Vulnerabilities discovered in npm packages [Berkeley PL & Security Research]

JacksonGL/NPM-Vuln-PoC

NPM-Vuln-PoC

This repository contains proofs of concept for vulnerabilities discovered in npm packages.

Warning: This repo installs vulnerable npm packages and tests them to demonstrate the vulnerabilities, so running this project in a VM (with Linux or macOS) is highly recommended.

To reproduce the vulnerabilities, first install the vulnerable packages:

npm install

The following vulnerable packages require a global install or root privilege:

sudo npm install xtalk@0.0.7
sudo npm install nodeload-nmickuli@1.0.3
sudo npm install badjs-sourcemap-server@0.1.11

Then, start the PoC testing script:

sudo ./PoC.sh

Note: some vulnerable packages start a web server on port 80, which requires root privilege. That is why the command above is prefixed with sudo.

Some vulnerable packages use APIs that are deprecated in Node.js v7.1+. To reproduce those vulnerabilities, try Node.js v4.6.x or Node.js v6.x.

Versions of those vulnerable packages can be found in the package.json file.
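
To check whether some other project's `package-lock.json` resolves any of the three versions named in the install commands above, the following is an added example, not code from this repository. The function name, the watchlist structure and both sample lockfiles are assumptions constructed for illustration.

```javascript
// Added example, not part of NPM-Vuln-PoC; all names here are hypothetical.
// Versions are the three pinned in this README's install commands.
const WATCHLIST = {
  'xtalk': ['0.0.7'],
  'nodeload-nmickuli': ['1.0.3'],
  'badjs-sourcemap-server': ['0.1.11'],
};

// Return every place a parsed package-lock.json resolves a watchlisted
// name@version. Handles lockfileVersion 1 (nested "dependencies") and
// lockfileVersion 2/3 (flat "packages" map keyed by node_modules path).
function findWatchlisted(lock, watchlist = WATCHLIST) {
  const hits = [];
  const check = (name, version, where) => {
    const listed = Object.prototype.hasOwnProperty.call(watchlist, name);
    if (listed && watchlist[name].includes(version)) hits.push({ name, version, where });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    // "node_modules/a/node_modules/b" -> "b" (scoped names survive intact)
    const name = meta.name || path.slice(path.lastIndexOf('node_modules/') + 13);
    check(name, meta.version, path);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, trail.concat(name).join(' > '));
      walk(meta.dependencies, trail.concat(name));
    }
  };
  // v2 lockfiles carry both sections; use the legacy tree only when alone.
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not from a real project).
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'load-tools': { version: '2.0.0',
    dependencies: { 'nodeload-nmickuli': { version: '1.0.3' } } },
  // Different version number: an exact-match check does not flag it.
  xtalk: { version: '9.9.9' },
} };
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/xtalk': { version: '0.0.7' },
  'node_modules/foo/node_modules/badjs-sourcemap-server': { version: '0.1.11' },
} };
console.log(findWatchlisted(sampleV1));
console.log(findWatchlisted(sampleV3));
```

Pass the function the result of `JSON.parse` on a real `package-lock.json`. It matches exact versions only and does not read yarn or pnpm lockfiles.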
