POPL 2026
Sun 11 - Sat 17 January 2026 Rennes, France
Mon 12 Jan 2026 16:00 - 16:22 at Salle 13 - Session 3

The Node.js ecosystem has become a critical platform for server-side applications, yet existing security tools still miss many real-world vulnerabilities. In this talk, I will present two recent projects from my group that address this gap: Graph.js (PLDI’24) and Explode.js (PLDI’25).

Graph.js is a new static analysis tool for detecting injection and prototype pollution vulnerabilities in Node.js packages. It relies on a novel abstract domain that enables a carefully calibrated balance between precision and recall on real-world code, outperforming its competitor tools in the state-of-the-art benchmarks. Explode.js is the first tool to synthesise exploits for Node.js packages that require complex, multi-step call sequences. By combining static analysis with symbolic execution, Explode.js automatically generates non-trivial exploits that would otherwise require many hours of manual effort.

Applied to a large set of popular Node.js packages in the wild, Graph.js and Explode.js uncovered 93 previously unknown vulnerabilities, of which 7 were assigned CVEs.
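To make the prototype-pollution class mentioned above concrete, here is an added example that is not part of the talk and is not code from Graph.js or Explode.js: a deep-merge helper in the shape that such analyses flag, beside a hardened version, with a constructed sample input standing in for a parsed request body. The package shape, the function names and the sample input are assumptions; `Object.hasOwn` is assumed to be available (Node.js 16.9 or later).

```javascript
// Added example, not from the talk or the Graph.js/Explode.js projects.
// Vulnerable shape: keys taken from untrusted input are used directly as
// property names, so a key such as "__proto__" walks into Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that can reach a prototype chain through a plain object.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened version: refuse prototype-reaching keys, only recurse into nested
// objects that are the target's *own* properties (an inherited one would be a
// prototype object), and create nested objects with a null prototype so that
// nothing merged inherits from Object.prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) {
      throw new TypeError(`refusing to merge key "${key}"`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample input, as it would arrive from JSON.parse on a request
// body. Note that JSON.parse creates an *own* property named "__proto__".
const SAMPLE = JSON.parse('{"name":"pkg","__proto__":{"polluted":true}}');

// Runs the vulnerable merge on the sample, records whether an unrelated
// object now sees the injected property, and restores Object.prototype.
function probeUnsafeMerge() {
  unsafeMerge({}, SAMPLE);
  const polluted = ({}).polluted === true;   // unrelated object is affected
  delete Object.prototype.polluted;          // clean up the process
  return polluted;
}

// Runs the hardened merge on the same sample: the key is rejected and no
// unrelated object is affected.
function probeSafeMerge() {
  let rejected = false;
  try {
    safeMerge({}, SAMPLE);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  const polluted = ({}).polluted === true;
  return { rejected, polluted };
}

console.log('unsafe merge polluted Object.prototype:', probeUnsafeMerge());
console.log('safe merge result:', probeSafeMerge());
```

The static-analysis view of this is a flow from an untrusted property name into a property write on an object whose prototype chain is shared; the hardened form cuts that flow at the key check and additionally removes the shared chain from the objects it creates.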

Mon 12 Jan

Displayed time zone: Brussels, Copenhagen, Madrid, Paris

16:00 - 17:30
Session 3: TPSA at Salle 13
16:00
22m
Talk
How to identify security vulnerabilities in Node.js packages?
TPSA
José Fragoso Santos INESC-ID; Instituto Superior Técnico - University of Lisbon, Filipe Marques INESC-ID; Instituto Superior Técnico - University of Lisbon, André Nascimento INESC-ID; Instituto Superior Técnico - University of Lisbon
16:22
22m
Talk
Modeling Incorrectness and Unknown Functions with Angelic and Demonic Nondeterminism
TPSA
Noam Zilberstein Cornell University
16:45
22m
Talk
A logic for all reasons
TPSA
Flavio Ascari University of Konstanz, Roberto Bruni University of Pisa, Lorenzo Gazzella Università di Pisa, Roberta Gori Dipartimento di Informatica, Università di Pisa, Italy
17:07
22m
Talk
AMPLE: Fine-grained File Access Policies for Server Applications
TPSA
Seyedhamed Ghavamnia Bloomberg, Julien Vanegue Imperial College London; Bloomberg