What is a Vulnerability
... and What’s Not?
Ulises Gascón
- SWE at NodeSource
- Express.js Technical Committee Member
- Node.js Core Collaborator and releaser
- Yeoman Core Team Member
- OpenJS Security Collaboration Space and Node.js Security WG Member
- OpenJS Cross Project Council Voting Member and TC39 Delegate
@UlisesGascon
@kom_256
@UlisesGascon
https://ulisesgascon.com
What’s is a Vulnerability?
Vulnerabilities are flaws in a computer system that weaken the overall security of the system.
― Wikipedia
Who to blame?
const query = `SELECT * FROM users WHERE name = ${data.name}';`const express = require('express')
const bodyParser = require('body-parser')
const app = express()
const port = 3000
app.post('/', bodyParser.urlencoded({
extended: true, limit: 100000000
}), (req, res) => {
res.send("Hello");
});
app.listen(port, () => {
console.log(`Example app listening on port ${port}`)
})Who to blame?
const Query = `SELECT * FROM users WHERE name = ${data.name}';`const express = require('express')
const bodyParser = require('body-parser')
const app = express()
const port = 3000
app.post('/', bodyParser.urlencoded({
extended: true, limit: 100000000
}), (req, res) => {
res.send("Hello");
});
app.listen(port, () => {
console.log(`Example app listening on port ${port}`)
})❌ Developer: CWE-89 'SQL Injection'
❌ Express fault: CVE-2024-45590
Impact
Patches
body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. a malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.
this issue is patched in 1.20.3
Severity
High 7.5/10
CVE-2024-45590
Threat Models
What is a Threat Model?
🛡️ A threat model is a structured approach to identifying, understanding, and mitigating security risks in a system.
Key Components
- Assets 🎯 – What are we protecting? (e.g., user data, credentials, APIs)
- Threats ⚠️ – What can go wrong? (e.g., injection attacks, XSS, data leaks)
- Attackers 👤 – Who are the potential threats? (e.g., hackers, insiders, bots)
- Trust Boundaries 🚧 – What parts of the system assume security vs. untrusted input?
- Mitigations 🔐 – What defenses do we have? (e.g., authentication, encryption, validation)
Node.js Threat Model
Express Threat Model
What They Trust
- Developers & Infrastructure 👩💻🏢
- Operating System & Configuration 🖥️⚙️
- Validated Inputs ✔️
- Module & File System for Loading Code 📂
What They Do Not Trust
- Untrusted Network Data 🌐
- User Input & External Data 📝
- Third-Party Dependencies 📦
- File System Inputs 🗄️
- Arbitrary Code Execution 💀
Shared responsibility Model
Sounds familiar?
Image from NCSC
Best Practices
- Validate & sanitize input
- Enforce strong authentication & authorization
- Use security headers & protect against web attacks
- Keep dependencies updated & audit third-party packages
- Secure API communication & apply rate limiting
- Protect sessions, cookies & avoid sensitive data exposure
- Handle errors securely & log security events
- Implement security monitoring & continuous assessment
Key Takeaways
Real-World Vulnerabilities
-
Prototype Pollution Attacks 🧬
- Node.js & Express rely on developers to handle input validation.
-
Lack of Default Security Features 🛑
- Express.js does not enable security headers by default—it’s up to the user.
-
Malicious Third-Party Packages 📦
- Node.js & Express do not control what dependencies developers install.
-
Large Files Overloading Resources ⚠️
- Node.js does not limit file sizes from external sources—it trusts the developer to handle this.
Typical scenarios
Conclusion
- Not all security issues are vulnerabilities – Threat models define what is in scope.
- Developers play a key role – Many issues arise from how code is written, not the framework itself.
- Understanding threat models helps prioritize fixes – Not everything is a critical meltdown.
Resources
Dreams are extremely important. You can't do it unless you imagine it.
- George Lucas
