Well, skimming the vulnerabilities [1], I didn't really see anything too interesting. Consider this "eval_remote" vulnerability:<p><pre><code> var e = require("express");
var DVNA = e();
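DVNA.get('/', function(req, res) {
  // Deliberately vulnerable: the query parameter "e" is passed to eval().
  // Stored in "result" so the response object "res" is not overwritten.
  var result = eval("("+req.query.e+")");
  res.send('Parameter eval():<br> ' + result);
});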
DVNA.listen(6666);
</code></pre>
Yes, if you eval your requests that is a vulnerability, but it is a trivial one. I was expecting some side-channel esoteric stuff that, reading the code, you wouldn't necessarily see the problem.<p>1 - <a href="https://github.com/quantumfoam/DVNA/tree/master/vulnerabilities" rel="nofollow">https://github.com/quantumfoam/DVNA/tree/master/vulnerabilit...</a>
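
For contrast with the snippet quoted in the comment above, here is an added example (not part of the comment and not DVNA's code) of the same route logic with the query value treated as data rather than code. The names `renderParam`, `escapeHtml` and `MAX_LEN` are hypothetical, and the 256-character limit is an assumption.

```javascript
// Added example, not DVNA code: the "e" query value is parsed as data,
// type-checked, and HTML-escaped before it is reflected into the response.
const MAX_LEN = 256; // assumed limit for this example

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Returns { status, body } so the logic can be tested without a server.
function renderParam(raw) {
  // Express may hand back an array or object for repeated or bracketed
  // parameters, so only a non-empty, bounded string is accepted.
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > MAX_LEN) {
    return { status: 400, body: 'Bad parameter' };
  }
  let value;
  try {
    value = JSON.parse(raw); // parses data only; nothing is executed
  } catch (err) {
    return { status: 400, body: 'Parameter is not valid JSON' };
  }
  // Allow-list scalar types; objects, arrays and null are rejected.
  const t = typeof value;
  if (value === null || !(t === 'number' || t === 'string' || t === 'boolean')) {
    return { status: 400, body: 'Unsupported value type' };
  }
  return { status: 200, body: 'Parameter:<br> ' + escapeHtml(value) };
}

// Express wiring, mirroring the quoted route:
//   DVNA.get('/', function(req, res) {
//     var r = renderParam(req.query.e);
//     res.status(r.status).send(r.body);
//   });
```
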