Safeguard
Tag

npm-security

Safeguard articles tagged "npm-security" — guides, analysis, and best practices for software supply chain and application security.

123 articles

Vulnerability Analysis

CVE-2020-8203: Prototype pollution in lodash zipObjectDeep

CVE-2020-8203 lets attackers pollute JavaScript's Object prototype via lodash's zipObjectDeep function, risking DoS or RCE in downstream apps.

Oct 17, 20258 min read
Vulnerability Analysis

CVE-2021-23337: Command injection in lodash template func...

CVE-2021-23337 enables command injection via lodash's template function in versions before 4.17.21. Here's the CVSS context, timeline, and how to remediate it.

Oct 16, 20257 min read
Vulnerability Analysis

CVE-2021-44906: Prototype pollution in minimist

CVE-2021-44906 exposed a prototype pollution flaw in minimist versions before 1.2.6, letting attackers pollute Object.prototype via crafted parser keys.

Oct 16, 20257 min read
Vulnerability Analysis

CVE-2017-16137: ReDoS in debug package

CVE-2017-16137 is a ReDoS flaw in the debug npm package that can hang Node.js apps on crafted input. Here's what's affected and how to fix it.

Oct 16, 20258 min read
Vulnerability Analysis

CVE-2020-28469: ReDoS in glob-parent

CVE-2020-28469 is a ReDoS flaw in glob-parent before 5.1.2 that can hang processes parsing crafted glob strings. Here's the risk, timeline, and fix.

Oct 14, 20257 min read
Vulnerability Analysis

CVE-2018-1000620: ReDoS in marked markdown parser

A ReDoS flaw in the marked Markdown parser (CVE-2018-1000620) let crafted input stall Node.js services. Here's the impact, fix, and how to catch it in your dependency tree.

Oct 14, 20258 min read
Vulnerability Analysis

CVE-2022-21681: Second ReDoS flaw in marked

CVE-2022-21681 is a ReDoS flaw in marked's inline tokenizer that lets crafted Markdown hang parsing. What's affected, severity, and how to remediate.

Oct 13, 20256 min read
Vulnerability Analysis

CVE-2022-25883: ReDoS in semver package

CVE-2022-25883 is a ReDoS flaw in the widely used semver npm package. Here's what versions are affected, its severity, and how to remediate it.

Oct 12, 20257 min read
Vulnerability Analysis

CVE-2021-3807: ReDoS in ansi-regex

A ReDoS flaw in the widely-depended-on ansi-regex npm package could hang Node.js processes on crafted input. Here's what's affected and how to fix it.

Oct 11, 20257 min read
Vulnerability Analysis

CVE-2021-23364: ReDoS in browserslist

A regex denial of service in browserslist (CVE-2021-23364) could stall Node.js builds via crafted version strings. Here's the fix and how Safeguard catches it.

Oct 11, 20257 min read
Vulnerability Analysis

CVE-2022-3517: ReDoS in minimatch pattern matching

CVE-2022-3517 is a high-severity ReDoS flaw in minimatch's glob-to-regex conversion, impacting a huge share of the npm ecosystem's dependency graph.

Oct 9, 20257 min read
Vulnerability Analysis

CVE-2021-43138: Code injection risk in async npm package

A prototype-pollution flaw in async's iterator functions (CVE-2021-43138) could escalate to code injection. Affected versions, severity, timeline, and remediation steps inside.

Oct 9, 20258 min read
npm-security (Page 9) — Safeguard Blog