Severity: medium · CWE-1104 (Use of Unmaintained Third Party Components) · OWASP A06:2021 (Vulnerable and Outdated Components)

Outdated Dependencies with Known CVEs

npm packages or other dependencies with published security vulnerabilities (CVEs) that haven't been updated, leaving known attack vectors open in your app.

How It Works

When a CVE is published for a package, exploit code often follows within days. If your app runs an old version of `express`, `jsonwebtoken`, or even a transitive dependency you never installed directly, attackers can use the documented exploit as-is. The Veracode 2024 report found 70% of apps had at least one vulnerable dependency.

Vulnerable Code

BAD: package.json pinned to versions with known vulnerabilities (JSON allows no comments, so the label sits outside the file):

{
  "dependencies": {
    "jsonwebtoken": "8.5.1",
    "express": "4.17.1",
    "node-fetch": "2.6.0"
  }
}

Secure Code

# GOOD: run these commands regularly
npm audit                    # lists dependencies with known advisories (CVEs) and their severity
npm audit fix                # applies updates that stay within your declared semver ranges (non-breaking)
npx npm-check-updates -u     # rewrites package.json to the latest versions, including major bumps
npm install && npm test      # reinstall, then run your tests before committing the updated lockfile

Real-World Example

The Log4Shell vulnerability (CVE-2021-44228) hit organizations that hadn't updated log4j in years. Companies scrambled over the holiday season to patch a library buried 5 levels deep in their dependency tree.

How to Prevent It

  • Run npm audit as part of your CI pipeline and fail builds on high/critical CVEs
  • Use Dependabot or Renovate to automate dependency update PRs
  • Pin to exact versions in production and use a lockfile (package-lock.json)
  • Subscribe to security advisories for your critical dependencies
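As an added example (not code from the original page or from any tool it names), the following Node.js script implements the first and third prevention points above: it takes an npm audit report in the npm 7+ JSON shape, fails the gate when anything at or above a chosen severity is present, and flags package.json entries that are not pinned to an exact version. The sample report, the package names, severities, affected ranges and advisory URLs in it, and the sample package.json are all constructed placeholders, not real advisories.

```javascript
// Added example (not code from the original page): a CI gate over an npm audit report,
// plus a pin check for package.json. ASSUMPTIONS: the report shape follows the
// `npm audit --json` output of npm 7+ (auditReportVersion 2); SAMPLE_REPORT and
// SAMPLE_PACKAGE_JSON below are constructed, and their package names, severities,
// ranges and advisory URLs are illustrative placeholders, not real advisories.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Return findings at or above `threshold`, worst first, reduced to what a build log needs.
function gateAudit(report, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const findings = [];
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[vuln.severity] ?? -1) < min) continue;
    // `via` mixes advisory objects (issues in this package itself) with strings naming
    // the dependency through which a transitive issue reaches it.
    const advisories = (vuln.via || []).filter((v) => typeof v === "object");
    const fix = vuln.fixAvailable; // true, false, or { name, version, isSemVerMajor }
    findings.push({
      name: vuln.name,
      severity: vuln.severity,
      direct: Boolean(vuln.isDirect), // declared in package.json vs. pulled in transitively
      range: vuln.range,              // affected version range reported by npm
      fixAvailable: fix !== false,
      breakingFix: typeof fix === "object" && fix !== null && Boolean(fix.isSemVerMajor),
      advisories: advisories.map((a) => a.url),
    });
  }
  findings.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  return findings;
}

// Exit status a CI step should use: non-zero whenever anything passed the gate.
function exitCodeFor(findings) {
  return findings.length > 0 ? 1 : 0;
}

// Dependencies declared with a semver range (^, ~, >=, *, ...) instead of an exact version.
// Exact versions plus a committed lockfile make an install reproducible.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
function findUnpinned(pkg) {
  const unpinned = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) unpinned.push({ field, name, spec });
    }
  }
  return unpinned;
}

// Constructed sample report in the npm 7+ audit shape (illustrative values only).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    jsonwebtoken: {
      name: "jsonwebtoken", severity: "high", isDirect: true,
      via: [{ source: 1001, name: "jsonwebtoken", severity: "high",
              url: "https://example.invalid/advisory/PLACEHOLDER-1", range: "<9.0.0" }],
      effects: [], range: "<9.0.0", nodes: ["node_modules/jsonwebtoken"], fixAvailable: true,
    },
    "tiny-util": {
      name: "tiny-util", severity: "low", isDirect: true,
      via: [{ source: 1002, name: "tiny-util", severity: "low",
              url: "https://example.invalid/advisory/PLACEHOLDER-2", range: "<1.4.0" }],
      effects: [], range: "<1.4.0", nodes: ["node_modules/tiny-util"], fixAvailable: true,
    },
    "widget-parser": {
      // Transitive: vulnerable only through widget-core, and the only fix is a major bump.
      name: "widget-parser", severity: "critical", isDirect: false,
      via: ["widget-core"], effects: [], range: "2.0.0 - 2.3.1",
      nodes: ["node_modules/widget-parser"],
      fixAvailable: { name: "widget-core", version: "3.0.0", isSemVerMajor: true },
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 1, total: 3 } },
};

// Constructed package.json: two of the three runtime dependencies use ranges.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { jsonwebtoken: "8.5.1", express: "^4.17.1", "node-fetch": "~2.6.0" },
  devDependencies: { jest: "29.7.0" },
};

if (typeof require !== "undefined" && require.main === module) {
  const findings = gateAudit(SAMPLE_REPORT, "high");
  for (const f of findings) {
    console.log(`${f.severity.toUpperCase()} ${f.name} (${f.direct ? "direct" : "transitive"}, ` +
                `${f.range}) fix: ${f.fixAvailable ? (f.breakingFix ? "major bump" : "available") : "none"}`);
  }
  for (const u of findUnpinned(SAMPLE_PACKAGE_JSON)) {
    console.log(`unpinned ${u.field}.${u.name}: "${u.spec}"`);
  }
  console.log(`gate exit code would be ${exitCodeFor(findings)}`);
}
```

In a pipeline the report comes from `npm audit --json`, and `npm audit --audit-level=high` on its own already exits non-zero at that level. The reason to parse the JSON anyway is the context a plain exit code drops: whether a finding is a direct or transitive dependency, and whether the only available fix is a breaking major bump (the `isSemVerMajor` case above), which decides whether `npm audit fix` will address it or someone has to plan the upgrade.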

Affected Technologies

Node.js, Next.js, React, Python, Go, PHP
