Feng Xiao

Results 4 issues of Feng Xiao

With this vulnerability, an attacker can bypass any security checks enforced by class-validator. When class-validator is used to validate user input, the attributes in the user-input object will be transformed into...

priority: high
type: documentation
flag: needs discussion

We found that the input validation in routing-controllers can be bypassed. With this vulnerability, attackers can launch SQL injection and XSS attacks by injecting malicious inputs. routing-controllers uses class-validator to validate...

type: discussion
priority: high

Hi, we would like to report a potential security vulnerability. The bug is introduced because the package-exported method `encrypt()` fails to sanitize its parameter `input`, which later flows into a...

Hi, we would like to report a potential security vulnerability. The bug is introduced because the package-exported method `create()` fails to sanitize its parameter `options.phantomPath` and lets it flow into...