Safeguard
Tag

nodejs-security

Safeguard articles tagged "nodejs-security" — guides, analysis, and best practices for software supply chain and application security.

34 articles

Vulnerability Analysis

CVE-2020-28469: ReDoS in glob-parent

CVE-2020-28469 is a ReDoS flaw in glob-parent before 5.1.2 that can hang processes parsing crafted glob strings. Here's the risk, timeline, and fix.

Oct 14, 20257 min read
Vulnerability Analysis

CVE-2022-0235: node-fetch forwards sensitive headers on r...

CVE-2022-0235: node-fetch forwarded cookie and authorization headers across cross-origin redirects. Affected versions, exploitability context, and remediation steps.

Oct 13, 20258 min read
Vulnerability Analysis

CVE-2022-0155: follow-redirects leaks Proxy-Authorization...

CVE-2022-0155: follow-redirects leaked Proxy-Authorization headers across hosts on redirect, exposing proxy credentials via axios and other widely used npm HTTP clients.

Oct 13, 20258 min read
Vulnerability Analysis

CVE-2022-0536: follow-redirects leaks Authorization heade...

CVE-2022-0536 let follow-redirects forward Authorization headers to third-party hosts on cross-domain redirects, exposing tokens and credentials.

Oct 12, 20258 min read
Vulnerability Analysis

CVE-2023-26159: SSRF/credential exposure in follow-redire...

CVE-2023-26159 shows how flawed URL parsing in follow-redirects let attackers trigger SSRF and leak Authorization headers across unintended hosts.

Oct 12, 20257 min read
Vulnerability Analysis

CVE-2024-37890: Denial of service in ws WebSocket library

CVE-2024-37890 lets attackers crash Node.js servers running vulnerable ws WebSocket versions with a single crafted request. Here's what's affected and how to fix it.

Oct 12, 20257 min read
Vulnerability Analysis

CVE-2022-24999: Prototype pollution / DoS in qs querystri...

CVE-2022-24999 exposes a prototype pollution and denial-of-service flaw in the qs querystring library used across the Node.js ecosystem.

Oct 11, 20257 min read
Vulnerability Analysis

CVE-2023-32314: Sandbox escape in vm2

CVE-2023-32314 let attackers escape the vm2 Node.js sandbox for remote code execution. Here's the CVSS 10.0 flaw, affected versions, timeline, and fixes.

Oct 10, 20258 min read
Vulnerability Analysis

CVE-2023-37466: Remote code execution via vm2 sandbox escape

A critical vm2 sandbox escape (CVE-2023-37466) lets untrusted JavaScript break out to achieve remote code execution on the host Node.js process.

Oct 10, 20257 min read
Vulnerability Analysis

CVE-2021-43138: Code injection risk in async npm package

A prototype-pollution flaw in async's iterator functions (CVE-2021-43138) could escalate to code injection. Affected versions, severity, timeline, and remediation steps inside.

Oct 9, 20258 min read
nodejs-security (Page 3) — Safeguard Blog