Severity: moderate

Cross-Site Scripting



Versions of verdaccio prior to 3.12.0 are vulnerable to Cross-Site Scripting. Links for the packages homepage are not properly restricted to http/https and can contain JavaScript which may lead to arbitrary code execution.


Upgrade to version 3.12.0 or later.

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory Published
    May 27th, 2019
  2. reported

    Reported by Adam Baldwin
    May 1st, 2019