Command injection vulnerability via unsanitized CLI arguments in touxing/fast-git-clone
A command injection vulnerability exists for this command line tool that is available on the npmjs registry.
A Command Injection vulnerability has been disclosed in the `willitmerge` npm package that allows attackers to execute arbitrary commands on the host system by leveraging insecure child process execution practices.
MCP Servers are increasingly popular for AI-driven workflows. However, I discovered a directory traversal vulnerability in the Mastra AI Frameworks MCP Server that could expose sensitive information. This article explores the flaw, its exploitation, and mitigation strategies.
Explore unknown npx commands and tips to enhance your Node.js workflow. This cheatsheet covers everything from running packages without global installs to finding executable paths and using npx with specific Node versions.
How to set up an isolated Node.js local development environment with VS Code DevContainers and 1Password to keep secrets out of your filesystem and avoid supply chain security incidents like shai-hulud, qix maintainer compromise and others.
The MCP Database Server by ExecuteAutomation had a critical vulnerability that allowed SQL injection attacks, bypassing its "read-only" mode. This article explores the flaw, its exploitation, and mitigation strategies.