Overview
Versions of verdaccio prior to 3.12.0 are vulnerable to Cross-Site Scripting (XSS). The link that the web UI renders for a package's homepage is not restricted to the http and https schemes, so a package whose homepage field carries a javascript: URL causes attacker-controlled JavaScript to run in the browser of any user who clicks that link, in the origin of the registry's web UI.
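As an added example (not verdaccio's own code), the JavaScript below contrasts the vulnerable pattern, placing the homepage string from package metadata straight into an anchor's href, with a hardened version that allowlists the http and https schemes before rendering. The function names, the escaping helper and the sample homepage values are all constructed for this illustration; the scheme check relies on the WHATWG URL parser built into Node.js and browsers, which lowercases the scheme and strips the whitespace and tab/newline characters attackers use to disguise javascript: URLs.

```javascript
// Added example, not verdaccio code: scheme allowlisting for a package's
// "homepage" field before it is rendered as a link in a registry web UI.

// Vulnerable pattern: the metadata value goes into href unchanged, so
// "javascript:alert(document.cookie)" becomes a clickable script.
function renderHomepageLinkUnsafe(homepage) {
  return `<a href="${homepage}">Homepage</a>`;
}

const SAFE_PROTOCOLS = new Set(["http:", "https:"]);

// Returns true only for absolute URLs whose scheme is http or https.
// new URL() applies the WHATWG parser: leading/trailing whitespace is
// trimmed, embedded tab and newline characters are removed, and the scheme
// is lowercased, so " JavaScript:..." and "java\tscript:..." both resolve to
// protocol "javascript:" and are rejected. Values that fail to parse at all
// (relative paths, protocol-relative "//host", empty or non-string input)
// are rejected as well.
function isSafeHomepageUrl(homepage) {
  if (typeof homepage !== "string") return false;
  let parsed;
  try {
    parsed = new URL(homepage);
  } catch {
    return false;
  }
  return SAFE_PROTOCOLS.has(parsed.protocol);
}

// Minimal HTML attribute escaping so a validated href cannot close its
// quotes and inject further attributes.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: validate the scheme first, then escape the normalized
// URL. Rejected values degrade to plain text instead of a link.
function renderHomepageLink(homepage) {
  if (!isSafeHomepageUrl(homepage)) {
    return "<span>Homepage: (no valid link)</span>";
  }
  const normalized = new URL(homepage).href;
  return `<a href="${escapeAttr(normalized)}" rel="noopener noreferrer">Homepage</a>`;
}

// Constructed sample values a package manifest might carry (not real packages).
const SAMPLE_HOMEPAGES = [
  "https://github.com/verdaccio/verdaccio",
  "http://example.com/project",
  "javascript:alert(document.cookie)",
  " JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "//evil.example/",
  "",
];

// Returns a map of sample value -> verdict, used for the printed demo.
function classifySamples(samples) {
  const verdicts = {};
  for (const value of samples) {
    verdicts[value] = isSafeHomepageUrl(value) ? "allowed" : "rejected";
  }
  return verdicts;
}

for (const [value, verdict] of Object.entries(classifySamples(SAMPLE_HOMEPAGES))) {
  console.log(`${verdict.padEnd(8)} ${JSON.stringify(value)}`);
}
```

The important design point is to allowlist schemes rather than block "javascript:" by string matching: the parser-based check covers case variations, surrounding whitespace and embedded control characters in one place, and it also turns away data: and other non-web schemes that a blocklist would miss.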
Remediation
Upgrade to version 3.12.0 or later.
Advisory timeline
Reported by Adam Baldwin: May 1st, 2019
Advisory published: May 27th, 2019