Cross-Site Scripting (XSS) in Verdaccio

Description

What kind of vulnerability is it? Who is impacted?

Cross-Site Scripting XSS, malicious packages with content Javascript that might be executed in the User Interface stealing user credentials.

Recommendation

Update the verdaccio package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.12.0
• Patched version(s): 3.12.0

References

• GHSA-78j5-gcmf-vqc8
• www.npmjs.com
• CVE-2019-14772
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Nuxt DevTools vulnerable to cross-site scripting (XSS) - CVE-2025-52662
• SQL Injection and Cross-site Scripting in class-validator - CVE-2019-18413
• VvvebJs Reflected Cross-Site Scripting (XSS) vulnerability - CVE-2024-29271
• Cross-site scripting (XSS) in the clipboard package - CVE-2024-45613

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:

npm

verdaccio