https://github.com/jacksongl/npm-vuln-poc
Vulnerabilities discovered in npm packages [Berkeley PL & Security Research]
cve javascript node-js npm proof-of-concept security vulnerabilities
- Host: GitHub
- URL: https://github.com/jacksongl/npm-vuln-poc
- Owner: JacksonGL
- License: bsd-3-clause
- Created: 2017-04-17T20:35:12.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2024-06-22T13:37:14.000Z (6 months ago)
- Last Synced: 2024-12-10T07:21:22.838Z (15 days ago)
- Topics: cve, javascript, node-js, npm, proof-of-concept, security, vulnerabilities
- Language: Shell
- Homepage:
- Size: 260 KB
- Stars: 43
- Watchers: 6
- Forks: 12
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: license.md
README
# NPM-Vuln-PoC
This repository contains the proof-of-concepts for vulnerabilities discovered in npm packages.
**Warning:** This repo will install vulnerable npm packages and test them to demonstrate the vulnerabilities. So running this project in a **VM** (with **Linux** or **Mac OS**) is highly recommended.
To reproduce the vulnerabilities, first install the vulnerable packages:
```
npm install
```

The following vulnerable packages require a global install or root privilege:

```
sudo npm install [email protected]
sudo npm install [email protected]
sudo npm install [email protected]
```

Then, start the PoC testing script:

```
sudo ./PoC.sh
```

**Notice:** some vulnerable packages start a web server on port 80, which requires root privilege. Therefore, `sudo` is prefixed in the above command.
Some vulnerable packages use APIs that are deprecated in Node.js v7.1+. To reproduce those vulnerabilities, try Node.js v4.6.x or Node.js v6.x.
Versions of those vulnerable packages can be found in the [package.json](package.json) file.