npm-security
Safeguard articles tagged "npm-security" — guides, analysis, and best practices for software supply chain and application security.
123 articles
CVE-2020-8203: Prototype pollution in lodash zipObjectDeep
CVE-2020-8203 lets attackers pollute JavaScript's Object prototype via lodash's zipObjectDeep function, risking DoS or RCE in downstream apps.
CVE-2021-23337: Command injection in lodash template func...
CVE-2021-23337 enables command injection via lodash's template function in versions before 4.17.21. Here's the CVSS context, timeline, and how to remediate it.
CVE-2021-44906: Prototype pollution in minimist
CVE-2021-44906 exposed a prototype pollution flaw in minimist versions before 1.2.6, letting attackers pollute Object.prototype via crafted parser keys.
CVE-2017-16137: ReDoS in debug package
CVE-2017-16137 is a ReDoS flaw in the debug npm package that can hang Node.js apps on crafted input. Here's what's affected and how to fix it.
CVE-2020-28469: ReDoS in glob-parent
CVE-2020-28469 is a ReDoS flaw in glob-parent before 5.1.2 that can hang processes parsing crafted glob strings. Here's the risk, timeline, and fix.
CVE-2018-1000620: ReDoS in marked markdown parser
A ReDoS flaw in the marked Markdown parser (CVE-2018-1000620) let crafted input stall Node.js services. Here's the impact, fix, and how to catch it in your dependency tree.
CVE-2022-21681: Second ReDoS flaw in marked
CVE-2022-21681 is a ReDoS flaw in marked's inline tokenizer that lets crafted Markdown hang parsing. What's affected, severity, and how to remediate.
CVE-2022-25883: ReDoS in semver package
CVE-2022-25883 is a ReDoS flaw in the widely used semver npm package. Here's what versions are affected, its severity, and how to remediate it.
CVE-2021-3807: ReDoS in ansi-regex
A ReDoS flaw in the widely-depended-on ansi-regex npm package could hang Node.js processes on crafted input. Here's what's affected and how to fix it.
CVE-2021-23364: ReDoS in browserslist
A regex denial of service in browserslist (CVE-2021-23364) could stall Node.js builds via crafted version strings. Here's the fix and how Safeguard catches it.
CVE-2022-3517: ReDoS in minimatch pattern matching
CVE-2022-3517 is a high-severity ReDoS flaw in minimatch's glob-to-regex conversion, impacting a huge share of the npm ecosystem's dependency graph.
CVE-2021-43138: Code injection risk in async npm package
A prototype-pollution flaw in async's iterator functions (CVE-2021-43138) could escalate to code injection. Affected versions, severity, timeline, and remediation steps inside.