In my recent collaboration with Microsoft Research, I found hundreds of security vulnerabilities in npm packages. So far, 300+ vulnerabilities have been validated by the community, including Snyk.io (e.g., [Vuln-1], [Vuln-2]), the Node Security Platform (e.g., [Vuln-3], [Vuln-4]), and package authors (e.g., [Vuln-5], [Vuln-6]). Among those issues, 250+ are considered highly severe. A subset of those security issues is listed below; proof-of-concept exploits for these vulnerabilities are available.
Columns: Severity and Vulnerability, Vulnerable NPM Package, Validated (a trailing * marks a vulnerability that has been validated)
Severity: High Resources Downloaded over Insecure Protocol windows-build-tools *
Severity: High Directory Traversal f2e-server *
Severity: High Arbitrary File Write frvr *
Severity: High Resources Downloaded over Insecure Protocol edp-package *
Severity: Medium Directory Traversal hostr *
Severity: High Arbitrary File Write innomon *
Severity: Low Insecure Hashing Algorithm contwidgetor *
Severity: High Arbitrary File Write connect-parse-php *
Severity: High Directory Traversal hftp *
Severity: High Arbitrary File Write mysql2csv *
Severity: High Directory Traversal zjjserver *
Severity: High Directory Traversal yzt *
Severity: High Directory Traversal yyooopack *
Severity: High Directory Traversal yttivy *
Severity: High Directory Traversal mfrs *
Severity: High Directory Traversal xtalk *
Severity: High Directory Traversal ltt *
Severity: High Directory Traversal xiongrui-httpserver *
Severity: High Directory Traversal ltt.js *
Severity: High Arbitrary File Write wisper *
Severity: High Arbitrary File Write thrushs *
Severity: High Directory Traversal wintiwebdev *
Severity: High Directory Traversal thrushs *
Severity: High Directory Traversal wind-mvc *
Severity: High Directory Traversal whispercast *
Severity: High Directory Traversal wenluhong1 *
Severity: High Directory Traversal rtcmulticonnection-client *
Severity: High Arbitrary File Write lam *
Severity: High Directory Traversal weather.swlyons *
Severity: High Resources Downloaded over Insecure Protocol given-html-report *
Severity: High Directory Traversal wangguojing123 *
Severity: High Directory Traversal uv-tj-demo *
Severity: High Arbitrary File Write parse-ssi *
Severity: High Directory Traversal utahcityfinder *
Severity: High Directory Traversal unicorn-list *
Severity: High Directory Traversal uekw1511server *
Severity: High Directory Traversal tmock *
Severity: High Directory Traversal tinyserver2 *
Severity: High Directory Traversal tiny-http *
Severity: High Directory Traversal tencent-server *
Severity: High Directory Traversal static-html-server *
Severity: High Directory Traversal sspa *
Severity: High Directory Traversal sly07 *
Severity: High Directory Traversal shit-server *
Severity: High Directory Traversal sgqserve *
Severity: High Directory Traversal serverzyy *
Severity: High Directory Traversal serveryztyzt *
Severity: High Directory Traversal serveryaozeyan *
Severity: High Directory Traversal serverwzl *
Severity: High Directory Traversal serverwg *
Severity: High Directory Traversal serverlyr *
Severity: High Directory Traversal serverliujiayi1 *
Severity: High Directory Traversal serverhuwenhui *
Severity: High Directory Traversal serverabc *
Severity: High Directory Traversal run-this-place *
Severity: High Directory Traversal ritp *
Severity: High Directory Traversal reecerver *
Severity: High Directory Traversal quickserver *
Severity: High Directory Traversal qinserve *
Severity: High Directory Traversal pytservce *
Severity: High Directory Traversal picard *
Severity: High Directory Traversal peiserver *
Severity: High Directory Traversal open-device *
Severity: High Directory Traversal nodeload-nmickuli *
Severity: High Directory Traversal nodeaaaaa *
Severity: High Directory Traversal node-server-forfront *
Severity: High Directory Traversal zwserver *
Severity: High Directory Traversal myserver.alexcthomas18 *
Severity: High Directory Traversal myprolyz *
Severity: High Directory Traversal mockserve *
Severity: High Directory Traversal mfrserver *
Severity: High Directory Traversal looppake *
Severity: High Directory Traversal liyujing *
Severity: High Directory Traversal liuyaserver *
Severity: High Directory Traversal lessindex *
Severity: High Directory Traversal lab6.brit95 *
Severity: High Directory Traversal jn_jj_server *
Severity: High Directory Traversal jansenstuffpleasework *
Severity: High Directory Traversal iter-server *
Severity: High Directory Traversal iter-http *
Severity: High Directory Traversal intsol-package *
Severity: High Directory Traversal infraserver *
Severity: Medium Resources Downloaded over Insecure Protocol hubl-server *
Severity: High Directory Traversal hcbserver *
Severity: High Directory Traversal gomeplus-h5-proxy *
Severity: High Directory Traversal getcityapi.yoehoehne *
Severity: High Directory Traversal gaoxuyan *
Severity: High Directory Traversal gaoxiaotingtingting *
Severity: High Directory Traversal fsk-server *
Severity: High Directory Traversal fbr-client *
Severity: High Directory Traversal fast-http-cli *
Severity: High Directory Traversal exxxxxxxxxxx *
Severity: High Directory Traversal ewgaddis.lab6 *
Severity: High Directory Traversal enserver *
Severity: High Directory Traversal easyquick *
Severity: High Directory Traversal earlybird *
Severity: High Directory Traversal dylmomo *
Severity: High Directory Traversal dgard8.lab6 *
Severity: High Directory Traversal desafio *
Severity: High Directory Traversal dcserver *
Severity: High Directory Traversal datachannel-client *
Severity: High Directory Traversal dasafio *
Severity: High Directory Traversal cyber-js *
Severity: High Directory Traversal cuciuci *
Severity: High Resources Downloaded over Insecure Protocol craft-ai-icons *
Severity: High Directory Traversal city-weather-abe *
Severity: High Directory Traversal censorify.tanisjr *
Severity: High Directory Traversal calmquist.static-server *
Severity: High Directory Traversal badjs-sourcemap-server *
Severity: High Directory Traversal 22lixian *
Severity: High Directory Traversal 11xiaoli *
Severity: High Resources Downloaded over Insecure Protocol rocketmake-nuget *
Severity: High Directory Traversal citypredict.whauwiller *
Severity: High Directory Traversal dmmcquay.lab6 *
Severity: High Directory Traversal byucslabsix *
Severity: High Directory Traversal jikes *
Severity: High Directory Traversal scott-blanch-weather-app *
Severity: High Directory Traversal node-simple-router *
Severity: High Directory Traversal wffserve *
Severity: High Directory Traversal elding *
Severity: High Directory Traversal web-debug *
© Liang Gong, Electrical Engineering & Computer Science, University of California, Berkeley.