Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/jacksongl/npm-vuln-poc

Vulnerabilities discovered in npm packages [Berkeley PL & Security Research]
cve javascript node-js npm proof-of-concept security vulnerabilities

README

# NPM-Vuln-PoC

This repository contains the proof-of-concepts for vulnerabilities discovered in npm packages.

**Warning:** This repo will install vulnerable npm packages and test them to demonstrate the vulnerabilities, so running this project in a **VM** (with **Linux** or **Mac OS**) is highly recommended.

To reproduce the vulnerabilities, first install the vulnerable packages:

```
npm install
```

The following vulnerable packages require a global install or root privilege:

```
sudo npm install [email protected]
sudo npm install [email protected]
sudo npm install [email protected]
```

Then, start the PoC testing script:

```
sudo ./PoC.sh
```

**Notice:** some vulnerable packages start a web server on port 80, which requires root privilege. This is why `sudo` is prefixed to the command above.

Some vulnerable packages use APIs that are deprecated in Node.js v7.1+. To reproduce those vulnerabilities, try Node.js v4.6.x or Node.js v6.x.

Versions of those vulnerable packages can be found in the [package.json](package.json) file.