npm vulnerabilities: reviewing the security of your dependencies

npm packages play a crucial role in modern web development. However, finding npm vulnerabilities when you install packages is… frustrating. Still, security issues in these packages can expose your applications to security risks.

So here we are, exploring three recent npm vulnerabilities reported in popular npm packages:

1. phin - Information Exposure Through Sent Data

No CVE assigned to the security report for the phin npm package but the vulnerability details are described as:

• Impact: Sensitive information disclosure during HTTP redirects.
• Affected Versions: phin versions below 3.7.1

This vulnerability exists in the phin package, used for making HTTP requests. When following redirects (followRedirects is enabled), affected versions mishandle HTTP headers, potentially exposing sensitive information in outgoing requests after a redirect.

Mitigation against this type of npm vulnerabilities:

• Upgrade phin: Update your application to use phin version 3.7.1 or later. This patched version addresses the vulnerability.
• Consider Alternatives: Explore alternative HTTP client libraries with a well-established security track record.

2. @ladle/react - Directory Traversal

CVE-2023-25341 has been assigned to the security report for the @ladle/react npm package. The vulnerability details are described as:

• Impact: Unauthorized file access on the server.
• Affected Versions: @ladle/react versions below 2.5.2

This vulnerability resides in the npm package @ladle/react, a development environment for React components. Due to improper validation of user input, attackers on the same network can exploit this vulnerability to read arbitrary files accessible to the user by crafting malicious GET requests.

Mitigation strategies for this npm package’s vulnerability:

• Upgrade @ladle/react: Update your application to use @ladle/react version 2.5.2 or later. This version includes a fix for the directory traversal vulnerability.
• Input Validation: Implement robust input validation mechanisms within your application to sanitize user-supplied data before processing.

3. pdf-image - Command Injection

No CVE assigned to the security report for the pdf-image npm package but the vulnerability details are described as:

• Impact: Arbitrary code execution on the server.
• Affected Versions: All versions of pdf-image. This is considerably alarming as there are no upgrade paths available to remediate this npm vulnerability.

The pdf-image package provides functionalities for converting PDFs to images. However, all versions are vulnerable to command injection attacks due to insufficient validation of user input passed to the PDFImage function. An attacker can exploit this to execute arbitrary commands on the server.

Mitigation proposed against command injection vulnerabilities in pdf-image:

• Avoid Untrusted Sources: Do not use pdf-image with untrusted user input or data sources.
• Sanitize Input: Sanitize all user-supplied data before using it with pdf-image functions to remove potentially malicious commands.
• Consider Alternatives: Explore alternative libraries for PDF to image conversion with a strong focus on secure coding practices.

Conclusion

Remember, regularly reviewing your package.json for outdated dependencies and applying security patches is crucial to maintain a secure development environment.

We reviewed some recent npm vulnerabilities disclosed in 2024 but also protecting against common Node.js vulnerabilities is as essential.

Consider using a vulnerability scanner like Snyk and integrating security best practices into your CI/CD pipeline to automate vulnerability detection and mitigation.