Vulnerability Analysis
In-depth guides and analysis on vulnerability analysis from the Safeguard engineering team.
568 articles
Express qs library prototype pollution DoS (CVE-2022-24999)
CVE-2022-24999 lets attackers pollute Object.prototype through qs, the query-string parser Express relies on, crashing Node.js applications.
lodash merge/mergeWith prototype pollution (CVE-2018-3721)
A deep dive into CVE-2018-3721, the lodash merge/mergeWith prototype pollution flaw: its real-world impact, affected versions, and how to remediate it fast.
minimist prototype pollution (CVE-2020-7598)
A deep dive into CVE-2020-7598, the minimist prototype pollution vulnerability that rippled across the npm ecosystem, with impact, timeline, and remediation steps.
node-forge prototype pollution/signature verification issue (CVE-2020-7712)
node-forge's RSA signature verification (CVE-2022-24771/24772) and prototype pollution (CVE-2020-7720) let attackers forge trust decisions across X.509, PKCS#7, and PKCS#12 flows.
underscore.js template code injection (CVE-2021-23358)
CVE-2021-23358 lets attacker-controlled template settings inject arbitrary code via underscore.js's _.template function. Here's the impact, fix, and remediation steps.
EJS template engine RCE via client option (CVE-2022-29078)
CVE-2022-29078 lets attackers achieve remote code execution in EJS via unsanitized render options. Affected versions, severity, and fixes inside.
ws WebSocket library header DoS (CVE-2021-32640)
CVE-2021-32640 lets attackers stall Node.js WebSocket servers via a crafted header in the widely-used ws npm package. Here's the fix.
protobufjs prototype pollution (CVE-2022-25878)
CVE-2022-25878 is a critical prototype pollution flaw in protobufjs. Here's what's affected, the CVSS/EPSS context, and how to remediate it fast.
Apache Struts CVE-2024-53677: The Path Traversal RCE
CVE-2024-53677 lets attackers abuse Struts file upload parameter pollution to plant webshells. Here is the chain, detection logic, and patch guidance.
socket.io-parser denial of service (CVE-2020-28477)
A remote, unauthenticated attacker could crash Socket.IO servers with one malformed packet. Here's the CVE-2020-28477 breakdown and how to fix it.
lodash property injection via merge functions (CVE-2018-16487)
CVE-2018-16487 let attackers pollute Object.prototype via lodash's merge, mergeWith, and defaultsDeep functions. Here's how it works and how to fix it.
npm registry package hijacking incidents (CVE-2015-8858 era)
CVE-2015-8858 anchors a broader era of npm registry package hijacking — tar-extraction path traversal, left-pad, and weak account security explained.