{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,16]],"date-time":"2026-04-16T09:58:01Z","timestamp":1776333481431,"version":"3.51.2"},"reference-count":70,"publisher":"Association for Computing Machinery (ACM)","issue":"PLDI","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Program. Lang."],"published-print":{"date-parts":[[2025,6,10]]},"abstract":"<jats:p>The Node.js ecosystem, with its growing popularity and increasing exposure to security vulnerabilities, has a pressing need for more effective security analysis tools. To reduce false positives, recent works on detecting vulnerabilities in Node.js packages have developed synthesis algorithms to generate proof-of-concept exploits. However, these tools focus mainly on vulnerabilities that can be triggered by a single direct call to an exported function of the analyzed package, failing to generate exploits that require more complex interactions. In this paper, we present Explode.js, the first tool capable of synthesizing exploits that include complex call sequences to trigger vulnerabilities in Node.js packages. By combining static analysis and symbolic execution, Explode.js generates functional exploits that confirm the existence of command, code injection, prototype pollution, and path traversal vulnerabilities, effectively eliminating false positives. The results of evaluating Explode.js on two state-of-the-art datasets of Node.js packages with confirmed vulnerabilities show that it generates significantly more exploits than its main competitor tools. 
Furthermore, when applied to real-world Node.js packages, Explode.js uncovered 44 zero-day vulnerabilities, with 4 new CVEs.<\/jats:p>","DOI":"10.1145\/3729304","type":"journal-article","created":{"date-parts":[[2025,6,13]],"date-time":"2025-06-13T16:02:27Z","timestamp":1749830547000},"page":"1341-1366","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["Automated Exploit Generation for Node.js Packages"],"prefix":"10.1145","volume":"9","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2555-5382","authenticated-orcid":false,"given":"Filipe","family":"Marques","sequence":"first","affiliation":[{"name":"INESC-ID, Lisboa, Portugal"},{"name":"Instituto Superior T\u00e9cnico, Universidade de Lisboa, Lisboa, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5307-4279","authenticated-orcid":false,"given":"Mafalda","family":"Ferreira","sequence":"additional","affiliation":[{"name":"INESC-ID, Lisboa, Portugal"},{"name":"Instituto Superior T\u00e9cnico, Universidade de Lisboa, Lisboa, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-0043-3613","authenticated-orcid":false,"given":"Andr\u00e9","family":"Nascimento","sequence":"additional","affiliation":[{"name":"INESC-ID, Lisboa, Portugal"},{"name":"Instituto Superior T\u00e9cnico, Universidade de Lisboa, Lisboa, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7191-5895","authenticated-orcid":false,"given":"Miguel E.","family":"Coimbra","sequence":"additional","affiliation":[{"name":"INESC-ID, Lisboa, Portugal"},{"name":"Instituto Superior T\u00e9cnico, Universidade de Lisboa, Lisboa, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9938-0653","authenticated-orcid":false,"given":"Nuno","family":"Santos","sequence":"additional","affiliation":[{"name":"INESC-ID, Lisboa, Portugal"},{"name":"Instituto Superior T\u00e9cnico, Universidade de Lisboa, Lisboa, 
Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8160-349X","authenticated-orcid":false,"given":"Limin","family":"Jia","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5077-300X","authenticated-orcid":false,"given":"Jos\u00e9","family":"Fragoso Santos","sequence":"additional","affiliation":[{"name":"INESC-ID, Lisboa, Portugal"},{"name":"Instituto Superior T\u00e9cnico, Universidade de Lisboa, Lisboa, Portugal"}]}],"member":"320","published-online":{"date-parts":[[2025,6,13]]},"reference":[{"key":"e_1_2_2_1_1","volume-title":"Proceedings of the 27th USENIX Security Symposium (SEC \u201918)","author":"Alhuzali Abeer","unstructured":"Abeer Alhuzali, Rigel Gjomemo, Birhanu Eshete, and V. N. Venkatakrishnan. 2018. NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications. In Proceedings of the 27th USENIX Security Symposium (SEC \u201918). USENIX Association, Baltimore, MD. 377\u2013392. 
