dannyEndorTest/node-vulnerable
node-vulnerable

This repository is a synthetic demo target for Endor Labs EXPOSURE.

  • The current state is deliberately exploitable: EXPOSURE reports an "exploitable" verdict against it.
  • Tracked CVEs:
    • CVE-2018-21268 — command injection in the traceroute package via the host argument. Exploitable in this baseline, because the host reaches traceroute.trace without any input validation. No upstream fix exists.
    • CVE-2018-3757 — command injection in the pdf-image package via the file-path argument. Not exploitable in this baseline, because the /render route regex-validates the path before constructing PDFImage. No upstream fix exists.
  • A demo PR opened by EXPOSURE swaps src/main.js for a hardened variant that validates the host against a strict hostname regex before calling traceroute.trace. That compensating control closes the reachable path to the vulnerable code without upgrading the dependency (there is no fixed version to upgrade to).
  • The customer effort to apply the fix is one click (review + merge).

This repo is not a production application. It exists only to anchor the EXPOSURE "click → real PR opens" demo against a real GitHub repository.

About

Synthetic demo target for EXPOSURE — CVE-2018-21268 (traceroute) + CVE-2018-3757 (pdf-image)