Js Unsafe Require Module Inclusion
Description
Detects unsafe dynamic module imports in Express.js applications that could lead to remote code execution. When a variable or user-controlled input is used as the argument of require(), an attacker may be able to load arbitrary modules or read files outside the intended directory.
Detection Strategy
• Application must use the Express.js framework (imports 'express' module)
• Identifies require() statements that use variables or expressions rather than static strings
• Checks if the module path in require() could be influenced by external input
• Reports issues when require() arguments can be manipulated to load unintended modules
Vulnerable code example
const express = require('express');
const app = express();
app.get('/plugin', (req, res) => {
  const pluginPath = req.query.name;
  // VULNERABLE: Unsanitized user input passed directly to require()
  const plugin = require(pluginPath);
  plugin.run();
});
✅ Secure code example
const express = require('express');
const app = express();
app.get('/plugin', (req, res) => {
  const pluginName = req.query.name;
  // SECURE: Whitelist of allowed plugins prevents arbitrary file inclusion
  const allowedPlugins = {
    'auth': './plugins/auth.js',
  };
  // Own-property lookup: inherited names like 'constructor' must not match
  if (!Object.prototype.hasOwnProperty.call(allowedPlugins, pluginName)) {
    return res.status(400).send('Unknown plugin');
  }
  require(allowedPlugins[pluginName]).run();
});