Vulnerabilities

Learn more about vulnerabilities and exploits from our dedicated security team and others.

A post-mortem of the malicious event-stream backdoor

Last week the imaginable happened. A malicious package, flatmap-stream, was published to npm and was later added as a dependency to the widely used event-stream package by user right9ctrl. Some time, and 8 million downloads later, applications all over the web were unwittingly running malicious code in production. We wrote some early thoughts on our […]

December 6, 2018

Malicious code found in npm package event-stream downloaded 8 million times in the past 2.5 months

A widely used npm package, event-stream, has been found to contain a malicious package named flatmap-stream. This was disclosed via a GitHub issue raised against the source repo. The event-stream package makes creating and working with streams easy, and is very popular, getting roughly 2 million downloads a week. The malicious child package has been […]

November 26, 2018

Public Disclosure of a Critical Arbitrary File Overwrite Vulnerability: Zip Slip

The Snyk Security team is today announcing the public disclosure of a critical arbitrary file overwrite vulnerability called Zip Slip. It is a widespread vulnerability which typically results in remote command execution. The vulnerability affects thousands of projects.

June 5, 2018

Attacking an FTP Client: MGETting more than you bargained for

Snyk identified and responsibly disclosed a directory traversal vulnerability found in FTP clients that connect to malicious servers. This post contains the full details of the vulnerability and what you can do to avoid it.

April 4, 2018

Snyk is Now Integrated with Chrome’s Lighthouse

Today we have another exciting announcement: Snyk is now powering the brand-new vulnerable JavaScript audit in Google Chrome’s Lighthouse, the auditing tool built by the Google Chrome team that checks how performant, accessible and secure your site is.

April 3, 2018

What’s a known vulnerability?

A vulnerability is a vulnerability, whether known or not. The key difference between the two is the likelihood that an attacker is aware of the vulnerability, and thus tries to exploit it.

February 6, 2018

77% of 433,000 Sites Use Vulnerable JavaScript Libraries

Last week, we released our first annual State of Open Source Security report. One of the discoveries the report mentions is that an analysis of around 433,000 sites found that 77% of them use at least one front-end JavaScript library with a known security vulnerability. In this post, we take a deep dive into that problem space.

November 21, 2017

Exposed or not, vulnerabilities are dangerous

Whether a vulnerability is currently exposed or not matters, but only for prioritization. Whether it’s exploitable today or not, leaving it unaddressed is an unnecessarily risky decision.

November 8, 2017

XSS Attacks: The Next Wave

It’s been over 10 years since Cross Site Scripting (XSS) became big news; awareness has grown and defenses have become much more sophisticated. But, as we show in this post, recent data indicates XSS attacks are only increasing.

June 8, 2017

Which of the OWASP Top 10 Caused the World’s Biggest Data Breaches?

The OWASP Top 10 is a well-known index of web app security vulnerabilities that is used every day by security professionals, but it doesn't currently take into account how often those vulnerabilities are used by attackers. We dug through security breach records to see which vulnerabilities are exploited most frequently.

May 10, 2017

Fixing a Prototype Override Protection Bypass Vulnerability in qs

Last month, we added a high-severity Prototype Override Protection Bypass vulnerability in the qs package to our database. The fix was released in updated versions of the library about a week ago. This post explains the vulnerability and how to mitigate it. qs is a popular npm package—just under 40 million downloads over the past […]

March 14, 2017