Node.js and Npm - A Story about One Million Libraries and Their Vulnerabilities

Cristian-Alexandru Staicu


Node.js is a server-side JavaScript platform that is continuously increasing in popularity. Several high-profile websites such as Flickr, Vice or Wordpress use it as their main development platform. In Node.js, developers heavily rely on third party libraries and frameworks, making it a unique development environment. Node Package Manager (npm) is currently the largest software repository in the world, with almost one million entries. However, there is little security screening of these libraries, and there are very few automated tools to aid the security analysts with the inspection. In this talk, we will discuss in detail two classes of security vulnerabilities which affect npm modules: code injections and regular expression denial of service (ReDoS). We show that these problems are widespread in the ecosystem and that developers are very slow to address them. Moreover, we show that vulnerabilities in npm modules affect real-world websites and thus adversaries can leverage this knowledge to attack Node.js applications. Finally, we propose an auto-sanitization solution for mitigating injection attacks in Node.js.


Cristian-Alexandru Staicu is a fifth year PhD student at TU Darmstadt, Germany, advised by Prof. Dr. Michael Pradel. His current research interest is on applying programming language techniques to security problems. In particular, he is working on finding and preventing vulnerabilities specific to server-side JavaScript programs and libraries. His research so far uncovered more than 30 previously unknown vulnerabilities in server-side libraries. The majority of them were acknowledged by the community and considered medium to high severity. Additionally, he is also interested in security and privacy of client-side code. His most recent work revealed privacy vulnerabilities in high-profile websites such as Twitter, Facebook, and Dropbox.

Time and Place

Tuesday, May 14, 4:15pm
Gates 463A