Js Unsafe Module Inclusion
Description
Detects unsafe module inclusion in Express.js applications: a require() call or dynamic import() whose specifier is built from a variable, and in particular from request data. If an attacker controls the specifier, they choose which code the Node.js process loads and executes: any file the process can read (through an absolute path or "../" traversal), and with dynamic import() even an inline module supplied as a data: URL, which needs no file on disk at all. The result is Remote Code Execution with the privileges of the Node.js process.
Detection Strategy
• Check if the application uses the Express.js framework
• Look for module import statements or require() calls that use dynamic/variable paths
• Verify if the import path contains user-controlled input or variables
• Report a vulnerability if an unsafe module import is found in an Express.js application
Vulnerable code example
const express = require('express');
const app = express();
// express.json() is required, otherwise req.body is undefined
app.post('/execute', express.json(), async (req, res) => {
const modulePath = req.body.modulePath;
// VULNERABLE: Unsanitized user input used in dynamic import
const module = await import(modulePath);
res.send('Done');
});
app.listen(3000);
✅ Secure code example
const express = require('express');
const app = express();
app.post('/execute', express.json(), async (req, res) => {
const modulePath = req.body.modulePath;
// SECURE: Whitelist of allowed modules with their full paths
const allowedModules = {
'mailer': './modules/mailer.js',
};
// Only an exact allowlist key is accepted; the request value itself never reaches import()
if (!Object.prototype.hasOwnProperty.call(allowedModules, modulePath)) {
return res.status(400).send('Unknown module');
}
const module = await import(allowedModules[modulePath]);
res.send('Done');
});