Vulnerabilities in NodeJS C/C++ add-on extensions
The research explores C/C++ vulnerabilities in NodeJS npm packages, focusing on the common security weaknesses and vulnerable coding patterns that arise when writing C/C++ add-ons. The study aims to give an overview of these issues and to offer remediation examples for open source maintainers. The researchers used Snyk Code to model scenarios and perform taint analysis, tracking potential security issues across a large set of npm packages, including those that use the NodeJS add-on APIs. The findings include multiple vulnerabilities in packages, primarily memory leaks, unchecked data types, and reachable assertions. The study highlights the importance of handling C/C++ add-ons in NodeJS correctly and provides guidance for maintainers on securing their code.
Company: Snyk
Date published: Aug. 14, 2024
Author(s): Alessio Della Libera
Word count: 2808
Language: English
Hacker News points: None found.