Share
## https://sploitus.com/exploit?id=14E2ED38-97CB-56EA-A549-00565918FEC9
# node-vulnerable

This repository is a **synthetic demo target** for [Endor Labs EXPOSURE](https://endorlabs.com/exposure).

- The current state is **deliberately exploitable**. EXPOSURE will report an
  exploitable verdict against it.
- Tracked CVEs:
  - `CVE-2018-21268` โ€” traceroute command injection via the `host` argument. **Exploitable** in this baseline (no input validation). No upstream fix.
  - `CVE-2018-3757` โ€” pdf-image command injection via the file-path argument. **Not exploitable** in this baseline (the `/render` route regex-validates the path before constructing `PDFImage`). No upstream fix.
- A demo PR opened by EXPOSURE swaps `src/main.js` for a hardened variant that
  adds a strict hostname regex before `traceroute.trace`, closing the
  compensating-control lane โ€” *without* upgrading the vulnerable dependency.
- The customer effort to apply the fix is **one click** (review + merge).

This repo is not a production application. It exists only to anchor the
EXPOSURE "click โ†’ real PR opens" demo against a real GitHub repository.