Posted by Thomas Hunter II & filed under Node.js, Security.

There’s a growing risk of maliciously crafted npm modules wreaking havoc on our Node.js applications.

I wrote a post over on my employer's blog entitled The Dangers of Malicious Modules which explains a lot of these dangers. For example, did you know that a module loaded anywhere in your application's dependency chain can completely change the behavior of any core Node.js API? Core modules such as `fs` are cached singletons, so a function that one dependency reassigns at `require()` time is the function every other module in the process calls from then on.

In a related story, Protecting Node.js Applications from Zip Slip, I talk about a path traversal vulnerability when extracting archives whose entry names contain `..` path components (for example `../../etc/cron.d/evil`). An extractor that joins the entry name onto the destination directory without checking the result will write outside that directory, which can be used to clobber existing files.

There are many attack vectors against Node.js applications, and as the ecosystem grows they will only become a more lucrative target.

Thomas Hunter II

Support Thomas on Patreon. Thomas is the author of Advanced Microservices and a prolific public speaker with a passion for reducing complex problems into simple language and diagrams. His career includes working at Fortune 50 companies in the Midwest, co-founding a successful startup, and everything in between.
