Safeguard
Tag

javascript-security

Safeguard articles tagged "javascript-security" — guides, analysis, and best practices for software supply chain and application security.

34 articles

Vulnerability Analysis

protobufjs prototype pollution (CVE-2022-25878)

CVE-2022-25878 is a critical prototype pollution flaw in protobufjs. Here's what's affected, the CVSS/EPSS context, and how to remediate it fast.

Jan 5, 20268 min read
Vulnerability Analysis

lodash property injection via merge functions (CVE-2018-16487)

CVE-2018-16487 let attackers pollute Object.prototype via lodash's merge, mergeWith, and defaultsDeep functions. Here's how it works and how to fix it.

Jan 4, 20267 min read
Vulnerability Analysis

What is prototype pollution and why it keeps recurring in npm packages

Prototype pollution has hit lodash, jQuery, minimist, hoek, and immer since 2018. Here's how the bug works and why it keeps coming back in npm.

Dec 15, 20256 min read
Open Source Security

minimist Prototype Pollution and Its Ripple Effect Across...

CVE-2020-7598 is a prototype pollution bug in minimist that let attackers taint Object.prototype, rippling through thousands of npm dependents.

Dec 2, 20258 min read
Industry Analysis

DOM-Based XSS: Client-Side Sink Vulnerabilities

DOM-based XSS sink vulnerabilities let attacker data reach dangerous JavaScript sinks without touching the server, slipping past WAFs and static scanners.

Nov 8, 20258 min read
Industry Analysis

Prototype Pollution in JavaScript Applications

Prototype pollution has hit lodash, jQuery, and minimist with real CVEs, from DoS to RCE. Here's how the bug works and how Safeguard catches it before it ships.

Nov 8, 20257 min read
Incident Analysis

Polyfill.io supply chain attack

How a domain sale turned a trusted CDN into a malware vector for 100,000+ sites — and what the polyfill.io incident teaches defenders about third-party script risk.

Nov 8, 20257 min read
Industry Analysis

SQL Injection Prevention in Node.js/JavaScript

SQL injection still hits Node.js apps through raw drivers, Sequelize, Prisma, and Knex alike. Here's how it happens, what safe queries look like, and how to catch it in CI.

Oct 27, 20259 min read
Industry Analysis

XXE Prevention in JavaScript: Disabling libxmljs noent

How the libxmljs noent option silently reopens XML External Entity (XXE) attacks in Node.js apps, and the exact parser settings that shut it down for good.

Oct 22, 20257 min read
Industry Analysis

Insecure Deserialization Prevention in JavaScript: Avoidi...

How the node-serialize RCE flaw (CVE-2017-5941) works, why unsafe JS deserialization patterns persist, and concrete steps—plus how Safeguard catches them in CI.

Oct 20, 20256 min read
Industry Analysis

Secure Random Number Generation in JavaScript with crypto...

Math.random() is predictable and unsafe for security tokens. Here's why Node's crypto.randomBytes() is the standard for secure JavaScript randomness.

Oct 20, 20257 min read
Vulnerability Analysis

CVE-2020-8203: Prototype pollution in lodash zipObjectDeep

CVE-2020-8203 lets attackers pollute JavaScript's Object prototype via lodash's zipObjectDeep function, risking DoS or RCE in downstream apps.

Oct 17, 20258 min read
javascript-security (Page 2) — Safeguard Blog