The Node.js Secure Coding Blog

An Introduction to SSRF Bypasses and Denylist Failures
Getting hands-on with SSRF bypasses and the pitfalls of denylists.
Mar 5, 2025 ~ 3 min read
nodejs
security
ssrf
Disclosing a Command Injection Vulnerability in `git-checkout-tool`
Ever wondered how interactive CLI prompts can be a security disaster? Here's the case of git-checkout-tool and a command injection vulnerability.
Mar 2, 2025 ~ 3 min read
nodejs
git
command injection
cve
Prisma Raw Query Leads to SQL Injection? Yes and No
Prisma is a popular type-safe ORM for Node.js but just like all abstractions, it comes at a cost and Prisma Raw Query function may lead to SQL injection if not handled correctly.
Feb 27, 2025 ~ 5 min read
nodejs
security
Flawed Git Promises Library on npm Leads to Command Injection Vulnerability
A promising Git library turns into a security nightmare when it harbors command injection vulnerabilities. Learn how to avoid these risks in your Node.js applications.
Feb 17, 2025 ~ 5 min read
nodejs
git
command injection
cve
Regex Gone Wrong: How parse-duration npm Package Can Crash Your Node.js App
An in-depth analysis of two critical availability vulnerabilities in the parse-duration npm package, showing how regex patterns can lead to event loop delays and memory crashes in Node.js applications.
Feb 13, 2025 ~ 5 min read
parse-duration
redos
denial of service
vulnerability
How I found an XSS in the Nuxt MDC Library for Markdown Content
Are you using the Nuxt MDC library to render LLM generated content in your Nuxt.js apps? You want to read this article to understand how I came to find a Cross-site Scripting vulnerability identified today as CVE-2025-24981
Feb 11, 2025 ~ 7 min read
nuxt
xss
vulnerability
cve

Newer posts

Older posts