Written by Pete Corey on Oct 13, 2015.

This past month was a good month for Package Scan.

Not only did I release the Package Scan Web Tool, but the project also saw its first community contributions! Evolross and Charles Watson both found vulnerable packages in the wild and added alerts to Package Scan.


Charles found an issue with older versions of babrahams:editable-json (<= 0.5.1) that allows for any user to run arbitrary updates on any document in any collection. This means that a user could potentially run an update on their own user document to give themselves administrator permissions:

Meteor.call("editableJSON_update", "users", Meteor.userId(), {
  $set: {
    roles: ["admin"]
  }
});

Evolross reported an ongoing issue with the current version of cfs:standard-packages. Exceptions in your transformWrite callbacks can trigger repeated server crashes as CollectionFS attempts to transform the file on each server restart. These exceptions can easily be triggered by users uploading files of unexpected types that blow up when passed into gm. Using this bug, an attacker could easily orchestrate a Denial of Service attack against your application.

Because of the ubiquity of CollectionFS (57,000 app installs on Atmosphere), and because this setup is explicitly described in the documentation, I felt this warranted a Package Scan alert.

Take a look at the Github issue and another related issue with a helpful work-around.


If you find a vulnerable Meteor package in the wild, submit an alert to help the community!

Also be sure to add east5th:package-scan to your Meteor project, or use the drag & drop web tool to stay up to date on the latest Meteor security alerts.

meteor add east5th:package-scan