Node.js third-party modules vulnerability – Nov 2018 | Cyber security technical information

Preface:
Node.js is an open source, cross-platform built on Chrome’s JavaScript runtime for fast and scalable server-side and networking applications.

Known technical concerns:
Node.js has a set of built-in modules which you can use without any further installation.
In order to enhance the function and effectiveness, the 3rd party modules are available to operate with node.js framework. Since node.js is a runtime environment for the JavaScript-based applications. JavaScript is built into your browser software (IE, Chrome, Firefox, and Safari). JavaScript is used by HTML code to provide two-way communication between your browser and the web server without you needing to refresh the web page.
So, in certain circumstances, it is bring out the security concerns.

Known vulnerability modules:

Prototype Pollution Vulnerability in cached-path-relative Package
https://hackerone.com/reports/390847

[tianma-static] Stored xss on filename
https://hackerone.com/reports/403692

[takeapeek] Path traversal allow to expose directory and files
https://hackerone.com/reports/403736

antihackingonline.com