nodejs-security
Safeguard articles tagged "nodejs-security" — guides, analysis, and best practices for software supply chain and application security.
34 articles
EJS template engine RCE via client option (CVE-2022-29078)
CVE-2022-29078 lets attackers achieve remote code execution in EJS via unsanitized render options. Affected versions, severity, and fixes inside.
ws WebSocket library header DoS (CVE-2021-32640)
CVE-2021-32640 lets attackers stall Node.js WebSocket servers via a crafted header in the widely-used ws npm package. Here's the fix.
socket.io-parser denial of service (CVE-2020-28477)
A remote, unauthenticated attacker could crash Socket.IO servers with one malformed packet. Here's the CVE-2020-28477 breakdown and how to fix it.
minimatch regular expression denial of service (CVE-2022-3517)
A ReDoS flaw in minimatch (CVE-2022-3517) lets a single crafted string hang Node.js processes. Here's what's affected, the risk context, and how to fix it.
nth-check ReDoS vulnerability (CVE-2021-3803)
CVE-2021-3803 turned a niche CSS selector parser into an ecosystem-wide audit headache. Here's the real exploitability picture and how to fix it.
tough-cookie prototype pollution (CVE-2023-26136)
CVE-2023-26136: a prototype pollution flaw in tough-cookie hides deep in transitive Node.js dependencies. Impact, timeline, and remediation steps.
cross-spawn ReDoS vulnerability (CVE-2024-21538)
CVE-2024-21538 is a ReDoS flaw in the widely-used cross-spawn npm package. Learn the impact, CVSS/EPSS context, and how to remediate it.
Express.js open redirect vulnerability (CVE-2024-29041)
CVE-2024-29041 lets attackers weaponize Express.js redirects for phishing. See affected versions, CVSS/EPSS data, and how to remediate fast.
Object Injection Vulnerabilities in PHP and Node.js
PHP's unserialize() and Node's insecure deserialization both let attackers forge objects and execute code. Here's how object injection works and how to stop it.
Path Traversal Prevention in JavaScript/Node.js with path...
path.normalize() alone will not stop path traversal in Node.js. Real CVEs like node-tar show why resolve-then-compare beats normalize-then-trust.
Insecure Deserialization Prevention in JavaScript: Avoidi...
How the node-serialize RCE flaw (CVE-2017-5941) works, why unsafe JS deserialization patterns persist, and concrete steps—plus how Safeguard catches them in CI.
CVE-2018-3728: Prototype pollution in hoek
CVE-2018-3728 is a prototype pollution flaw in Hoek's merge functions, exposing hapi.js and Joi-based apps to __proto__ injection. Here's the impact, fix, and remediation path.