Nodejs-ecosystem


Most disclosed vulnerability type (45 disclosures) — Path Traversal

bl4de has disclosed the most with 31 reports!

191 total issues disclosed

$750 total paid publicly


Accepts reports via HackerOne

Most recently disclosed


[node-downloader-helper] Path traversal via Content-Disposition header

@ Submitted by ryotak
Bug Type: Path Traversal

Disclosed on 2020-11-11

Rating: Medium


[expressjs-ip-control] Whitelist IP bypass leads to authorization bypass and sensitive info disclosure

@ Submitted by mik317
Bug Type: Information Disclosure

Disclosed on 2020-10-29

Rating: Medium


[ts-dot-prop] Prototype Pollution

@ Submitted by prathis
Bug Type: None supplied

Disclosed on 2020-10-29

Rating: Medium


[zenn-cli] Path traversal on Windows allows the attacker to read arbitrary .md files

@ Submitted by ryotak
Bug Type: Path Traversal

Disclosed on 2020-10-29

Rating: Low


[gfc] Command Injection via insecure command formatting

@ Submitted by d3lla
Bug Type: Command Injection - Generic

Disclosed on 2020-10-27

Rating: Critical


[http-live-simulator] Application-level DoS

@ Submitted by ryotak
Bug Type: Denial of Service

Disclosed on 2020-10-27

Rating: Medium


[nested-property] Prototype Pollution

@ Submitted by johnssimon007
Bug Type: Modification of Assumed-Immutable Data (MAID)

Disclosed on 2020-10-27

Rating: Medium


[create-git] RCE via insecure command formatting

@ Submitted by mik317
Bug Type: Code Injection

Disclosed on 2020-10-26

Rating: Critical


[json8-merge-patch] Prototype Pollution

@ Submitted by gkmr
Bug Type: Modification of Assumed-Immutable Data (MAID)

Disclosed on 2020-10-18

Rating: High


[freespace] Command Injection due to Lack of Sanitization

@ Submitted by ansuj
Bug Type: Command Injection - Generic

Disclosed on 2020-10-14

Rating: Medium


[tianma-static] Security issue with XSS.

@ Submitted by wooeong22
Bug Type: Cross-site Scripting (XSS) - Stored

Disclosed on 2020-10-12

Rating: No rating


[m-server] XSS reflected because path does not escapeHtml

@ Submitted by 0xd0ff
Bug Type: Cross-site Scripting (XSS) - Reflected

Disclosed on 2020-09-28

Rating: No rating


[gity] RCE via insecure command formatting

@ Submitted by mik317
Bug Type: Code Injection

Disclosed on 2020-09-24

Rating: Medium


[commit-msg] RCE via insecure command formatting

@ Submitted by mik317
Bug Type: Code Injection

Disclosed on 2020-09-24

Rating: Medium


[git-lib] RCE via insecure command formatting

@ Submitted by mik317
Bug Type: Code Injection

Disclosed on 2020-09-24

Rating: Medium