## https://sploitus.com/exploit?id=14E2ED38-97CB-56EA-A549-00565918FEC9
# node-vulnerable
This repository is a **synthetic demo target** for [Endor Labs EXPOSURE](https://endorlabs.com/exposure).
- The current state is **deliberately exploitable**. EXPOSURE will report an
exploitable verdict against it.
- Tracked CVEs:
- `CVE-2018-21268` โ traceroute command injection via the `host` argument. **Exploitable** in this baseline (no input validation). No upstream fix.
- `CVE-2018-3757` โ pdf-image command injection via the file-path argument. **Not exploitable** in this baseline (the `/render` route regex-validates the path before constructing `PDFImage`). No upstream fix.
- A demo PR opened by EXPOSURE swaps `src/main.js` for a hardened variant that
adds a strict hostname regex before `traceroute.trace`, closing the
compensating-control lane โ *without* upgrading the vulnerable dependency.
- The customer effort to apply the fix is **one click** (review + merge).
This repo is not a production application. It exists only to anchor the
EXPOSURE "click โ real PR opens" demo against a real GitHub repository.