isbn:978-1-939133-04-5"},{"key":"e_1_2_2_2_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-71209-1_12"},{"key":"e_1_2_2_3_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10009-008-0090-1"},{"key":"e_1_2_2_4_1","doi-asserted-by":"publisher","DOI":"10.22152\/programming-journal.org\/2025\/9\/3"},{"key":"e_1_2_2_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00083"},{"key":"e_1_2_2_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3340456"},{"key":"e_1_2_2_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/3182657"},{"key":"e_1_2_2_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/3447852.3458718"},{"key":"e_1_2_2_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00096"},{"key":"e_1_2_2_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2023.3286301"},{"key":"e_1_2_2_11_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102745"},{"key":"e_1_2_2_12_1","volume-title":"Proceedings of the 29th USENIX Conference on Security Symposium (SEC\u201920)","author":"Brown Fraser","year":"2020","unstructured":"Fraser Brown, Deian Stefan, and Dawson Engler. 2020. Sys: a static\/symbolic tool for finding good bugs in good (browser) code. In Proceedings of the 29th USENIX Conference on Security Symposium (SEC\u201920). USENIX Association, USA. 199\u2013216. isbn:978-1-939133-17-5"},{"key":"e_1_2_2_13_1","doi-asserted-by":"publisher","DOI":"10.5555\/1855741.1855756"},{"key":"e_1_2_2_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/1180405.1180445"},{"key":"e_1_2_2_15_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.241636"},{"key":"e_1_2_2_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP57164.2023.00068"},{"key":"e_1_2_2_17_1","doi-asserted-by":"publisher","DOI":"10.5555\/1792734.1792766"},{"key":"e_1_2_2_18_1","unstructured":"Devon Govett and Parcel contributors. 2021. Parcel \u2013 The zero configuration build tool for the web.. 
https:\/\/parceljs.org visited on 2024-11-11"},{"key":"e_1_2_2_19_1","unstructured":"ECMA International. 2025. ECMAScript\u00ae 2025 Language Specification. https:\/\/tc39.es\/ecma262\/ visited on 2025-03-25"},{"key":"e_1_2_2_20_1","unstructured":"Chris Eppstein Scott Davis Miriam Suzanne Brandon Mathis and Nico Hagenburger. 2024. Compass Stylesheet Authoring Framework. https:\/\/github.com\/Compass\/compass visited on 2024-11-13"},{"key":"e_1_2_2_21_1","unstructured":"Evan Wallace. 2020. esbuild - An extremely fast bundler for the web. https:\/\/esbuild.github.io\/ visited on 2024-11-11"},{"key":"e_1_2_2_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179395"},{"key":"e_1_2_2_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3656394"},{"key":"e_1_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3385412.3386014"},{"key":"e_1_2_2_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3236950.3236956"},{"key":"e_1_2_2_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3290379"},{"key":"e_1_2_2_27_1","volume-title":"HIJaX: Human Intent to Javascript XSS Generator","author":"Frempong Yaw","unstructured":"Yaw Frempong. 2022. HIJaX: Human Intent to Javascript XSS Generator. The University of North Carolina at Charlotte. http:\/\/ninercommons.charlotte.edu\/record\/2205"},{"key":"e_1_2_2_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274723"},{"key":"e_1_2_2_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3236454.3236502"},{"key":"e_1_2_2_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/1065010.1065036"},{"key":"e_1_2_2_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/2093548.2093564"},{"key":"e_1_2_2_32_1","unstructured":"Google. 2008. V8 JavaScript Engine. 
https:\/\/chromium.googlesource.com\/v8\/v8.git visited on 2024-11-13"},{"key":"e_1_2_2_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510228"},{"key":"e_1_2_2_34_1","first-page":"17","volume-title":"Proceedings of the 29th USENIX Security Symposium (SEC \u201920)","author":"Ispoglou Kyriakos","year":"2020","unstructured":"Kyriakos Ispoglou, Daniel Austin, Vishwath Mohan, and Mathias Payer. 2020. FuzzGen: Automatic Fuzzer Generation. In Proceedings of the 29th USENIX Security Symposium (SEC \u201920). 2271\u20132287. isbn:978-1-939133-17-5"},{"key":"e_1_2_2_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/1529282.1529711"},{"key":"e_1_2_2_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179352"},{"key":"e_1_2_2_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2878020"},{"key":"e_1_2_2_38_1","volume-title":"Proceedings of the 30th USENIX Security Symposium (SEC \u201921)","author":"Khodayari Soheil","year":"2021","unstructured":"Soheil Khodayari and Giancarlo Pellegrino. 2021. JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals. In Proceedings of the 30th USENIX Security Symposium (SEC \u201921). USENIX Association, Boston, MA. 2525\u20132542. isbn:978-1-939133-24-3"},{"key":"e_1_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-36577-X_40"},{"key":"e_1_2_2_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516703"},{"key":"e_1_2_2_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635913"},{"key":"e_1_2_2_42_1","doi-asserted-by":"publisher","DOI":"10.1186\/s42400-018-0002-y"},{"key":"e_1_2_2_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/2483760.2483778"},{"key":"e_1_2_2_44_1","volume-title":"Proceedings of the 31st USENIX Security Symposium (SEC \u201922)","author":"Li Song","year":"2022","unstructured":"Song Li, Mingqing Kang, Jianwei Hou, and Yinzhi Cao. 2022. Mining Node.js Vulnerabilities via Object Dependence Graph and Query. 
