Top issues
Detected presence of severe vulnerabilities with active exploitation.
Causes risk: actively exploited vulnerabilities
vulnerabilities
Problem
Software composition analysis has identified a component with one or more known severe vulnerabilities. Available threat intelligence telemetry has confirmed that the reported high or critical severity vulnerabilities are actively being exploited by malicious actors.Prevalence in npm community
34 packages
found in
Top 100
152 packages
found in
Top 1k
1955 packages
found in
Top 10k
777714 packages
in community
Next steps
We strongly advise updating the component to the latest version.
If the update can't resolve the issue, create a plan to isolate or replace the affected component.
Detected presence of critical severity vulnerabilities.
Causes risk: critical severity vulnerabilities
vulnerabilities
Problem
Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as critical severity.Prevalence in npm community
9 packages
found in
Top 100
76 packages
found in
Top 1k
1295 packages
found in
Top 10k
447752 packages
in community
Next steps
Perform impact analysis for the reported CVEs.
We strongly advise updating the component to the latest version.
If the update can't resolve the issue, create a plan to isolate or replace the affected component.
Detected presence of high severity vulnerabilities.
Causes risk: high severity vulnerabilities
vulnerabilities
Problem
Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as high severity.Prevalence in npm community
32 packages
found in
Top 100
168 packages
found in
Top 1k
2061 packages
found in
Top 10k
805890 packages
in community
Next steps
Perform impact analysis for the reported CVEs.
Update the component to the latest version.
If the update can't resolve the issue, create a plan to isolate or replace the affected component.
Detected Linux executable files compiled without any kind of buffer overrun protection while using banned input functions.
Causes risk: misconfigured toolchains detected
hardening
Problem
Buffer overrun protection on Linux is achieved in two ways. The most common solution is to use the stack canary (also called cookie). The stack canary is a special value written onto the stack that allows the operating system to detect and terminate the program if a stack overrun occurs. In most cases, compilers will apply the stack canary conservatively in order to avoid a negative performance impact. Therefore, stack canaries are often used together with another stack overrun mitigation - fortified functions. Fortified functions are usually wrappers around standard glibc functions (such as memcpy) which perform boundary checks either at compile time or run time to determine if a memory violation has occurred. The compiler needs additional context to generate such calls (for example, array size that needs to be known at compile time). Because of this, the compiler will virtually never substitute all viable functions with their fortified counterparts in complex programs. However, when combined with the stack canary, fortified functions provide a good measure of buffer overrun protection.Prevalence in npm community
0 packages
found in
Top 100
1 packages
found in
Top 1k
71 packages
found in
Top 10k
9294 packages
in community
Next steps
Presence of some input functions may indicate use of unsafe programming practices, and you should avoid it if possible.
In GCC, enable fortified functions with -fstack-protector and -D_FORTIFY_SOURCE=2 flag, while using at least -O1 optimization level.
Detected Linux executable files that do not implement the ASLR vulnerability mitigation protection.
Causes risk: baseline mitigations missing
hardening
Problem
ASLR (address-space layout randomization) is a mitigation technique that increases the difficulty of performing buffer-overflow attacks that require the attacker to know the address of the program in memory. This is done by loading the program at a randomly selected address in the process' address space. ASLR-enabled kernels can choose a random load address only for position-independent executables and code.Prevalence in npm community
0 packages
found in
Top 100
2 packages
found in
Top 1k
54 packages
found in
Top 10k
7567 packages
in community
Next steps
To support ASLR, the program must be compiled as position-independent code. In most compilers, this is done by passing the corresponding position-independent flag, such as -fPIC for shared libraries or -fPIE for executables.
Top behaviors
Modifies file/directory permissions.
permissions
Prevalence in npm community
Behavior often found in this community (Common)
6 packages
found in
Top 100
12 packages
found in
Top 1k
318 packages
found in
Top 10k
56078 packages
in community
Sends data on a connected TCP socket.
network
Prevalence in npm community
Behavior often found in this community (Common)
4 packages
found in
Top 100
15 packages
found in
Top 1k
272 packages
found in
Top 10k
43829 packages
in community
Permits an incoming connection on a TCP socket.
network
Prevalence in npm community
Behavior often found in this community (Common)
0 packages
found in
Top 100
2 packages
found in
Top 1k
54 packages
found in
Top 10k
7351 packages
in community
Opens a socket listening for an incoming connection.
network
Prevalence in npm community
Behavior often found in this community (Common)
0 packages
found in
Top 100
1 packages
found in
Top 1k
57 packages
found in
Top 10k
7112 packages
in community
Reads data from files containing SSL certificates installed on the system.
steal
Prevalence in npm community
Behavior uncommon for this community (Uncommon)
0 packages
found in
Top 100
0 packages
found in
Top 1k
16 packages
found in
Top 10k
1984 packages
in community
Top vulnerabilities
Vulnerability Exploitation Lifecycle
(38 Active Vulnerabilities)
35 (35 Fixable)
CVE-2024-24790c
CVE-2025-22871c
CVE-2023-29403h
3 (3 Fixable)
CVE-2023-45288h
CVE-2022-41717m
CVE-2023-29409m
None
None
Exploits Unknown
Exploits Exist
Exploited by Malware
Patching Mandated