Last year, during a tangent for a project, Kevin and I found a series of vulnerabilities in (combinations of) several Node.js packages that led to critical issues for our client, and most likely other users as well.

It was a lot of fun learning about all the ways that logic in JavaScript code like this can break, mostly by abusing its dynamic typing and oddities like __proto__. All in all, this resulted in 6 CVEs in three different packages (Feathers.js, Sequelize and Socket.IO).

You can read the full write-up here.

  • CVE-2022-29822 - Feathers - Improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection
  • CVE-2022-2422 - Feathers - SQL injection via attribute aliases
  • CVE-2023-22580 - Sequelize - Bad query filtering leading to SQL errors
  • CVE-2023-22579 - Sequelize - Unsafe fall-through in getWhereConditions
  • CVE-2023-22578 - Sequelize - Default support for “raw attributes” when using parentheses
  • CVE-2022-2421 - Socket.IO - Improper type validation in attachment parsing
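The common thread above is untrusted input whose type or shape was not what the code assumed: a "string" filter value that is really an array or object, or an object carrying a `__proto__` key. As an added illustration (this is not code from the original write-up or from any of the packages listed, and the function names, the allow-list and the filter shape are hypothetical), here is a small defensive validator for a user-supplied filter object that rejects non-scalar values, prototype-polluting keys and unknown column names before anything reaches a query builder:

```javascript
// Added example, not part of the original post or the affected packages.
// Keys that must never be accepted from user input: setting any of them on a
// plain object can reach Object.prototype and change behaviour application-wide.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain string/number/boolean scalars pass. Query-string and JSON parsers
// happily turn a field into an array or an object (e.g. ?name[$ne]=x), and
// code that only expects strings will often pass such values straight through.
function isScalar(value) {
  const t = typeof value;
  return t === 'string' || t === 'number' || t === 'boolean';
}

// Validate `input` against an allow-list of column names (hypothetical API).
// Returns { ok: true, filter } with a null-prototype copy of the accepted
// pairs, or { ok: false, reason } describing the first problem found.
function validateFilter(input, allowedColumns) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, reason: 'filter must be a plain object' };
  }
  // A null-prototype object has no __proto__ accessor to trip over.
  const clean = Object.create(null);
  // Object.keys only lists own properties, so a "__proto__" key that came
  // from JSON.parse shows up here and can be rejected explicitly.
  for (const key of Object.keys(input)) {
    if (FORBIDDEN_KEYS.has(key)) {
      return { ok: false, reason: `forbidden key: ${key}` };
    }
    if (!allowedColumns.includes(key)) {
      return { ok: false, reason: `unknown column: ${key}` };
    }
    const value = input[key];
    if (!isScalar(value)) {
      return { ok: false, reason: `value for ${key} must be a scalar` };
    }
    clean[key] = value;
  }
  return { ok: true, filter: clean };
}

// Constructed sample inputs, as a route handler might receive them.
const ALLOWED_COLUMNS = ['name', 'age'];
console.log(validateFilter({ name: 'alice', age: 30 }, ALLOWED_COLUMNS));
console.log(validateFilter({ name: { $ne: 'x' } }, ALLOWED_COLUMNS));
console.log(validateFilter(JSON.parse('{"__proto__": {"admin": true}}'), ALLOWED_COLUMNS));
```

The point of the allow-list is that column names end up unquoted in generated SQL far more often than values do, so they deserve the same scrutiny; and the scalar check is what stops an operator object (the `{ $ne: ... }` shape) from being interpreted by a query builder as anything other than a literal.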