Tag
#nodejs
### Summary The approach used to check whether a path is within allowed directories is vulnerable to path prefix bypass when the allowed directories do not end with a path separator. This occurs because the check relies on a raw string prefix comparison. ### PoC - setup ``` mkdir ~/public123 move a png file under ~/public123 with name test.png cd npm i ipx ``` - `main.js` ```js import { createIPX, ipxFSStorage } from "ipx"; const ipx = createIPX({ storage: ipxFSStorage({ dir: "./public" }), }); (async () => { { const source = await ipx("../public123/test.png"); // access file outside ./public dir because of same prefix folder const { data, format } = await source.process(); console.log(format) // print image data } { try { const source = await ipx("../publi123/test.png"); // forbidden path: the prefix is not the same const { data, format } = await source.process(); console.log(data) } ca...
## Summary A critical Remote Code Execution (RCE) vulnerability was discovered in the `@nestjs/devtools-integration` package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (`safe-eval`-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. A full blog post about how this vulnerability was uncovered can be found on [Socket's blog](https://socket.dev/blog/nestjs-rce-vuln). ## Details The `@nestjs/devtools-integration` package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, `/inspector/graph/interact`, accepts JSON input containing a `code` field and executes the provided code in a Node.js `vm.runInNewContext` sandbox. Key issues: 1. **Unsafe Sandbox:** The sandbox implementation closely resembles the abandoned `safe-eval` library. The No...
Cybersecurity researchers have flagged a malicious npm package that was generated using artificial intelligence (AI) and concealed a cryptocurrency wallet drainer. The package, @kodane/patch-manager, claims to offer "advanced license validation and registry optimization utilities for high-performance Node.js applications." It was uploaded to npm by a user named "Kodane" on July 28, 2025. The
Researchers discovered backdoors, poisoned code, and malicious commits in some of the more popular tool developers, jeopardizing software supply chains.
Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature. This allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username. To conduct the attack an attacker would need a validly signed document from the identity provider (IdP). In fixing this we made sure to process the SAML assertions from only verified/authenticated contents. This will prevent future variants from coming up. Note: this is distinct from the previous xml-crypto CVEs.
In what's the latest instance of a software supply chain attack, unknown threat actors managed to compromise Toptal's GitHub organization account and leveraged that access to publish 10 malicious packages to the npm registry. The packages contained code to exfiltrate GitHub authentication tokens and destroy victim systems, Socket said in a report published last week. In addition, 73 repositories
### Summary The HAX CMS API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. ### Details The API endpoints within the HAX CMS application check if a user is authenticated, but don't check for authorization before performing an operation. #### Affected Resources - [Operations.php: 760](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L760) `createNode()` - [Operations.php: 868](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L868) `saveNode()` - [Operations.php: 1171](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L1171) `deleteNode()` - [Operations.php: 1789](https://github.com/haxth...
### Summary A critical vulnerability exists in the form-data package used by `axios@1.10.0`. The issue allows an attacker to predict multipart boundary values generated using `Math.random()`, opening the door to HTTP parameter pollution or injection attacks. This was submitted in [issue #6969](https://github.com/axios/axios/issues/6969) and addressed in [pull request #6970](https://github.com/axios/axios/pull/6970). ### Details The vulnerable package `form-data@4.0.0` is used by `axios@1.10.0` as a transitive dependency. It uses non-secure, deterministic randomness (`Math.random()`) to generate multipart boundary strings. This flaw is tracked under [Snyk Advisory SNYK-JS-FORMDATA-10841150](https://security.snyk.io/vuln/SNYK-JS-FORMDATA-10841150) and [CVE-2025-7783](https://security.snyk.io/vuln/SNYK-JS-FORMDATA-10841150). Affected `form-data` versions: - <2.5.4 - >=3.0.0 <3.0.4 - >=4.0.0 <4.0.4 Since `axios@1.10.0` pulls in `form-data@4.0.0`, it is exposed to this issue. ### PoC...
### Summary All pages within the HAX CMS application do not contain headers to stop other websites from loading the site within an iframe. This applies to both the CMS and generated sites. ### PoC To replicate this vulnerability, load the target page in an iframe and observe the rendered content.  ### Impact An unauthenticated attacker can load the standalone login page or other sensitive functionality within an iframe, performing a UI redressing attack (Clickjacking). This can be used to perform social engineering attacks to attempt to coerce users into performing unintended actions within the HAX CMS application.
### Summary The NodeJS version of the HAX CMS application is distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren't prompted to change credentials or secrets during installation, and there is no way to change them through the UI. ### Affected Resources - [HAXCMS.js](https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/lib/HAXCMS.js#L1614) HAXCMSClass ### Impact An unauthenticated attacker can read the default user credentials and JWT private keys from the public haxtheweb GitHub repositories. These credentials and keys can be used to access unconfigured self-hosted instances of the application, modify sites, and perform further attacks.