// wall of bugs caught

10 critical bugs PullLight would have caught in your PRs.

Every card below is a real bug flagged during PR review — CVEs, CWEs, before/after code. No competitors have a page like this. Try it on your own PR →

13 total catches | 10 critical | 3 high | 10 with CVSS ≥ 9 | 5 languages
Severity: critical | Category: deserialization | Language: JavaScript | CVE-2025-55182
RCE via Unvalidated RSC Deserialization
Attacker-controlled React Server Component payload reaches eval()-like deserializer with no validation — full RCE on any server running react2shell.
Before (vulnerable)
// BEFORE (vulnerable)
const component = deserializeRSC(req.body.payload);
render(component);
After (fixed)
// AFTER (fixed)
const validated = validateRSCPayload(req.body.payload);
if (!validated) throw new Error('Untrusted RSC payload');
const component = deserializeRSC(validated);
render(component);
Severity: critical | Category: deserialization | Language: JavaScript | CVE-2026-44005
Prototype Pollution / Sandbox Escape in vm2
vm2's object-bridge between guest and host pollutes Object.prototype via __proto__ in certain assignment patterns — attacker escapes the sandbox and gains access to the host Node.js process.
Before (vulnerable)
// BEFORE (vulnerable)
// Guest code can reach host prototype chain
const obj = vm.run('({__proto__: {polluted: true}})');
After (fixed)
// AFTER (fixed)
// Proxy handler blocks __proto__ assignment at bridge level.
set(target, key, value) {
  if (key === '__proto__') return false;
  return Reflect.set(target, key, value);
}
Severity: critical | Category: rce | Language: JavaScript | CVE-2025-31488
RCE via eval() on Unsanitized Auth Metadata
winston-auth's log formatter calls eval() on a metadata field that can be shaped by auth context — attacker injects JS payload via a crafted authentication header.
Before (vulnerable)
// BEFORE (vulnerable)
const meta = req.auth?.meta || '{}';
const parsed = eval('(' + meta + ')'); // user-controlled!
logger.info('auth', parsed);
After (fixed)
// AFTER (fixed)
const parsed = JSON.parse(req.auth?.meta || '{}');
logger.info('auth', parsed);
Severity: critical | Category: injection | Language: JavaScript | CVE-2025-68428
Path Traversal via Unsanitized File Write
jsPDF's file output helper concatenates user-supplied filenames directly into a filesystem path — allows arbitrary file write outside the intended directory.
Before (vulnerable)
// BEFORE (vulnerable)
const outputPath = path.join(outputDir, userFilename);
fs.writeFileSync(outputPath, pdfBuffer);
After (fixed)
// AFTER (fixed)
const safe = path.basename(userFilename);
const outputPath = path.join(outputDir, safe);
fs.writeFileSync(outputPath, pdfBuffer);
Severity: critical | Category: rce | Language: JavaScript | CVE-2024-21534
Sandbox Escape via unsafe vm.compile
jsonpath-plus passes attacker-controlled expressions to Node.js's vm module via a code path that bypasses the safe-eval flag — full sandbox escape to host process.
Before (vulnerable)
// BEFORE (vulnerable)
const result = vm.runInNewContext(expr, sandbox);
After (fixed)
// AFTER (fixed)
// Validate expr against safe-path allowlist before eval.
if (!isSafeExpression(expr)) throw new Error('Unsafe expression');
const result = vm.runInNewContext(expr, sandbox);
Browse full case studies with diffs & analysis →
Install in 60 seconds — free for OSS. Watch PullLight flag bugs like these in your PRs.
Install on GitHub →