Safeguard
Topic

Vulnerability Analysis

In-depth guides and analysis on vulnerability analysis from the Safeguard engineering team.

568 articles

Vulnerability Analysis

Express qs library prototype pollution DoS (CVE-2022-24999)

CVE-2022-24999 lets attackers pollute Object.prototype through qs, the query-string parser Express relies on, crashing Node.js applications.

Jan 6, 20267 min read
Vulnerability Analysis

lodash merge/mergeWith prototype pollution (CVE-2018-3721)

A deep dive into CVE-2018-3721, the lodash merge/mergeWith prototype pollution flaw: its real-world impact, affected versions, and how to remediate it fast.

Jan 6, 20269 min read
Vulnerability Analysis

minimist prototype pollution (CVE-2020-7598)

A deep dive into CVE-2020-7598, the minimist prototype pollution vulnerability that rippled across the npm ecosystem, with impact, timeline, and remediation steps.

Jan 6, 20267 min read
Vulnerability Analysis

node-forge prototype pollution/signature verification issue (CVE-2020-7712)

node-forge's RSA signature verification (CVE-2022-24771/24772) and prototype pollution (CVE-2020-7720) let attackers forge trust decisions across X.509, PKCS#7, and PKCS#12 flows.

Jan 6, 20267 min read
Vulnerability Analysis

underscore.js template code injection (CVE-2021-23358)

CVE-2021-23358 lets attacker-controlled template settings inject arbitrary code via underscore.js's _.template function. Here's the impact, fix, and remediation steps.

Jan 5, 20267 min read
Vulnerability Analysis

EJS template engine RCE via client option (CVE-2022-29078)

CVE-2022-29078 lets attackers achieve remote code execution in EJS via unsanitized render options. Affected versions, severity, and fixes inside.

Jan 5, 20267 min read
Vulnerability Analysis

ws WebSocket library header DoS (CVE-2021-32640)

CVE-2021-32640 lets attackers stall Node.js WebSocket servers via a crafted header in the widely-used ws npm package. Here's the fix.

Jan 5, 20267 min read
Vulnerability Analysis

protobufjs prototype pollution (CVE-2022-25878)

CVE-2022-25878 is a critical prototype pollution flaw in protobufjs. Here's what's affected, the CVSS/EPSS context, and how to remediate it fast.

Jan 5, 20268 min read
Vulnerability Analysis

Apache Struts CVE-2024-53677: The Path Traversal RCE

CVE-2024-53677 lets attackers abuse Struts file upload parameter pollution to plant webshells. Here is the chain, detection logic, and patch guidance.

Jan 5, 20267 min read
Vulnerability Analysis

socket.io-parser denial of service (CVE-2020-28477)

A remote, unauthenticated attacker could crash Socket.IO servers with one malformed packet. Here's the CVE-2020-28477 breakdown and how to fix it.

Jan 4, 20267 min read
Vulnerability Analysis

lodash property injection via merge functions (CVE-2018-16487)

CVE-2018-16487 let attackers pollute Object.prototype via lodash's merge, mergeWith, and defaultsDeep functions. Here's how it works and how to fix it.

Jan 4, 20267 min read
Vulnerability Analysis

npm registry package hijacking incidents (CVE-2015-8858 era)

CVE-2015-8858 anchors a broader era of npm registry package hijacking — tar-extraction path traversal, left-pad, and weak account security explained.

Jan 4, 20268 min read
Vulnerability Analysis (Page 20) — Supply Chain Security Blog | Safeguard