This is a serious issue that allows an attacker to execute arbitrary code in the host user's browser. Before upgrading to npm@6.3.14, ensure you have blocked all types of cross-site scripting in your project. To do this, you can either use the X-XSS-Protection header or the Content-Security-Policy header on your HTTP responses to specify what kind of content the browser will allow. For example, you can set these headers on your responses to prevent script injection, where <base64-nonce> stands for a fresh random value generated for every response:

    X-XSS-Protection: 1; mode=block
    Content-Security-Policy: script-src 'self' 'nonce-<base64-nonce>'; report-uri https://npm.hackerone.com/Report

CVE-2022-0438

This is a serious issue that allows an attacker to execute arbitrary code in the host user's browser. Before upgrading to npm@5.6.0, ensure you have blocked all types of cross-site scripting in your project. To do this, you can either use the X-XSS-Protection header or the Content-Security-Policy header on your HTTP responses to specify what kind of content the browser will allow. For example, you can set these headers on your responses to prevent script injection, where <base64-nonce> stands for a fresh random value generated for every response:

    X-XSS-Protection: 1; mode=block
    Content-Security-Policy: script-src 'self' 'nonce-<base64-nonce>'; report-uri https://npm.hackerone.com/Report

Timeline

Published on: 02/05/2022 02:15:00 UTC
Last modified on: 02/10/2022 13:59:00 UTC

References