The Node.js Secure Coding Blog

Flawed Git Promises Library on npm Leads to Command Injection Vulnerability
A promising Git library turns into a security nightmare when it harbors command injection vulnerabilities. Learn how to avoid these risks in your Node.js applications.
Feb 17, 2025 ~ 5 min read
nodejs
git
command injection
cve
Regex Gone Wrong: How parse-duration npm Package Can Crash Your Node.js App
An in-depth analysis of two critical availability vulnerabilities in the parse-duration npm package, showing how regex patterns can lead to event loop delays and memory crashes in Node.js applications.
Feb 13, 2025 ~ 5 min read
parse-duration
redos
denial of service
vulnerability
How I found an XSS in the Nuxt MDC Library for Markdown Content
Are you using the Nuxt MDC library to render LLM generated content in your Nuxt.js apps? You want to read this article to understand how I came to find a Cross-site Scripting vulnerability identified today as CVE-2025-24981
Feb 11, 2025 ~ 7 min read
nuxt
xss
vulnerability
cve
Holes in the Safety Net: Bypassing SSRF Protection in safe-axios
Analyzing a vulnerability in safe-axios, an npm package designed to safeguard applications from SSRF attacks.
Feb 6, 2025 ~ 2 min read
nodejs
ssrf
vulnerability
cve
How to Parse URLs from Markdown to HTML Securely?
What if I told you that parsing URLs from user input, especially from Markdown content, can be a security risk? Here is how URL parsing logic an be bypassed and what you need to know to handle it in a secure way.
Jan 30, 2025 ~ 9 min read
nodejs
parsing
secure coding
markdown
url
NPM Ignore Scripts Best Practices as Security Mitigation for Malicious Packages
Learn about the npm `ignore-scripts` flag and how to use it to prevent the execution of arbitrary commands from malicious npm packages.
Jan 23, 2025 ~ 7 min read
npm
ignore scripts
malicious packages

Newer posts

Older posts