Safeguard
Tag

nodejs-security

Safeguard articles tagged "nodejs-security" — guides, analysis, and best practices for software supply chain and application security.

34 articles

Vulnerability Analysis

EJS template engine RCE via client option (CVE-2022-29078)

CVE-2022-29078 lets attackers achieve remote code execution in EJS via unsanitized render options. Affected versions, severity, and fixes inside.

Jan 5, 20267 min read
Vulnerability Analysis

ws WebSocket library header DoS (CVE-2021-32640)

CVE-2021-32640 lets attackers stall Node.js WebSocket servers via a crafted header in the widely-used ws npm package. Here's the fix.

Jan 5, 20267 min read
Vulnerability Analysis

socket.io-parser denial of service (CVE-2020-28477)

A remote, unauthenticated attacker could crash Socket.IO servers with one malformed packet. Here's the CVE-2020-28477 breakdown and how to fix it.

Jan 4, 20267 min read
Vulnerability Analysis

minimatch regular expression denial of service (CVE-2022-3517)

A ReDoS flaw in minimatch (CVE-2022-3517) lets a single crafted string hang Node.js processes. Here's what's affected, the risk context, and how to fix it.

Jan 3, 20267 min read
Vulnerability Analysis

nth-check ReDoS vulnerability (CVE-2021-3803)

CVE-2021-3803 turned a niche CSS selector parser into an ecosystem-wide audit headache. Here's the real exploitability picture and how to fix it.

Jan 2, 20268 min read
Vulnerability Analysis

tough-cookie prototype pollution (CVE-2023-26136)

CVE-2023-26136: a prototype pollution flaw in tough-cookie hides deep in transitive Node.js dependencies. Impact, timeline, and remediation steps.

Jan 2, 20268 min read
Vulnerability Analysis

cross-spawn ReDoS vulnerability (CVE-2024-21538)

CVE-2024-21538 is a ReDoS flaw in the widely-used cross-spawn npm package. Learn the impact, CVSS/EPSS context, and how to remediate it.

Jan 1, 20267 min read
Vulnerability Analysis

Express.js open redirect vulnerability (CVE-2024-29041)

CVE-2024-29041 lets attackers weaponize Express.js redirects for phishing. See affected versions, CVSS/EPSS data, and how to remediate fast.

Jan 1, 20267 min read
Industry Analysis

Object Injection Vulnerabilities in PHP and Node.js

PHP's unserialize() and Node's insecure deserialization both let attackers forge objects and execute code. Here's how object injection works and how to stop it.

Nov 9, 20257 min read
Industry Analysis

Path Traversal Prevention in JavaScript/Node.js with path...

path.normalize() alone will not stop path traversal in Node.js. Real CVEs like node-tar show why resolve-then-compare beats normalize-then-trust.

Oct 25, 20257 min read
Industry Analysis

Insecure Deserialization Prevention in JavaScript: Avoidi...

How the node-serialize RCE flaw (CVE-2017-5941) works, why unsafe JS deserialization patterns persist, and concrete steps—plus how Safeguard catches them in CI.

Oct 20, 20256 min read
Vulnerability Analysis

CVE-2018-3728: Prototype pollution in hoek

CVE-2018-3728 is a prototype pollution flaw in Hoek's merge functions, exposing hapi.js and Joi-based apps to __proto__ injection. Here's the impact, fix, and remediation path.

Oct 16, 20257 min read
nodejs-security (Page 2) — Safeguard Blog