Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/jacksongl/npm-vuln-poc

Vulnerabilities discovered in npm packages [Berkeley PL & Security Research]
https://github.com/jacksongl/npm-vuln-poc

cve javascript node-js npm proof-of-concept security vulnerabilities

Last synced: 6 days ago
JSON representation

Vulnerabilities discovered in npm packages [Berkeley PL & Security Research]

Awesome Lists containing this project

README

        

# NPM-Vuln-PoC

This repository contains the proof-of-concepts for vulnerabilities discovered in npm packages.

**Warning:** This repo will install vulnerable npm packages and test them to demonstrate the vulnerabilities. So running this project in a **VM** (with **Linux** or **Mac OS**) is highly recommended.

To reproduce the vulnerabilities, first install the vulnerable packages:

```
npm install
```

The following vulnerable packages require a global install or root privilege:

```
sudo npm install [email protected]
sudo npm install [email protected]
sudo npm install [email protected]
```

Then, start the PoC testing script:

```
sudo ./PoC.sh
```

**Notice:** some vulnerable packages start a web server on port 80, which requires root privilege. Therefore, ```sudo``` is prefixed in the above command.

Some vulnerable packages use APIs that are deprecated in Node.js v7.1+. To reproduce those vulnerabilities, try Node.js v4.6.x or Node.js v6.x.

Versions of those vulnerable packages can be found in the [package.json](package.json) file.