github.com/OWASP/NodeGoat

Submitted 6/8/2026, 9:09:26 PM · Status: ok

Risk grade: F (100 / 100)
Findings: 184
21 critical · 89 high · 54 medium · 19 low · 1 info · 0 on CISA KEV · 0 ATT&CK
Showing 184 of 184 findings

Findings

  • Arbitrary Code Execution in underscore
    grype
  • Code injection in fsevents
    grype
  • Deserialization of Untrusted Data in bson
    grype
  • Malware in fsevents
    grype
  • Prototype Pollution in minimist
    grype
  • Prototype Pollution in minimist
    grype
  • Prototype Pollution in minimist
    grype
  • Prototype Pollution in minimist
    grype
  • Prototype Pollution in mixin-deep
    grype
  • Prototype Pollution in set-value
    grype
  • Prototype Pollution in set-value
    grype
  • bson: Deserialization of Untrusted Data could result in Code injection or Excessive CPU load
    All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
    trivy
  • Code injection in fsevents
    fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was con…
    trivy
  • minimist: prototype pollution
    Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
    trivy
  • minimist: prototype pollution
    Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
    trivy
  • minimist: prototype pollution
    Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
    trivy
  • minimist: prototype pollution
    Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
    trivy
  • nodejs-mixin-deep: prototype pollution in function mixin-deep
    mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
    trivy
  • nodejs-set-value: prototype pollution in function set-value
    set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and _proto_ payloads.
    trivy
  • nodejs-set-value: prototype pollution in function set-value
    set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and _proto_ payloads.
    trivy
  • nodejs-underscore: Arbitrary code execution via the template function
    The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
    trivy
  • Detected generic-api-key: Detected a Generic API Key, potentially exposing access to various services and sensitive operations
    Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    gitleaks
  • Detected generic-api-key: Detected a Generic API Key, potentially exposing access to various services and sensitive operations
    Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    gitleaks
  • Detected private-key: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption
    Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.
    gitleaks
  • Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
    grype
  • Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
    grype
  • Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
    grype
  • Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
    grype
  • Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
    grype
  • Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
    grype
  • Arbitrary local file read vulnerability during template rendering
    grype
  • body-parser vulnerable to denial of service when url encoding is enabled
    grype
  • debug Inefficient Regular Expression Complexity vulnerability
    grype
  • decode-uri-component vulnerable to Denial of Service (DoS)
    grype
  • Denial of Service in mongodb
    grype
  • Inefficient Regular Expression Complexity in marked
    grype
  • Inefficient Regular Expression Complexity in marked
    grype
  • inflect vulnerable to Inefficient Regular Expression Complexity
    grype
  • ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse
    grype
  • minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
    grype
  • minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
    grype
  • minimatch ReDoS vulnerability
    grype
  • minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
    grype
  • node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
    grype
  • node-tar Symlink Path Traversal via Drive-Relative Linkpath
    grype
  • node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
    grype
  • path-to-regexp contains a ReDoS
    grype
  • path-to-regexp outputs backtracking regular expressions
    grype
  • path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
    grype
  • Prototype Pollution in nconf
    grype
  • Prototype Pollution in nconf
    grype
  • Prototype Pollution in set-value
    grype
  • Prototype Pollution in set-value
    grype
  • Prototype Pollution in y18n
    grype
  • qs vulnerable to Prototype Pollution
    grype
  • Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
    grype
  • Regular Expression Denial of Service in marked
    grype
  • Regular Expression Denial of Service in uglify-js
    grype
  • semver vulnerable to Regular Expression Denial of Service
    grype
  • semver vulnerable to Regular Expression Denial of Service
    grype
  • tar has Hardlink Path Traversal via Drive-Relative Linkpath
    grype
  • Uncontrolled resource consumption in braces
    grype
  • Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack
    grype
  • Validation Bypass in kind-of
    grype
  • bcrypt hash detected
    semgrep
    /tmp/scan-psc_e5fba7e1a70c95e12c4db2b7a8f5b92c/repo/artifacts/db-reset.js:19
  • bcrypt hash detected
    semgrep
    /tmp/scan-psc_e5fba7e1a70c95e12c4db2b7a8f5b92c/repo/artifacts/db-reset.js:28
  • bcrypt hash detected
    semgrep
    /tmp/scan-psc_e5fba7e1a70c95e12c4db2b7a8f5b92c/repo/artifacts/db-reset.js:36
  • Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process.
    Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible.
    semgrep
    /tmp/scan-psc_e5fba7e1a70c95e12c4db2b7a8f5b92c/repo/app/routes/contributions.js:32
  • Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process.
    Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible.
    semgrep
    /tmp/scan-psc_e5fba7e1a70c95e12c4db2b7a8f5b92c/repo/app/routes/contributions.js:33
  • Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process.
    Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible.
    semgrep
    /tmp/scan-psc_e5fba7e1a70c95e12c4db2b7a8f5b92c/repo/app/routes/contributions.js:34
  • Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.
    semgrep
    /tmp/scan-psc_e5fba7e1a70c95e12c4db2b7a8f5b92c/repo/artifacts/cert/server.key:1
  • A vulnerability classified as problematic has been found in debug-js d ...
    A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to addr…
    trivy
  • Arbitrary local file read vulnerability during template rendering
    Directory traversal vulnerability in swig-templates thru 2.0.4 and swig thru 1.4.2, allows attackers to read arbitrary files via the include or extends tags.
    trivy
  • body-parser: Denial of Service Vulnerability in body-parser
    body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This is…
    trivy
  • braces: fails to limit the number of characters it can handle
    The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program …
    trivy
  • decode-uri-component: improper input validation resulting in DoS
    decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
    trivy
  • Denial of Service in mongodb
    Versions of `mongodb` prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application. ## Recommendation Upgrade to version 3.1.13 or later.
    trivy
  • express: "qs" prototype poisoning causes the hang of the node process
    qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payloa…
    trivy
  • inflect vulnerable to Inefficient Regular Expression Complexity
    inflect is vulnerable to Inefficient Regular Expression Complexity
    trivy
  • marked: regular expression block.def may lead Denial of Service
    Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable versi…
    trivy
  • marked: regular expression inline.reflinkSearch may lead Denial of Service
    Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of mark…
    trivy
  • minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-a…
    trivy
  • minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh…
    trivy
  • minimatch: minimatch: Denial of Service via specially crafted glob patterns
    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact…
    trivy
  • nconf: Prototype pollution in memory store
    This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By provi…
    trivy
  • nconf: Prototype pollution in memory store
    This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By provi…
    trivy
  • node-tar: hardlink path traversal via drive-relative linkpath
    node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar…
    trivy
  • node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation
    node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as t…
    trivy
  • node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
    node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that b…
    trivy
  • node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
    node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading t…
    trivy
  • node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition
    node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS AP…
    trivy
  • nodejs-ini: Prototype pollution via malicious INI file
    This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
    trivy
  • nodejs-kind-of: ctorName in index.js allows external user input to overwrite certain internal attributes
    ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection r…
    trivy
  • nodejs-minimatch: ReDoS via the braceExpand function
    A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
    trivy
  • nodejs-semver: Regular expression denial of service
    Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
    trivy
  • nodejs-semver: Regular expression denial of service
    Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
    trivy
  • nodejs-set-value: type confusion allows bypass of CVE-2019-10747
    This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
    trivy
  • nodejs-set-value: type confusion allows bypass of CVE-2019-10747
    This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
    trivy
  • nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
    The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not e…
    trivy
  • nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite
    The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into rel…
    trivy
  • nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite
    The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not e…
    trivy
  • nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
    The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This i…
    trivy
  • nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
    The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This …
    trivy
  • nodejs-y18n: prototype pollution vulnerability
    The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
    trivy
  • path-to-regexp: Backtracking regular expressions cause ReDoS
    path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will…
    trivy
  • path-to-regexp: path-to-regexp Unpatched `path-to-regexp` ReDoS in 0.1.x
    path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path…
    trivy
  • path-to-regexp: path-to-regexp: Denial of Service via catastrophic backtracking from malformed URL parameters
    Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambigu…
    trivy
  • tar: tar: File overwrite via drive-relative symlink traversal
    node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd dur…
    trivy
  • The marked module is vulnerable to a regular expression denial of serv ...
    The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.
    trivy
  • Underscore.js: Underscore.js: Denial of Service via recursive data structures in flatten and isEqual functions
    Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a s…
    trivy

This report is public.