Vulnerabilities

Learn more about vulnerabilities and exploits from our dedicated security team and others.

Understanding filesystem takeover vulnerabilities in npm JavaScript package manager

On the 11th of December, 2019, a security vulnerability which extends to all major JavaScript package managers (npm, yarn and pnpm) was publicly disclosed. This vulnerability, discovered by security researcher Daniel Ruf, allows malicious actors to apply varied tactics of arbitrary file overwrites. In this article: How do Node.js command line packages work? How does […]

January 7, 2020

Malicious packages found to be typo-squatting in Python Package Index

Two malicious packages were removed from the Python Package Index (PyPI) this week. These packages, jeIlyfish (a misspelling of the package jellyfish only noticeable when using certain fonts) and python3-dateutil (impersonating the popular dateutil package), were taking advantage of something called “typo-squatting”. Typo-squatting occurs when a malicious package is uploaded with a name similar to […]

December 5, 2019

Snyk Unifies Open Source and Container Security for Coveo

It’s an exciting time for our team with the recent launch of Snyk Container and just coming back from KubeCon. The best validation though comes when users and customers find Snyk’s products valuable to their business. Coveo, which uses artificial intelligence technology to personalize millions of digital experiences, started using Snyk for license management last […]

November 22, 2019

See Snyk and GitHub in action at GitHub Universe

At Snyk, we are committed to building security tools that help developers shift security left to embrace security and quality as early, easily, and efficiently as possible. With the recent beta release of GitHub Actions, we decided to look at how we could help GitHub users adopt better security controls for DevOps and CI/CD workflows. […]

November 13, 2019

Why npm lockfiles can be a security blindspot for injecting malicious modules

I recently started playing around with the idea of threat modeling packages on the npm ecosystem. Can an event-stream incident happen again? How about other supply chain attacks? What will be the next vector of attack that we haven’t seen yet and might it be entirely preventable? And then, one day I had a eureka! […]

September 24, 2019

Sequelize ORM npm library found vulnerable to SQL Injection attacks

Object-Relational Mappers, also commonly referred to as ORMs, are a set of SQL libraries that help developers manage their database code by abstracting it into language constructs. SQL ORM libraries have been found to be great for SQL Injection prevention, but unfortunately they themselves may have security bugs that open the door for application-level SQL […]

September 11, 2019

Code execution back door found in Ruby’s rest-client library

On August 19th, 2019, rest-client, a simple HTTP and REST client for Ruby, reported a new security threat. A maintainer’s RubyGem account was compromised and a malicious third party installed a code execution back door. The exploit affects versions greater than 1.6.10 and less than 1.7.0.rc1. What happened? GitHub user juskoljo raised an issue on […]

August 21, 2019

Jackson Deserialization Vulnerability

On July 29th, 2019, a high severity Deserialization of Untrusted Data vulnerability (CVE-2019-14379, CVE-2019-14439) affecting all versions of com.fasterxml.jackson.core:jackson-databind up to 2.9.9.2 was published. For those of you who use Spring Boot, note that the current release (2.1.7) depends on the older vulnerable jackson-databind 2.9.9 package. We have already updated this in our database […]

August 21, 2019

A year-old dormant malicious remote code execution vulnerability discovered in Webmin

On August 17, 2019, the Webmin team announced the release of Webmin 1.930 and Usermin 1.780. These releases address a newly discovered remote command execution vulnerability found in Webmin versions 1.890 through 1.920. This vulnerability has been present for more than a year and was introduced by a malicious third party. Webmin is an interface […]

August 20, 2019

Remote code execution, cross-site scripting, and denial of service vulnerabilities account for 2/3 of known vulnerabilities in .NET ecosystem

Welcome to our new security report: .NET open source security insights. This report is split into three posts: .NET open source security insights; Unique to the .NET ecosystem, 75% of the top twenty vulnerabilities have a high severity rating; Remote code execution, cross-site scripting, and denial of service vulnerabilities account for 2/3 of known vulnerabilities […]

July 25, 2019

Unique to the .NET ecosystem, 75% of the top twenty vulnerabilities have a high severity rating

Welcome to our new security report: .NET open source security insights. This report is split into three posts: .NET open source security insights; Unique to the .NET ecosystem, 75% of the top twenty vulnerabilities have a high severity rating; Remote code execution, cross-site scripting, and denial of service vulnerabilities account for 2/3 of known vulnerabilities […]

July 25, 2019