# Node.js Security Threats

Security vulnerabilities and detection rules for Node.js: 125 rules across 71 CWE categories.

- Total rules: 125
- CWE categories: 71
- Critical rules: 23
- High severity: 54

## Frameworks

- Express
- Fastify
- Nodejs
- Nextjs
- Koa
- Nestjs
- Hapi
- Lambda
- Serverless
- Prisma
- Trpc
- Typeorm
- Typescript
- Graphql
- All
- Next
- Angular
- Tests

## Top CWEs

- **CWE-20**: Improper Input Validation
- **CWE-200**: Exposure of Sensitive Information to an Unauthorized Actor
- **CWE-704**: Incorrect Type Conversion or Cast
- **CWE-798**: Use of Hard-coded Credentials
- **CWE-89**: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- **CWE-79**: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- **CWE-94**: Improper Control of Generation of Code ('Code Injection')
- **CWE-285**: Improper Authorization
- **CWE-639**: Authorization Bypass Through User-Controlled Key
- **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- **CWE-117**: Improper Output Neutralization for Logs
- **CWE-209**: Generation of Error Message Containing Sensitive Information
- **CWE-327**: Use of a Broken or Risky Cryptographic Algorithm
- **CWE-400**: Uncontrolled Resource Consumption
- **CWE-502**: Deserialization of Untrusted Data
- **CWE-601**: URL Redirection to Untrusted Site ('Open Redirect')
- **CWE-770**: Allocation of Resources Without Limits or Throttling
- **CWE-915**: Improperly Controlled Modification of Dynamically-Determined Object Attributes
- **CWE-918**: Server-Side Request Forgery (SSRF)
- **CWE-1104**: Use of Unmaintained Third Party Components