JavaScript Security: Common Vulnerabilities and How to Fix Them

JavaScript runs in more environments than any other language—browsers, servers (Node.js), mobile apps, desktop applications, and serverless functions. Each environment exposes a different attack surface, but several vulnerability classes are universal.

The most prevalent JavaScript security vulnerabilities include:

• Cross-site scripting (XSS) (CWE-79): The dominant client-side vulnerability. DOM-based XSS through innerHTML, document.write(), and outerHTML assignments allows attackers to execute arbitrary JavaScript in a victim's browser, stealing sessions and credentials.
• Prototype pollution (CWE-1321): JavaScript's prototype chain means modifying Object.prototype affects every object in the application. Unsafe merge and deep-clone functions are the primary vector.
• Injection attacks: SQL injection through string concatenation in database queries, NoSQL injection in MongoDB queries, and command injection via child_process.exec() with unsanitized input.
• Insecure use of eval() (CWE-95): Dynamic code execution through eval(), Function(), setTimeout(string), and setInterval(string) enables code injection when processing user input.
• Supply chain attacks: The npm ecosystem's deep dependency trees create a massive attack surface. Typosquatting, dependency confusion, and compromised maintainer accounts have all been exploited.

JavaScript's dynamic typing, implicit coercion, and prototype-based inheritance create vulnerability classes that do not exist in statically typed languages.

Understanding attack mechanics helps explain why JavaScript vulnerabilities are so dangerous and why generic linters miss them.

DOM-Based XSS

Unlike reflected or stored XSS, DOM-based XSS never touches the server. The attack payload flows entirely through client-side JavaScript:

// Attacker crafts URL: https://example.com/#<img onerror=alert(1) src=x>
const hash = window.location.hash.substring(1);
document.getElementById('content').innerHTML = hash; // XSS

The payload executes in the victim's browser context with full access to cookies, localStorage, and the DOM.

Prototype Pollution

Attackers exploit unsafe object merging to inject properties into Object.prototype:

// Unsafe merge function
function merge(target, source) {
  for (const key in source) {
    if (typeof source[key] === 'object') {
      merge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
}
// Attacker sends: {"__proto__": {"isAdmin": true}}
merge({}, JSON.parse(userInput));
// Now every object has obj.isAdmin === true

Command Injection in Node.js

// VULNERABLE: User input directly in shell command
const { execSync } = require('child_process');
execSync('git log --author=' + req.query.author);
// Attacker sends: author=x; rm -rf /

These attacks exploit JavaScript-specific behaviors—prototype chains, dynamic shell execution, and DOM manipulation—that require language-aware security analysis to detect.

JavaScript vulnerabilities have caused some of the largest security incidents in software history:

• British Airways (2018): Attackers injected malicious JavaScript into the BA website through a supply chain compromise, skimming 380,000 payment card details. The attack exploited cross-site scripting vectors and resulted in a $230 million GDPR fine.
• event-stream (2018): A trusted npm package with 2 million weekly downloads was compromised when a new maintainer injected code targeting a cryptocurrency wallet application. The attack was surgically targeted and went undetected for weeks.
• ua-parser-js (2021): Three malicious versions of a package with 8 million weekly downloads installed cryptominers on Linux and credential stealers on Windows. The compromised versions were live for only 4 hours but affected millions of CI/CD pipelines.
• Magecart attacks (2018-present): A family of JavaScript injection attacks targeting e-commerce payment pages. Over 2 million websites have been affected, with attackers injecting card-skimming scripts through vulnerable third-party dependencies.

The common thread is JavaScript's execution model: it runs with full access to the page or server context, and its dependency ecosystem creates deep trust chains that attackers exploit.

CodeSlick's JavaScript analyzer performs 28 security checks purpose-built for JavaScript's unique threat model:

• XSS detection: Identifies innerHTML, document.write(), outerHTML, and unsafe event handler assignments with user-controlled data.
• Prototype pollution: Detects unsafe recursive merge, deep clone, and property assignment patterns that allow __proto__ manipulation.
• Injection analysis: SQL injection, NoSQL injection, command injection via exec()/execSync(), and code injection via eval()/Function().
• Supply chain scanning: Flags 66 known malicious npm packages and checks dependencies against OSV.dev for known vulnerabilities.
• Secrets detection: 38 patterns covering AWS keys, GitHub tokens, Stripe keys, JWTs, and database connection strings.
• AI code detection: 150 signals identifying LLM-generated JavaScript including hallucinated APIs, fabricated package names, and insecure patterns from Copilot and ChatGPT.

All findings include CWE classification, CVSS 3.1 severity scoring, and OWASP Top 10:2025 mapping. AI-powered fix suggestions generate secure replacement code specific to each vulnerability context. Scan your JavaScript at /analyze in under 3 seconds.