Recent Concerns about Node.js Security


There's a growing risk of maliciously crafted npm modules wreaking havoc on our Node.js applications.

I wrote a post over on my employer's blog entitled The Dangers of Malicious Modules which explains many of these dangers. For example, did you know that a module loaded anywhere in your application's dependency chain can completely change the behavior of any internal Node.js API?

In a related story, Protecting Node.js Applications from Zip Slip, I talk about a path traversal vulnerability that arises when extracting archives whose entries contain `..` directory components in their paths. This can be used to clobber existing files outside the extraction directory.

There are many attack vectors against Node.js applications, and over time they will only become a more lucrative target.


Thomas has contributed to dozens of enterprise Node.js services and has worked for a company dedicated to securing Node.js. He has spoken at several conferences on Node.js and JavaScript, is an O'Reilly published author, and is an organizer of NodeSchool SF.