management
Must read: https://astconsulting.in/java-script/nodejs/nodejs-security-vulnerabilities-and-how-to-fix
alert for high and critical vulnerabilities
CI/CD build fails for a critical vulnerability; alert when a build fails because of a vulnerability
email alert for high and critical vulnerabilities in project/GitHub code

common vulnerabilities and fixes
common:
package.json > axios, express
OS dependencies > openssl, glibc
CVE = Common Vulnerabilities and Exposures
It’s like a universal ID card for security issues.
format: CVE-[Year]-[Number] --> CVE-2021-44228
to avoid
Injection Attacks: These occur when untrusted data is sent to an interpreter as part of a command or query. Attackers can inject malicious code, leading to data breaches, unauthorized access, or even complete system takeover. SQL injection, NoSQL injection, and command injection are common examples.
Cross-Site Scripting (XSS): XSS vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users. This can lead to session hijacking, website defacement, or redirection to malicious sites. Stored XSS (where the malicious script is permanently stored on the server) and reflected XSS (where the malicious script is part of the request) are the primary types.
Cross-Site Request Forgery (CSRF): CSRF attacks trick users into performing actions they didn’t intend to, such as changing their email address or transferring funds. The attacker leverages the user’s authenticated session to perform these actions.
Authentication and Authorization Issues: Weak authentication schemes, predictable passwords, and improper authorization checks can grant unauthorized access to sensitive data and functionality. This includes vulnerabilities like insecure password storage, insufficient authentication strength, and broken access control.
Denial of Service (DoS) and Distributed Denial of Service (DDoS): DoS attacks overwhelm a system with traffic, making it unavailable to legitimate users. DDoS attacks are similar but originate from multiple sources, making them harder to mitigate. NodeJS’s single-threaded nature can make it particularly vulnerable to DoS attacks if not properly handled.
Insecure Dependencies: NodeJS projects often rely on numerous third-party modules. Vulnerabilities in these dependencies can be exploited to compromise the entire application. This highlights the importance of dependency management and security scanning.
Path Traversal: This vulnerability allows an attacker to access files and directories outside of the intended web server root directory. By manipulating file paths in requests, attackers can potentially read sensitive configuration files, source code, or even execute arbitrary code.
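One way to turn the alerting and build-fail rules from the notes above into a CI gate, as an added example that is not part of the original notes: it assumes the JSON shape of `npm audit --json` (npm 7+) and triages a constructed sample report, not real scan output.

```javascript
// Constructed sample in the shape of `npm audit --json` (npm 7+): one entry per
// vulnerable package under "vulnerabilities". The findings are made up for this demo.
const sampleAudit = {
  vulnerabilities: {
    lodash: { name: "lodash", severity: "critical", range: "<4.17.21",
      via: [{ title: "Prototype Pollution" }], fixAvailable: { name: "lodash", version: "4.17.21" } },
    axios: { name: "axios", severity: "high", range: "<0.21.2",
      via: [{ title: "Server-Side Request Forgery" }], fixAvailable: true },
    minimatch: { name: "minimatch", severity: "moderate", range: "<3.0.2",
      via: ["brace-expansion", { title: "Regular Expression Denial of Service" }], fixAvailable: true },
  },
};

// npm's severity scale, ordered so thresholds can be compared numerically.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Policy from the notes: any critical finding fails the build; every high or
// critical finding goes to an alert (email/Slack). Thresholds are configurable.
function triageAudit(report, policy = { failAt: "critical", alertAt: "high" }) {
  const atLeast = (sev, threshold) =>
    (SEVERITY_RANK[sev] ?? -1) >= SEVERITY_RANK[threshold];
  const findings = Object.values(report.vulnerabilities || {}).map((v) => ({
    package: v.name,
    severity: v.severity,
    range: v.range,
    // "via" mixes advisory objects with plain strings naming the transitive
    // dependency a finding arrived through; keep only advisory titles.
    titles: (v.via || []).filter((x) => typeof x === "object").map((x) => x.title),
    fixAvailable: Boolean(v.fixAvailable),
  }));
  const alerts = findings.filter((f) => atLeast(f.severity, policy.alertAt));
  const blockers = findings.filter((f) => atLeast(f.severity, policy.failAt));
  return {
    failBuild: blockers.length > 0,
    alerts,
    // One line per alert, ready to drop into an email or Slack message.
    summary: alerts.map(
      (f) => `${f.severity.toUpperCase()} ${f.package} ${f.range} (${f.titles.join("; ")})` +
        (f.fixAvailable ? " - fix available" : " - no fix yet")
    ),
  };
}

// In CI, pipe `npm audit --json` into this and exit non-zero when failBuild is true.
const demo = triageAudit(sampleAudit);
console.log(demo.summary.join("\n"));
```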
Got it Pavan 👍 – this is exactly how enterprises approach secure SDLC with Node.js + Docker. Let’s go step by step.
🔐 End-to-End Vulnerability Identification & Fix Process
1. Setup for Scanning
Use Snyk (or Trivy, Grype, Anchore) to scan:
package.json → application dependencies
Dockerfile → base image & OS libraries
Run scans in CI/CD pipeline + upload results to Snyk Dashboard.
Configure alerts in GitHub Security tab + optionally Slack/Email.
2. Common Vulnerabilities in Node.js (package.json)
Some frequent CVEs that pop up in enterprise Node.js apps:
Vulnerability | CVE | Severity | Fix
Lodash Prototype Pollution | CVE-2021-23337 | High | Upgrade lodash ≥ 4.17.21
Axios SSRF (server-side request forgery) | CVE-2021-3749 | High | Upgrade axios ≥ 0.21.2
Express DoS via Regex | CVE-2019-5413 | Medium | Upgrade express-validator ≥ 5.3.1
Minimatch Regex DoS | CVE-2016-10540 | Medium | Upgrade minimatch ≥ 3.0.2
Mongoose Prototype Pollution | CVE-2020-24389 | High | Upgrade mongoose ≥ 5.9.10
Fixing Strategy:
Run npm audit fix (automatic patching).
For critical libs, bump versions manually in package.json.
Use snyk wizard to interactively suggest upgrades.
3. Common Vulnerabilities in Docker Images (Dockerfile/Base OS)
Most Docker image vulnerabilities come from outdated base images or OS packages.
Vulnerability | CVE | Severity | Fix
glibc buffer overflow | CVE-2021-33574 | Critical | Use latest Debian/Ubuntu base image
OpenSSL NULL pointer deref | CVE-2022-0778 | High | Upgrade OpenSSL, rebuild image
BusyBox Use-after-free | CVE-2022-28391 | High | Upgrade BusyBox version
curl heap buffer overflow | CVE-2021-22946 | High | Upgrade curl in base image
Bash command injection | CVE-2019-18276 | Medium | Update bash
Fixing Strategy:
Always use minimal base images (node:18-alpine instead of node:18-buster).
Rebuild images frequently (docker build --pull).
Use multi-stage builds → keep only runtime essentials.
Apply apt-get upgrade -y (carefully) in Dockerfile for patched OS packages.
4. Enterprise Best Practices
Shift Left Security → scan code & containers at PR stage.
Dependency Pinning → use package-lock.json to lock versions.
Base Image Strategy → pick a trusted LTS image (e.g., node:18-alpine).
Continuous Monitoring → let Snyk/Dependabot watch for new CVEs.
Patch Lifecycle → establish SLA (e.g., Critical → fix in 24h, High → fix in 7 days).
📊 Consolidated Table – Common Vulnerabilities & Fixes
Layer | Package | CVE | Severity | Fix
Node.js | lodash | CVE-2021-23337 | High | Upgrade ≥ 4.17.21
Node.js | axios | CVE-2021-3749 | High | Upgrade ≥ 0.21.2
Node.js | express-validator | CVE-2019-5413 | Medium | Upgrade ≥ 5.3.1
Node.js | minimatch | CVE-2016-10540 | Medium | Upgrade ≥ 3.0.2
Node.js | mongoose | CVE-2020-24389 | High | Upgrade ≥ 5.9.10
Docker | glibc | CVE-2021-33574 | Critical | Update base image
Docker | OpenSSL | CVE-2022-0778 | High | Upgrade OpenSSL
Docker | BusyBox | CVE-2022-28391 | High | Upgrade BusyBox
Docker | curl | CVE-2021-22946 | High | Upgrade curl
Docker | bash | CVE-2019-18276 | Medium | Upgrade bash
✅ With this, you cover both code & infrastructure security. ✅ Enterprise clients will expect scans + reports + a remediation plan. ✅ Snyk dashboard will show you exactly which CVEs exist in both areas.
Do you want me to also create a GitHub Action workflow that runs these scans, uploads to Snyk, and generates a report artifact (like vulnerabilities-report.html) that you can send to your client?
fix vulnerability
Good one, Pavan 👍
Fixing a vulnerability in a Docker image depends on where the vulnerability comes from. Here’s the breakdown:
🔹 1. Vulnerability in Base Image (most common)
Example:
Scan result shows CVE-2021-3156 (sudo) or outdated openssl.
✅ Fix:
Upgrade to a newer base image tag:
Or use a slim/minimal base (reduces attack surface):
🔹 2. Vulnerability in OS Packages
Example: Your image installs extra tools:
Scan finds curl has a CVE.
✅ Fix:
Always upgrade packages:
Use specific patched versions if available:
Clean up apt cache to reduce risk:
🔹 3. Vulnerability in Application Dependencies (npm, pip, etc.)
If the scan shows Node.js dependency CVEs (lodash, axios, etc.):
✅ Fix in package.json
or upgrade the dependency manually:
Then rebuild the image.
🔹 4. General Best Practices
Pin versions (avoid latest).
Use multi-stage builds to reduce final image size.
Regularly update images (docker build --no-cache).
Rescan after fixes.
⚡ Example Fix Workflow
Suppose scan shows:
CVE-2021-3156 in ubuntu:20.04 (sudo vulnerability).
Fix:
Rebuild + rescan → CVE gone. ✅
👉 Do you want me to show you a before vs after Dockerfile example where I fix a real CVE (say, OpenSSL vulnerability in Alpine/Ubuntu base image)? That way you’ll have a template to apply directly.