Vulnerabilities

Learn more about vulnerabilities and exploits from our dedicated security team and others.

Fixing XXE Vulnerabilities in Nokogiri

We recently added a pair of high-severity XML External Entities (XXE) vulnerabilities found in the Nokogiri library to our vulnerability database. This post explains how the vulnerabilities work and how to fix them in your application. Nokogiri is a very popular library for parsing and extracting data from XML, SAX, Reader or HTML […]

February 14, 2017

Understanding Responsible Disclosures

Addressing security vulnerabilities is a constant battle. It’s a race between attackers and the organizations trying to keep them out. Unfortunately, the organizations lose frequently. As former FBI director Robert Mueller put it, “…there are only two types of companies: those that have been hacked and those that will be.” To defend your system, you […]

January 31, 2017

Regular Expression Denial of Service (ReDoS) and Catastrophic Backtracking

Regular expressions are an easily overlooked source of denial-of-service risk: a pattern that backtracks catastrophically lets a short, crafted input keep a CPU core busy for seconds or longer. In this post we explain what a regular expression denial of service is and how to prevent it.
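As an added example (not code from the original post, which is only summarized here), the following Node.js script models why the classic nested-quantifier pattern /^(a+)+$/ backtracks catastrophically, times the real engine on crafted input, and shows two mitigations: an unambiguous pattern and an input-length cap. The helper names, the MAX_INPUT limit and the sample inputs are assumptions made for this demo, not part of any library.

```javascript
// Added example, not code from the original post: a model of why /^(a+)+$/
// backtracks catastrophically, and two mitigations (an unambiguous pattern and
// an input-length cap). MAX_INPUT and the helper names are assumptions for
// this demo, not part of any library.

// Vulnerable pattern: a nested quantifier. When the overall match fails, the
// engine retries every way of splitting the run of "a"s between the inner and
// outer groups before giving up, so the work grows as 2^n.
const VULNERABLE = /^(a+)+$/;

// Same language (one or more "a") expressed without ambiguity, so a failing
// input is rejected after a single linear scan.
const SAFE = /^a+$/;

// Upper bound on input length accepted by safeMatch (assumed value).
const MAX_INPUT = 64;

// Crafted input: n letters "a" followed by a character the pattern cannot match.
function evilInput(n) {
  return 'a'.repeat(n) + '!';
}

// Models how a backtracking engine evaluates /^(a+)+$/: at each position the
// outer group tries every possible length for the inner a+, longest first, and
// recurses. Returns whether the input matched and how many attempts were made.
// For evilInput(n) the attempt count is 2^n - 1.
function backtrackingSteps(input) {
  let steps = 0;
  function outer(pos) {
    if (pos === input.length) return true; // reached $: match
    let end = pos;
    while (end < input.length && input[end] === 'a') end++;
    for (let k = end - pos; k >= 1; k--) { // greedy: longest inner a+ first
      steps++;
      if (outer(pos + k)) return true;
    }
    return false; // every split failed: backtrack to the caller
  }
  const matched = outer(0);
  return { matched, steps };
}

// Mitigation: bound the input first, then match with the unambiguous pattern.
// The cap alone bounds the worst case even when a pattern cannot be rewritten.
function safeMatch(input) {
  if (typeof input !== 'string' || input.length > MAX_INPUT) return false;
  return SAFE.test(input);
}

// Wall-clock check of the real engine; n is kept small so this runs quickly.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

for (const n of [8, 12, 16]) {
  const input = evilInput(n);
  const model = backtrackingSteps(input);
  const real = timeMatch(VULNERABLE, input);
  const fixed = timeMatch(SAFE, input);
  console.log(`n=${n}: modeled attempts=${model.steps}, ` +
    `vulnerable ${real.ms.toFixed(3)} ms, safe ${fixed.ms.toFixed(3)} ms`);
}
console.log('safeMatch("aaaa") =', safeMatch('aaaa'));
console.log('safeMatch(evilInput(80)) =', safeMatch(evilInput(80)));
```

Run it with node. The modeled attempt count doubles with every extra character, which is the signature of catastrophic backtracking; rewriting the pattern removes the ambiguity, and the length cap is the defence that still holds when a pattern cannot be rewritten or comes from a dependency you do not control.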

January 17, 2017

The MongoDB hack and the importance of secure defaults

There's a widespread attack on insecure MongoDB installs that has resulted in over 28,000 databases being held for ransom. This post explains the hack, how to protect yourself and what we can learn from it.

January 10, 2017

Fixing a Remote Code Execution Vulnerability in EJS

This week we added a high-severity Remote Code Execution vulnerability in the EJS package to our vulnerability database. EJS (Embedded JavaScript Templates) is a fast, simple and very popular JavaScript templating engine. EJS provides a few different options for you to render a template. Two of them, render and renderFile are fairly similar, the only […]

November 30, 2016

Fixing SQL Injection: ORM is not enough

Using a programmable SQL interface such as an ORM (Object Relational Mapping) is a good way to reduce the risk of SQL injection, a vulnerability with severe consequences. However, ORM packages are not bulletproof. This post explains why you shouldn't put all your SQL injection protection eggs in the ORM basket, and what more you can do.

June 8, 2016

Fixing `marked` XSS vulnerability

A recently published vulnerability in the npm `marked` package shows how attackers can use the flexibility of the Markdown format to introduce Cross-Site Scripting vulnerabilities. This post explains the issue and the fix, and discusses the difficulty of sanitizing complex user input.

May 16, 2016