~ 3 min read

Protecting Against Common Node.js Vulnerabilities

share this story on
Node.js applications can be vulnerable to issues like command injection, path traversal, and insecure APIs. Learn how to avoid these common Node.js security pitfalls.

As a Node.js developer, keeping your applications secure is crucial. Node applications can be vulnerable to issues like command injection, path traversal, and insecure APIs. In this post, we’ll explore some common Node.js security pitfalls and how to avoid them.

Defending Against Command Injection

Command injection is one of the most common and dangerous vulnerabilities in Node. A key way this happens is by concatenating unsanitized user input into commands executed by a child process. For example:

const { exec } = require('child_process');

const userInput = process.argv[2];
exec(`git checkout ${userInput}`);

If a malicious user provides input like ; rm -rf /, it could delete critical files. Instead, avoid concatenating user input into commands. Consider using the execFile API which only allows specifying arguments, not arbitrary commands.

The Fastify framework provides some built-in security controls like request and response schema validation that will be helpful to mitigate malicious input. That said, always be careful what input you pass directly to the OS. A schema validation is not enough to prevent command injection.

Defending Against Path Traversal

Another common issue is path traversal attacks, where a user can access files outside an expected directory.

Her’s an example of a more classic use-case of an API endpoint for serving PDF files from disk:

const express = require('express');
const fs = require('fs');

const app = express();

app.get('/users/:userId/files/:fileId', (req, res) => {

  const userId = req.params.userId;
  const fileId = req.params.fileId;

  // In real scenario, look up file path for given user and file ID combo  
  const filePath = `/users/${userId}/files/${fileId}.pdf`;

  fs.readFile(filePath, (err, fileContents) => {
    if (err) {
      return res.status(400).send('Error reading file');



Conducting Secure Code Reviews

Many vulnerabilities can be caught early by conducting peer code reviews before releasing software. When reviewing code, watch for areas where user input is incorporated without sanitization.

Analyze all external data entry points like APIs, CLI arguments, uploaded files, etc. I recommend following these 10 best practices for secure code review of Node.js code to help you get started.

Also carefully review uses of privileges like executing commands, writing files, accessing APIs, etc. Ask questions any time elevated privileges are used. Could this area be exploited? What’s the worst possible input? Code reviews catch issues proactively while code is still easy to change.

Assessing Your Node.js Security Knowledge

Continuously assess your own knowledge of Node.js application security. Do a regular security self-assessment to identify gaps in your understanding. Check that you understand all aspects of the Node.js security model like scope, sandboxing, input validation, secure API usage, etc.

For example, can you find the security issue in this code?

const fastify = require('fastify')();

fastify.get('/downloads', (req, res) => {

  const userFile = req.query.file;

  if (userFile.includes('..') || userFile.includes('/')) {
    return res.status(400).send({error: 'Illegal directory traversal attempt'});

  const fileAbsolutePath = decodeURIComponent(`/downloads/files/${userFile}`);
  fs.readFile(fileAbsolutePath, (err, data) => {
    if (err) {
      return res.status(500).send('Error accessing file');  



If you aren’t sure about the issue or how to fix it, you want to take a look at my book Node.js Secure Coding: Prevention and Exploitation of Path Traversal Vulnerabilities.

Key Vulnerable Node.js APIs to Avoid

Some Node.js APIs have security issues if used improperly. Be cautious with APIs like vm.runInContext, child_process.exec, path.join() and others. Similarly, calling OS commands, writing files, and accessing sensitive environment variables can lead to vulnerabilities if not handled carefully. Consider more secure alternatives like execFile and access controls around privileged operations.

Security must be every Node.js developer’s priority. Follow best practices around input validation, access controls, and peer code reviews. Continuously build your Node.js security knowledge through hands-on training. Making security a habit will help protect both your applications and your users.