Indexed, Verified

Node.js Security

Node.js, Express, and Electron SAST rules aggregated across verified providers.

Fetch pack

greprules pack fetch nodejs-security --engine opengrep
curl https://api.greprules.io/api/packs/nodejs-security.tar.gz -o nodejs-security.tar.gz

Included rules

CVE-2025-11149: Unhandled Fs Sync Exception Dos (cve-2025-11149-unhandled-fs-sync-exception-dos)
CVE-2025-11362: Infinite Redirect Recursion (cve-2025-11362-infinite-redirect-recursion)
CVE-2025-13033: Nodemailer Quoted Address Bypass (cve-2025-13033-nodemailer-quoted-address-bypass)
CVE-2025-53355: Exec Command Injection (cve-2025-53355-exec-command-injection)
CVE-2026-0622: Insecure Jwt Secret Env Fallback (cve-2026-0622-insecure-jwt-secret-env-fallback)
CVE-2026-2265: Dynamic Global Instantiation Or Invocation (cve-2026-2265-dynamic-global-instantiation-or-invocation)
CVE-2026-32094: Shescape Missing Bracket Glob Escape (cve-2026-32094-shescape-missing-bracket-glob-escape)
CVE-2026-41885: Custom Regex Interpolation Unvalidated (cve-2026-41885-custom-regex-interpolation-unvalidated)
CVE-2019-10742: Nodejs Stream Data Handler Reject Without Destroy (cve-2019-10742-nodejs-stream-data-handler-reject-without-destroy)
CVE-2024-28195: Missing Samesite On Express Cookie (cve-2024-28195-missing-samesite-on-express-cookie)
CVE-2024-3025: Nodejs Path Join Unnormalized Filename Traversal (cve-2024-3025-nodejs-path-join-unnormalized-filename-traversal)
CVE-2024-39943: Nodejs Child Process Exec Template Literal Injection (cve-2024-39943-nodejs-child-process-exec-template-literal-injection)
CVE-2024-57190: Express Trusted User Header Forwarded Without Stripping Incoming (cve-2024-57190-express-trusted-user-header-forwarded-without-stripping-incoming)
CVE-2025-11202: Nodejs Child Process Exec Template Literal Injection (cve-2025-11202-nodejs-child-process-exec-template-literal-injection)
CVE-2025-15061: Nodejs Exec Template Literal Command Injection (cve-2025-15061-nodejs-exec-template-literal-command-injection)
CVE-2025-49141: Haxcms Command Injection Git Set Remote (cve-2025-49141-haxcms-command-injection-git-set-remote)
CVE-2025-54063: Insecure Path Sanitization Forward Slash (cve-2025-54063-insecure-path-sanitization-forward-slash)
CVE-2025-59046: Nodejs Child Process Exec Template Literal Injection (cve-2025-59046-nodejs-child-process-exec-template-literal-injection)
CVE-2025-59304: Multer Original Name Path Traversal (cve-2025-59304-multer-original-name-path-traversal)
CVE-2025-61140: Jsonpath Prototype Pollution Cve 2025 61140 (cve-2025-61140-jsonpath-prototype-pollution-cve-2025-61140)
CVE-2025-69971: Hardcoded Jwt Secret (cve-2025-69971-hardcoded-jwt-secret)
CVE-2025-69981: Express File Upload Missing Auth Middleware (cve-2025-69981-express-file-upload-missing-auth-middleware)
CVE-2025-69983: Nodejs Naive Path Traversal Sanitization (cve-2025-69983-nodejs-naive-path-traversal-sanitization)
CVE-2026-21854: Js Auth Bracket Lookup Loose Equality (cve-2026-21854-js-auth-bracket-lookup-loose-equality)
CVE-2026-23744: Hono Node Server Bound To All Interfaces (cve-2026-23744-hono-node-server-bound-to-all-interfaces)
CVE-2026-24781: Vm2 Proxy Handler Missing Construction Token (cve-2026-24781-vm2-proxy-handler-missing-construction-token)