In Proceedings of the 31st USENIX Security Symposium (SEC \u201922). USENIX Association, Boston, MA. 143\u2013160. isbn:978-1-939133-31-1"},{"key":"e_1_2_2_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3092282.3092295"},{"key":"e_1_2_2_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2019.2946563"},{"key":"e_1_2_2_47_1","doi-asserted-by":"publisher","unstructured":"Filipe Marques Mafalda Ferreira Andr\u00e9 Nascimento Miguel E. Coimbra Nuno Santos Limin Jia and Jos\u00e9 Fragoso Santos. 2025. Automated Exploit Generation for Node.js Packages. https:\/\/doi.org\/10.5281\/zenodo.15225072 10.5281\/zenodo.15225072","DOI":"10.5281\/zenodo.15225072"},{"key":"e_1_2_2_48_1","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.ECOOP.2022.11"},{"key":"e_1_2_2_49_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23309"},{"key":"e_1_2_2_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3338933"},{"key":"e_1_2_2_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2007.37"},{"key":"e_1_2_2_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2786805.2803191"},{"key":"e_1_2_2_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133959"},{"key":"e_1_2_2_54_1","volume-title":"L\u00e9o Andr\u00e8s, Arthur Carcano, Pierre Chambart, Nuno Santos, and Jos\u00e9 Fragoso Santos.","author":"Pereira Jo\u00e3o Madeira","year":"2024","unstructured":"Jo\u00e3o Madeira Pereira, Filipe Marques, Pedro Ad\u00e3o, Hichem Rami Ait El Hara, L\u00e9o Andr\u00e8s, Arthur Carcano, Pierre Chambart, Nuno Santos, and Jos\u00e9 Fragoso Santos. 2024. Smt.ml: A Multi-Backend Frontend for SMT Solvers in OCaml. https:\/\/inria.hal.science\/hal-04761767"},{"key":"e_1_2_2_55_1","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.ECOOP.2023.24"},{"key":"e_1_2_2_56_1","unstructured":"Ryan Dahl and OpenJS Foundation. 2009. Node.js JavaScript Runtime. 
https:\/\/github.com\/nodejs\/node visited on 2014-11-13"},{"key":"e_1_2_2_57_1","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.ECOOP.2020.28"},{"key":"e_1_2_2_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/2491411.2494598"},{"key":"e_1_2_2_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/2786805.2786830"},{"key":"e_1_2_2_60_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24610"},{"key":"e_1_2_2_61_1","volume-title":"Proceedings of the 27th USENIX Security Symposium (SEC \u201918)","author":"Staicu Cristian-Alexandru","year":"2018","unstructured":"Cristian-Alexandru Staicu and Michael Pradel. 2018. Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers. In Proceedings of the 27th USENIX Security Symposium (SEC \u201918). USENIX Association, Baltimore, MD. 361\u2013376. isbn:978-1-939133-04-5"},{"key":"e_1_2_2_62_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23071"},{"key":"e_1_2_2_63_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417267"},{"key":"e_1_2_2_64_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23368"},{"key":"e_1_2_2_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/3689733"},{"key":"e_1_2_2_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/3453483.3454084"},{"key":"e_1_2_2_67_1","unstructured":"Tobias Koppers Sean Larkin Johannes Ewald Juho Veps\u00e4l\u00e4inen Kees Kluskens and Webpack contributors. 2014. Webpack Bundler. https:\/\/webpack.js.org\/ visited on 2024-11-11"},{"key":"e_1_2_2_68_1","doi-asserted-by":"publisher","unstructured":"Fish Wang and Yan Shoshitaishvili. 2017. Angr - The Next Generation of Binary Analysis. In 2017 IEEE Cybersecurity Development (SecDev \u201917). 8\u20139. 
https:\/\/doi.org\/10.1109\/SecDev.2017.14 10.1109\/SecDev.2017.14","DOI":"10.1109\/SecDev.2017.14"},{"key":"e_1_2_2_69_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2020.2989171"},{"key":"e_1_2_2_70_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.44"}],"container-title":["Proceedings of the ACM on Programming Languages"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3729304","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,16]],"date-time":"2025-07-16T06:03:50Z","timestamp":1752645830000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3729304"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,10]]},"references-count":70,"journal-issue":{"issue":"PLDI","published-print":{"date-parts":[[2025,6,10]]}},"alternative-id":["10.1145\/3729304"],"URL":"https:\/\/doi.org\/10.1145\/3729304","relation":{},"ISSN":["2475-1421"],"issn-type":[{"value":"2475-1421","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,6,10]]},"assertion":[{"value":"2024-11-15","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-03-06","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-06-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}