Javascript Exploits
227 exploits tracked across all sources.
Node.js 18.0-18.20.6 - Path Traversal in Windows Drive Name Handling
A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory.
On Windows, a path that does not start with the file separator is treated as relative to the current directory.
This vulnerability affects Windows users of `path.join` API.
by AikidoSec
mongoosejs/mongoose < 6.13.5 and >=8.0.0-rc0 <8.8.3 - Search Injection via $where in Match
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
by AikidoSec
axios 1.3.2-1.7.3 - Server-Side Request Forgery via Path Relative URL Processing
axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.
by AikidoSec
libuv 1.24.0-1.47.0 - Server-Side Request Forgery via Hostname Truncation
libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be exploited to create addresses like `0x00007f000001`, which are considered valid by `getaddrinfo` and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises due to how the `hostname_ascii` variable (with a length of 256 bytes) is handled in `uv_getaddrinfo` and subsequently in `uv__idna_toascii`. When the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result attackers may be able to access internal APIs or for websites (similar to MySpace) that allows users to have `username.example.com` pages. Internal services that crawl or cache these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username. This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
by AikidoSec
FUXA <= 1.1.12 - SQL Injection via /api/signin
FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin.
by AikidoSec
dot-prop <4.2.1, <5.1.1 - Prototype Pollution
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
by AikidoSec
@firebase/util <0.3.4 - Code Injection
This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.
by AikidoSec
fast-http - Path Traversal via fs.readFile in index.js
This affects all versions of package fast-http. There is no path sanitization in the path provided at fs.readFile in index.js.
by AikidoSec
ssh2 < 1.4.0 - OS Command Injection
ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This is fixed in version 1.4.0.
by AikidoSec
node-df 0.1.4 - Remote Code Execution via Unsanitized Input
A code injection exists in node-df v0.1.4 that can allow an attacker to remote code execution by unsanitized input.
by AikidoSec
Sequelize <2.0.0-rc7 - SQL Injection
SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter.
by AikidoSec
6 stars
st module for Node.js < 0.2.5 - Path Traversal via Encoded Dot-Dot Sequences
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
by AikidoSec
Firefox ESR < 60.7.2, Firefox < 67.0.4, Thunderbird < 60.7.2 - RCE
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.
CVSS 10.0
SolarWinds Orion Network Performance Monitor < 10.3.1 - Cross-Site Scripting via SNMPD Configuration Fields
Multiple cross-site scripting (XSS) vulnerabilities in SolarWinds Orion Network Performance Monitor (NPM) before 10.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) syslocation, (2) syscontact, or (3) sysName field of an snmpd.conf file.
MyBB < 1.8.26 - Cross-Site Scripting via Nested Auto URL Message Parsing
Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages.
CVSS 6.1
Apache Commons IO 2.0-2.13.0 - Uncontrolled Resource Consumption via XmlStreamReader
Uncontrolled Resource Consumption vulnerability in Apache Commons IO.
The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.
This issue affects Apache Commons IO: from 2.0 before 2.14.0.
Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.
by PawelMurdzek
CVSS 4.3
mongoose < 6.13.6 and 8.0.0-rc0-8.9.5 - Search Injection via Nested $where Filter with Populate Match
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
by open-flaw
CVSS 9.0
Package Validator <13.15.22 - Incomplete Filtering
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.
by open-flaw
CVSS 7.5
React Server Components <19.2.0 - RCE
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
by react2shell-repo-menagerie
CVSS 10.0
React Server Components <19.2.0 - RCE
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
by react2shell-repo-menagerie
CVSS 10.0
React Server Components <19.2.0 - RCE
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
by react2shell-repo-menagerie
CVSS 10.0
Google Chrome < 142.0.7444.59 - Type Confusion in V8
Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
by dexterm300
Jenkins Script Security Plugin < 1.50 - Sandbox Bypass Remote Code Execution
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java that allows attackers with the ability to provide sandboxed scripts to execute arbitrary code on the Jenkins master JVM.
by wjl110
Local Privilege Escalation in polkits pkexec
A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.
by wjl110
Windows 10 and Windows Server 2016 - Use-After-Free in Win32k
Windows Win32k Elevation of Privilege Vulnerability
by wjl110
By Source