Nodejs-ecosystem


reports in last 90 days

182 disclosed resolved issues

6 disclosed informative issues

0 disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Time to Triage | Time to Close | Report Status |
|---|---|---|---|---|---|---|
| Medium | [https-proxy-agent] Socket returned without TLS upgrade on non-200 CONNECT response, allowing request data to be sent over unencrypted connection | Man-in-the-Middle | kadler15 | 30 days 15 hours | 99 days 21 hours | Resolved |
| Low | Application level denial of service due to shutting down the server | Denial of Service | 3la2kb | 1 day 15 hours | 68 days 23 hours | Resolved |
| Medium | [larvitbase-api] Unintended Require | Remote File Inclusion | inkz | 6 days 2 hours | 101 days 18 hours | Resolved |
| Medium | [public] Path traversal using symlink | Path Traversal | chybeta | 57 days 1 hour | 0 days 0 hours | Resolved |
| Critical | gitlabhook OS Command Injection | OS Command Injection | garumpage | 3 days 2 hours | 9 days 22 hours | Resolved |
| Low | [http_server] Stored XSS in the filename when directories listing | Cross-site Scripting (XSS) - Stored | lightangel1412 | 0 days 22 hours | 122 days 16 hours | Resolved |
| Low | environment variable leakage in error reporting | Information Exposure Through an Error Message | mcollina | 1 day 14 hours | 150 days 9 hours | Resolved |
| Medium | [larvitbase-www] Unintended Require | Remote File Inclusion | inkz | 0 days 14 hours | 111 days 18 hours | Resolved |
| High | [statichttpserver] List any file in the folder by using path traversal. | Path Traversal | toannc123 | 3 days 2 hours | 76 days 23 hours | Resolved |
| High | Yarn transfers npm credentials over unencrypted http connection | Missing Encryption of Sensitive Data | chalker | 0 days 0 hours | 2 days 23 hours | Resolved |
| Medium | [min-http-server] Stored XSS in the filename when directories listing | None supplied | lightangel1412 | 2 days 13 hours | 66 days 0 hours | Resolved |
| Medium | [http-file-server] Stored XSS in the filename when directories listing | Cross-site Scripting (XSS) - Stored | lightangel1412 | 2 days 14 hours | 66 days 0 hours | Resolved |
| High | [http-file-server] List any files and sub folders in the folder by using path traversal. | Path Traversal | toannc123 | 2 days 23 hours | 60 days 4 hours | Resolved |
| High | [serve-here.js] List any file in the folder by using path traversal. | Path Traversal | toannc123 | 3 days 1 hour | 44 days 22 hours | Resolved |
| Medium | [takeapeek] XSS via HTML tag injection in directory listing page | Cross-site Scripting (XSS) - Stored | skyn3t | 0 days 15 hours | 139 days 23 hours | Resolved |
| Medium | [lactate] Static Web Server Directory Traversal via Crafted GET Request | Path Traversal | ysx | 1 day 9 hours | 42 days 15 hours | Resolved |
| Medium | [augustine] Static Web Server Directory Traversal via Crafted GET Request | Path Traversal | ysx | 1 day 3 hours | 44 days 15 hours | Resolved |
| Low | [redis-commander] Reflected SWF XSS via vulnerable "clipboard.swf" component | Cross-site Scripting (XSS) - Reflected | ysx | 16 days 18 hours | 28 days 18 hours | Resolved |
| Medium | [featurebook] Specification Server Directory Traversal via Crafted Browser Request | Path Traversal | ysx | 1 day 0 hours | 30 days 14 hours | Resolved |
| Medium | [serve-here] Static Web Server Directory Traversal via Crafted GET Request | Path Traversal | ysx | 1 day 4 hours | 30 days 14 hours | Resolved |
| High | `https-proxy-agent` passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak | Denial of Service | chalker | 0 days 18 hours | 5 days 13 hours | Resolved |
| High | `http-proxy-agent` passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak | Denial of Service | chalker | 0 days 1 hour | 1 day 23 hours | Resolved |
| Medium | `protobufjs` is vulnerable to ReDoS when parsing crafted invalid *.proto files | Denial of Service | chalker | 0 days 13 hours | 3 days 13 hours | Resolved |
| No rating | Arbitrary file overwrites in `node-tar` | None supplied | max | 5 days 7 hours | 303 days 0 hours | Resolved |
| Medium | Media parsing in canvas is at least vulnerable to Denial of Service through multiple vulnerabilities | Classic Buffer Overflow | webtonull | 11 days 6 hours | 374 days 16 hours | Resolved |