
Vulnerabilities from the last week
XML Entity Expansion
fast-xml-parser is a package to validate, parse, and build XML without C/C++ based libraries.
Affected versions of this package are vulnerable to XML Entity Expansion in replaceEntitiesValue() when handling excessive DOCTYPE input. An attacker can cause excessive resource consumption and make the application unresponsive by submitting malicious XML input with large text entities referenced multiple times. This is a bypass for Billion Laughs protection in DocTypeReader.js, which prevents excessive referencing within an entity, but doesn't prevent repeated expansion of large entities.
Malicious Package
bignum is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package's authorship.
Directory Traversal
org.webjars.npm:tar is a full-featured Tar for Node.js.
Affected versions of this package are vulnerable to Directory Traversal via the extract() function. An attacker can read or write files outside the intended extraction directory by causing the application to extract a malicious archive containing a chain of symlinks leading to a hardlink, which bypasses path validation checks.
Recent vulnerabilities disclosed by Snyk
- [M] Infinite loop in bn.js (npm)
- [H] Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in directorytree/imapengine (composer)
- [M] Regular Expression Denial of Service (ReDoS) in markdown-it (npm)
- [C] Arbitrary Code Injection in jsonpath (npm)
- [H] CRLF Injection in github.com/lxc/incus/v6/internal/instance (golang)
Snyk security researchers have disclosed 3466 vulnerabilities
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.




