| Field | Value |
|---|---|
| [PRODUCT] | check-peer-dependencies |
| [VERSION] | 4.3.4 |
| [PROBLEM TYPE] | OS Command Injection (CWE-78) |
| [DESCRIPTION] | The Node.js package check-peer-dependencies contains an OS Command Injection vulnerability. This occurs because the library does not properly sanitize or validate package names extracted from the peerDependencies keys in package.json files before passing them directly to the shelljs.exec() function in files like dist/solution.js and dist/packageManager.js. An attacker can exploit this by crafting a malicious package.json file containing shell metacharacters (such as ;, &, or \|) in the dependency names, leading to arbitrary system command execution when the tool attempts to check for solutions or install missing dependencies (e.g., via the --findSolutions or --install flags). |
| [POC] | `const checkPeerDeps = require('check-peer-dependencies');` |
| Field | Value |
|---|---|
| [PRODUCT] | xmlhttprequest |
| [VERSION] | 1.8.0 |
| [PROBLEM TYPE] | Arbitrary File Read |
| [DESCRIPTION] | The xmlhttprequest library (v1.8.0) is vulnerable to Arbitrary File Read due to the insecure handling of the file:// URI scheme within the send method in /lib/XMLHttpRequest.js. When a request is initialized via open() with a URL using the file protocol, the library bypasses network stack logic and directly utilizes the native fs.readFile or fs.readFileSync modules to retrieve data. Because the implementation fails to implement a sandbox or validate the file path against a whitelist, a remote attacker who can influence the URL parameter can exploit this to read sensitive system files (e.g., /etc/passwd, configuration files, or SSH keys) that the Node.js process has permission to access, leading to critical information disclosure. |
| [POC] | ```javascript |
| Field | Value |
|---|---|
| [PRODUCT] | @expo/sudo-prompt |
| [VERSION] | 9.3.2 |
| [PROBLEM TYPE] | Command Injection |
| [DESCRIPTION] | The Node.js package @expo/sudo-prompt with version 9.3.2 contains a command injection vulnerability. This occurs because the library fails to properly sanitize environment variable values before concatenating them into a shell command string that is executed with elevated privileges. |
| [POC] | |
| Field | Value |
|---|---|
| [CVE ID] | CVE-2025-61140 |
| [PRODUCT] | jsonpath 1.1.1 |
| [VERSION] | jsonpath 1.1.1 |
| [PROBLEM TYPE] | Prototype Pollution |
| [DESCRIPTION] | The Node.js package jsonpath 1.1.1 contains a Prototype Pollution vulnerability. This occurs because the library does not properly sanitize or validate special object keys (such as __proto__, constructor, or prototype) within path expressions in lib/index.js. An attacker can exploit this via methods such as value() to modify the global Object.prototype. |
| Field | Value |
|---|---|
| [CVE ID] | CVE-2025-57285 |
| [PRODUCT] | codeceptjs 3.7.3 |
| [VERSION] | codeceptjs 3.7.3 |
| [DESCRIPTION] | codeceptjs 3.7.3 contains a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync command directly concatenates the user-controlled directoryPath parameter without sanitization or escaping, allowing attackers to execute arbitrary commands. |
| [PROBLEM TYPE] | Command Injection |
| Field | Value |
|---|---|
| [CVE ID] | CVE-2025-57283 |
| [PRODUCT] | browserstack-local 1.5.8 |
| [VERSION] | browserstack-local 1.5.8 |
| [PROBLEM TYPE] | Command Injection |
| [DESCRIPTION] | The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js. |
| Field | Value |
|---|---|
| [CVE ID] | CVE-2025-57282 |
| [PRODUCT] | ngrok 5.0.0-beta.2 |
| [VERSION] | ngrok 5.0.0-beta.2 |
| [PROBLEM TYPE] | Command Injection |
| [DESCRIPTION] | ngrok 5.0.0-beta.2 is vulnerable to Command Injection. |