A sample Router for a Netflix-like Application.

Known vulnerabilities2
Vulnerable paths2

Arbitrary Code Injection

high severity
  • Vulnerable module: pouchdb
  • Introduced through: pouchdb@4.0.3

Detailed paths

  • Introduced through: falcor-router-demo@1.0.5 pouchdb@4.0.3


pouchDB is an open-source JavaScript database inspired by Apache CouchDB that is designed to run well within the browser.

Vulnerable versions of the package had the evalView function in pouchdb-core to execute the view function without a sandbox. The fix was introduced in version 6.0.5, executing the view function in a sandbox and enforcing strict mode when running in Node.js.

The vulnerability was reported by micaksica.


Upgrade pouchDB to version 6.0.5 or later.


Uninitialized Memory Exposure

medium severity
  • Vulnerable module: bl
  • Introduced through: pouchdb@4.0.3

Detailed paths

  • Introduced through: falcor-router-demo@1.0.5 pouchdb@4.0.3 level-sublevel@6.6.1 levelup@0.19.1 bl@0.8.2


bl is a storage object for collections of Node Buffers.

A possible memory disclosure vulnerability exists when a value of type number is provided to the append() method and results in concatination of uninitialized memory to the buffer collection.

This is a result of unobstructed use of the Buffer constructor, whose insecure default constructor increases the odds of memory leakage.


Constructing a Buffer class with integer N creates a Buffer of length N with raw (not "zero-ed") memory.

In the following example, the first call would allocate 100 bytes of memory, while the second example will allocate the memory needed for the string "100":

// uninitialized Buffer of length 100
            x = new Buffer(100);
            // initialized Buffer with value of '100'
            x = new Buffer('100');

bl's append function uses the default Buffer constructor as-is, making it easy to append uninitialized memory to an existing list. If the value of the buffer list is exposed to users, it may expose raw server side memory, potentially holding secrets, private data and code. This is a similar vulnerability to the infamous Heartbleed flaw in OpenSSL.

const BufferList = require('bl')
            var bl = new BufferList()
            bl.append(new Buffer('abcd'))
            bl.append(new Buffer('efg'))
            // appends a Buffer holding 100 bytes of uninitialized memory
            bl.append(new Buffer('j'))

You can read more about the insecure Buffer behavior on our blog.

Similar vulnerabilities were discovered in request, mongoose, ws and sequelize.