npm vulnerabilities and exploits
9.8
CVSSv3
CVE-2022-0841
OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4.
Npm-lockfile Project Npm-lockfile 2.0.3
Npm-lockfile Project Npm-lockfile 2.0.4
9.8
CVSSv3
CVE-2020-28445
This affects all versions of the package npm-help. The injection point is located on line 13 of the index.js file, in the export.latestVersion() function.
Npm-help Project Npm-help
9.8
CVSSv3
CVE-2020-7614
npm-programmatic up to and including 0.0.12 is vulnerable to Command Injection. The packages and option properties are concatenated together without any validation and are used by the 'exec' function directly.
Npm-programmatic Project Npm-programmatic
9.8
CVSSv3
CVE-2022-29080
The npm-dependency-versions package up to and including 0.3.0 for Node.js allows command injection if an attacker is able to call dependencyVersions with a JSON object in which pkgs is a key, and there are shell metacharacters in a value.
Npm-dependency-versions Project Npm-dependency-versions
7.5
CVSSv3
CVE-2017-16132
simple-npm-registry is a local npm package cache. simple-npm-registry is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
Simple-npm-registry Project Simple-npm-registry
9.8
CVSSv3
CVE-2017-16128
The module npm-script-demo opened a connection to a command and control server. It has been removed from the npm registry.
Npm-script-demo Project Npm-script-demo 0.0.1
9.8
CVSSv3
CVE-2020-7795
The package get-npm-package-version prior to 1.0.7 is vulnerable to Command Injection via the main function in index.js.
Get-npm-package-version Project Get-npm-package-version
7.8
CVSSv3
CVE-2018-7408
An issue exists in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local ...
Npmjs Npm 5.7.0
7.5
CVSSv3
CVE-2020-7754
This affects the package npm-user-validate prior to 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
Npmjs Npm-user-validate
8.1
CVSSv3
CVE-2016-10695
The npm-test-sqlite3-trunk module provides asynchronous, non-blocking SQLite3 bindings. npm-test-sqlite3-trunk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested r...
Mapbox Npm-test-sqlite3-trunk