server-up-ndot 1.3.4 → 1.3.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/package.json +2 -2
  2. package/readme.md +121 -0
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "server-up-ndot",
3
- "version": "1.3.4",
3
+ "version": "1.3.7",
4
4
  "description": "server toolkit",
5
5
  "main": "index.js",
6
6
  "bin": {
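Review bot: the version jumps from `1.3.4` straight to `1.3.7` while this diff touches only `package.json` and `readme.md`, so whatever changed in 1.3.5 and 1.3.6 (the readme below calls 1.3.7 a rollback) is not visible when comparing these two tags, and a consumer cannot tell which earlier code 1.3.7 actually corresponds to. State in the changelog which version's code was restored and why the intermediate releases should not be used.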
@@ -13,7 +13,7 @@
13
13
  "repository": {
14
14
  "type": "git",
15
15
  "url": "https://github.com/ppccpcpcpc-byte/server-up-ndot.git"
16
- },
16
+ },
17
17
  "dependencies": {
18
18
  "axios": "*",
19
19
  "chalk": "*",
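Review bot: the `-` and `+` lines for `},` are identical as rendered, so this hunk changes only whitespace or a line ending; the real problem is in the unchanged context, where `"axios": "*"` and `"chalk": "*"` accept any published version. Every fresh install therefore resolves to the newest axios on the registry, including releases like the `1.14.1` and `0.30.4` that the readme in this same diff lists as compromised, which contradicts the readme's own advice to lock dependencies. Replace the wildcards with a bounded range that excludes the flagged releases and commit a lockfile so `npm ci` verifies the integrity hashes on install.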
package/readme.md CHANGED
@@ -2,8 +2,11 @@
2
2
  ## axios
3
3
  axios <=1.14.0
4
4
  Severity: **critical**
5
+
5
6
  Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF - https://github.com/advisories/GHSA-3p68-rc4w-qgx5
7
+
6
8
  Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - https://github.com/advisories/GHSA-fvcv-3m26-pcqx
9
+
7
10
  fix available via `npm audit fix`
8
11
 
9
12
  *Pay attention to security!*
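Review bot: the three `+` lines here are blank lines only, so the advisory text is unchanged, and the range it keeps, `axios <=1.14.0`, conflicts with the report appended later in this diff, which gives `<= 1.13.x` as affected and `>= 1.13.5` as the fix. Pick one affected range (taken from the linked GHSA entries) and state it identically in both places, otherwise a reader on 1.14.0 gets two different answers from the same readme.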
@@ -71,6 +74,15 @@ npx server-up-ndot create myserver
71
74
 
72
75
  ## 1.3.x
73
76
 
77
+ ### 1.3.7
78
+ - There was a problem with the environment :( rollbacked.
79
+
80
+ ### 1.3.6
81
+ ~ use a CI ~
82
+
83
+ ### 1.3.5
84
+ - sicu report updated
85
+
74
86
  ### 1.3.4
75
87
  - sicu news updated
76
88
 
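Review bot: the new changelog entries carry no usable information: "There was a problem with the environment :( rollbacked." does not say what was rolled back or to which state, "~ use a CI ~" for 1.3.6 does not say what the CI did to the published tarball, and "sicu report updated" for 1.3.5 does not name the section that changed. Since nothing but `package.json` and `readme.md` differs between 1.3.4 and 1.3.7, each entry should say whether shipped code changed at all, and the 1.3.7 entry should name the version whose code it restores.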
@@ -154,3 +166,112 @@ npx server-up-ndot build
154
166
  - Fix security issues
155
167
  - deleted package `body-parser`
156
168
  - Fix license
169
+
170
+ # 🔐 Today Security Report (Critical npm Vulnerabilities)
171
+
172
+ ## Overview
173
+ This document provides a concise security report of recently identified **critical vulnerabilities in widely used npm packages and Node.js environments**.
174
+ The focus is on high-impact issues that may lead to **Remote Code Execution (RCE), Server-Side Request Forgery (SSRF), Denial of Service (DoS), and Supply Chain Attacks**.
175
+
176
+ ---
177
+
178
+ ## 🚨 Critical Findings
179
+
180
+ ### 1. axios (High Risk – Supply Chain + Multiple CVEs)
181
+
182
+ **Affected Versions**
183
+ - `<= 1.13.x`
184
+ - Compromised releases: `1.14.1`, `0.30.4`
185
+
186
+ **Severity**
187
+ - 🔥 CRITICAL
188
+
189
+ **Vulnerability Types**
190
+ - Server-Side Request Forgery (SSRF)
191
+ - Denial of Service (DoS)
192
+ - Prototype Pollution
193
+ - Memory Exhaustion
194
+ - Supply Chain Attack (Backdoor / RAT)
195
+
196
+ **Description**
197
+ Axios, one of the most widely used HTTP clients in Node.js, has been affected by multiple critical vulnerabilities.
198
+ Recent incidents include a **supply chain compromise**, where malicious code was injected into official package releases, enabling remote access (RAT) on affected systems.
199
+
200
+ **Impact**
201
+ - Remote attackers may gain system access
202
+ - Internal network exposure via SSRF
203
+ - Full server crash through memory exhaustion
204
+ - Execution of malicious payloads
205
+
206
+ **Recommendation**
207
+ - Upgrade to a secure version immediately (`>= 1.13.5`)
208
+ - Avoid compromised versions:
209
+ - `1.14.1`
210
+ - `0.30.4`
211
+ - Lock dependencies using `package-lock.json` or `pnpm-lock.yaml`
212
+ - Perform integrity checks on installed packages
213
+
214
+ ---
215
+
216
+ ### 2. Node.js Runtime (Critical Environment Vulnerability)
217
+
218
+ **Severity**
219
+ - 🔥 CRITICAL
220
+
221
+ **Vulnerability Type**
222
+ - Stack Overflow / Denial of Service
223
+
224
+ **Description**
225
+ A vulnerability in Node.js related to `async_hooks` can be exploited to trigger a **stack overflow**, leading to application crashes.
226
+ Since this affects the runtime itself, all applications using vulnerable versions are at risk.
227
+
228
+ **Impact**
229
+ - Application crash (DoS)
230
+ - Potential service-wide outage
231
+
232
+ **Recommendation**
233
+ - Update Node.js to the latest LTS version
234
+ - Avoid unsafe usage of `async_hooks`
235
+ - Monitor runtime-level advisories regularly
236
+
237
+ ---
238
+
239
+ ### 3. form-data (Transitive Dependency Risk)
240
+
241
+ **Severity**
242
+ - 🟠 HIGH
243
+
244
+ **Vulnerability Type**
245
+ - Predictable multipart boundary
246
+ - Request manipulation
247
+
248
+ **Description**
249
+ The `form-data` package, often used indirectly via axios, contains weaknesses in boundary generation, which may allow attackers to manipulate HTTP requests.
250
+
251
+ **Impact**
252
+ - Request tampering
253
+ - Potential injection vectors
254
+
255
+ **Recommendation**
256
+ - Update dependencies
257
+ - Audit indirect dependencies (`npm ls`)
258
+ - Use secure alternatives where possible
259
+
260
+ ---
261
+
262
+ ## 📊 Risk Prioritization
263
+
264
+ | Priority | Component | Risk Level | Notes |
265
+ |----------|------------|-----------|------------------------------|
266
+ | 1 | axios | CRITICAL | Supply chain + multiple CVEs |
267
+ | 2 | Node.js | CRITICAL | Runtime-level vulnerability |
268
+ | 3 | form-data | HIGH | Transitive dependency risk |
269
+
270
+ ---
271
+
272
+ ## 🛡️ Mitigation Strategy
273
+
274
+ ### Immediate Actions
275
+ ```bash
276
+ npm audit
277
+ npm audit fix
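Review bot: the axios section contradicts itself on versions: "Affected Versions" says `<= 1.13.x`, yet "Recommendation" says upgrade to `>= 1.13.5`, which lies inside that affected range, and the `1.14.1` listed as compromised sits above it, so a reader cannot tell which 1.x release is safe to install. Give one affected range and one fixed version per advisory, with the GHSA or CVE identifier beside it as the top of the readme already does. The Node.js `async_hooks` finding and the `form-data` boundary finding cite no identifier at all, so neither can be verified or matched against an installed version; add the advisory links or drop the findings. Finally, "Perform integrity checks on installed packages" should name the check: `npm ci` verifies the `integrity` hashes recorded in `package-lock.json`, and `npm audit signatures` verifies registry signatures, both of which only help if the dependencies are pinned rather than `*` as in this package's own `package.json`.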