Safeguard
Topic

Vulnerability Analysis

In-depth guides and analysis on vulnerability analysis from the Safeguard engineering team.

568 articles

Vulnerability Analysis

CVE-2022-0536: follow-redirects leaks Authorization heade...

CVE-2022-0536 let follow-redirects forward Authorization headers to third-party hosts on cross-domain redirects, exposing tokens and credentials.

Oct 12, 20258 min read
Vulnerability Analysis

CVE-2023-26159: SSRF/credential exposure in follow-redire...

CVE-2023-26159 shows how flawed URL parsing in follow-redirects let attackers trigger SSRF and leak Authorization headers across unintended hosts.

Oct 12, 20257 min read
Vulnerability Analysis

CVE-2024-37890: Denial of service in ws WebSocket library

CVE-2024-37890 lets attackers crash Node.js servers running vulnerable ws WebSocket versions with a single crafted request. Here's what's affected and how to fix it.

Oct 12, 20257 min read
Vulnerability Analysis

CVE-2022-25883: ReDoS in semver package

CVE-2022-25883 is a ReDoS flaw in the widely used semver npm package. Here's what versions are affected, its severity, and how to remediate it.

Oct 12, 20257 min read
Vulnerability Analysis

CVE-2021-3803: ReDoS in nth-check CSS selector parser

CVE-2021-3803 is a ReDoS flaw in nth-check's CSS selector regex, reachable via css-select, svgo, and countless React build toolchains relying on them.

Oct 11, 20258 min read
Vulnerability Analysis

CVE-2021-3807: ReDoS in ansi-regex

A ReDoS flaw in the widely-depended-on ansi-regex npm package could hang Node.js processes on crafted input. Here's what's affected and how to fix it.

Oct 11, 20257 min read
Vulnerability Analysis

CVE-2022-24999: Prototype pollution / DoS in qs querystri...

CVE-2022-24999 exposes a prototype pollution and denial-of-service flaw in the qs querystring library used across the Node.js ecosystem.

Oct 11, 20257 min read
Vulnerability Analysis

CVE-2021-23364: ReDoS in browserslist

A regex denial of service in browserslist (CVE-2021-23364) could stall Node.js builds via crafted version strings. Here's the fix and how Safeguard catches it.

Oct 11, 20257 min read
Vulnerability Analysis

CVE-2020-7676: XSS in vue-template-compiler

CVE-2020-7676 is an XSS flaw in vue-template-compiler (pre-2.6.12) that lets attacker-controlled templates bypass URI sanitization. Impact, fix, and remediation.

Oct 10, 20257 min read
Vulnerability Analysis

CVE-2023-32314: Sandbox escape in vm2

CVE-2023-32314 let attackers escape the vm2 Node.js sandbox for remote code execution. Here's the CVSS 10.0 flaw, affected versions, timeline, and fixes.

Oct 10, 20258 min read
Vulnerability Analysis

CVE-2023-30547: Sandbox escape via Node custom inspect in...

CVE-2023-30547 lets attackers escape the vm2 Node.js sandbox via a crafted custom inspect method, achieving host code execution. Here's the impact, timeline, and fix.

Oct 10, 20258 min read
Vulnerability Analysis

CVE-2023-37466: Remote code execution via vm2 sandbox escape

A critical vm2 sandbox escape (CVE-2023-37466) lets untrusted JavaScript break out to achieve remote code execution on the host Node.js process.

Oct 10, 20257 min read
Vulnerability Analysis (Page 34) — Supply Chain Security Blog | Safeguard