Sample Vulnerable Node.js Repository

This is a sample Node.js repository created for testing purposes. It includes dependencies with known security vulnerabilities and some code that may trigger CodeQL alerts.

Dependencies with Known Vulnerabilities

express: 4.16.0 (has known CVEs)
lodash: 4.17.4 (has CVE-2019-10744)
minimist: 1.2.0 (has CVE-2020-7598)

Code Vulnerabilities

Command injection in /exec route
Code injection via eval in /eval route

Usage

Install dependencies: npm install
Start the server: npm start
Visit http://localhost:3000/exec?cmd=ls (dangerous!)
Visit http://localhost:3000/eval?code=1+1

Warning: This code is intentionally vulnerable. Do not use in production.

Name		Name	Last commit message	Last commit date
Latest commit History 13 Commits
.bin		.bin
.github/workflows		.github/workflows
@dabh/diagnostics		@dabh/diagnostics
@nodelib		@nodelib
@rc-component/portal		@rc-component/portal
@rushstack		@rushstack
@sequelize		@sequelize
@so-ric/colorspace		@so-ric/colorspace
@types		@types
accepts		accepts
ajv-formats		ajv-formats
ajv		ajv
ansi-regex		ansi-regex
ansis		ansis
array-flatten		array-flatten
bnf-parser		bnf-parser
body-parser		body-parser
braces		braces
bytes		bytes
classnames		classnames
color-convert		color-convert
color-name		color-name
color-string		color-string
color		color
content-disposition		content-disposition
content-type		content-type
cookie-signature		cookie-signature
cookie		cookie
dayjs		dayjs
debug		debug
denque		denque
depd		depd
destroy		destroy
dottie		dottie
ee-first		ee-first
enabled		enabled
encodeurl		encodeurl
encoding		encoding
escape-html		escape-html
etag		etag
express		express
fast-deep-equal		fast-deep-equal
fast-glob		fast-glob
fast-json-stable-stringify		fast-json-stable-stringify
fast-uri		fast-uri
fastq		fastq
fill-range		fill-range
finalhandler		finalhandler
forwarded		forwarded
fresh		fresh
fs-extra		fs-extra
function-bind		function-bind
glob-parent		glob-parent
graceful-fs		graceful-fs
has-flag		has-flag
hasown		hasown
http-errors		http-errors
iconv-lite		iconv-lite
import-lazy		import-lazy
inflection		inflection
inherits		inherits
ipaddr.js		ipaddr.js
is-core-module		is-core-module
is-extglob		is-extglob
is-glob		is-glob
is-number		is-number
is-stream		is-stream
jju		jju
json-schema-traverse		json-schema-traverse
jsonfile		jsonfile
kuler		kuler
lodash		lodash
lru-cache		lru-cache
mariadb		mariadb
marked		marked
media-typer		media-typer
merge-descriptors		merge-descriptors
merge2		merge2
methods		methods
micromatch		micromatch
mime-db		mime-db
mime-types		mime-types
mime		mime
minimist		minimist
ms		ms
negotiator		negotiator
node-fetch		node-fetch
on-finished		on-finished
opener		opener
parseurl		parseurl
path-parse		path-parse
path-to-regexp		path-to-regexp
picomatch		picomatch
proxy-addr		proxy-addr
punycode		punycode
qs		qs
queue-microtask		queue-microtask
range-parser		range-parser
raw-body		raw-body
rc-util		rc-util

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Sample Vulnerable Node.js Repository

Dependencies with Known Vulnerabilities

Code Vulnerabilities

Usage

About

Uh oh!

Releases 30

Packages

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

Sample Vulnerable Node.js Repository

Dependencies with Known Vulnerabilities

Code Vulnerabilities

Usage

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases 30

Packages 0

Uh oh!

Contributors

Uh oh!

Languages

Packages