CVE-2026-25639: Javascript Recursive Merge Prototype Pollution (cve-2026-25639-javascript-recursive-merge-prototype-pollution)
CVE-2026-25803: Bcrypt Hash With Hardcoded Password Literal (cve-2026-25803-bcrypt-hash-with-hardcoded-password-literal)
CVE-2026-25938: Express Auth Bypass Via Referer Header (cve-2026-25938-express-auth-bypass-via-referer-header)
CVE-2026-26021: Prototype Pollution Via Includes Guard (cve-2026-26021-prototype-pollution-via-includes-guard)
CVE-2026-26830: Nodejs Child Process Exec Util Format Command Injection (cve-2026-26830-nodejs-child-process-exec-util-format-command-injection)
CVE-2026-26831: Textract Cve 2026 26831 Shell Injection Incomplete Path Escape (cve-2026-26831-textract-cve-2026-26831-shell-injection-incomplete-path-escape)
CVE-2026-26833: Nodejs Child Process Exec String Concat (cve-2026-26833-nodejs-child-process-exec-string-concat)
CVE-2026-26974: Fast Glob Unanchored Recursive Glob Rce (cve-2026-26974-fast-glob-unanchored-recursive-glob-rce)
CVE-2026-27971: Js Require Dynamic Module And Symbol From Input (cve-2026-27971-js-require-dynamic-module-and-symbol-from-input)
CVE-2026-31975: Shell Command Injection Via Cd Template Literal (cve-2026-31975-shell-command-injection-via-cd-template-literal)
CVE-2026-32304: Js Function Constructor Non Literal Body (cve-2026-32304-js-function-constructor-non-literal-body)
CVE-2026-33877: Password Reset Timing Side Channel User Enumeration (cve-2026-33877-password-reset-timing-side-channel-user-enumeration)
CVE-2026-33890: Ts Admin Auth Gated On Loginrequired Config Flag (cve-2026-33890-ts-admin-auth-gated-on-loginrequired-config-flag)
CVE-2026-33979: Sanitizer Config Ignored Empty Array (cve-2026-33979-sanitizer-config-ignored-empty-array)
CVE-2026-33994: Js Prototype Pollution Regex Test Guard (cve-2026-33994-js-prototype-pollution-regex-test-guard)
CVE-2026-40073: Unvalidated Content Length Limit Bypass (cve-2026-40073-unvalidated-content-length-limit-bypass)
CVE-2026-41167: Js Node Postgres Template Literal Sql Injection (cve-2026-41167-js-node-postgres-template-literal-sql-injection)
CVE-2026-41242: Protobufjs Type Constructor Unsanitized Name Code Injection (cve-2026-41242-protobufjs-type-constructor-unsanitized-name-code-injection)
CVE-2026-41500: Command Injection Exec Unsanitized Json (cve-2026-41500-command-injection-exec-unsanitized-json)
CVE-2026-43940: Ai Schema Authtype Missing Profile Constraint (cve-2026-43940-ai-schema-authtype-missing-profile-constraint)
CVE-2026-44313: Ssrf Scheme Only Url Guard Before Server Fetch (cve-2026-44313-ssrf-scheme-only-url-guard-before-server-fetch)
CVE-2026-47139: Bypass Node Internal Modules Filter (cve-2026-47139-bypass-node-internal-modules-filter)
CVE-2026-47140: Node Module Denylist Bypass (cve-2026-47140-node-module-denylist-bypass)
CVE-2026-6057: Nodejs Formdata File Name Path Traversal (cve-2026-6057-nodejs-formdata-file-name-path-traversal)
CVE-2026-6270: Fastify Express Middleware Double Prefix Auth Bypass (cve-2026-6270-fastify-express-middleware-double-prefix-auth-bypass)
CVE-2026-8723: Qs Stringify Comma MaybeMap Unguarded Encoder (cve-2026-8723-qs-stringify-comma-maybemap-unguarded-encoder)