JS Library Vulnerability Scanner
Find outdated JavaScript libraries with known CVEs on any public website. Detects 18 libraries (jQuery, Lodash, AngularJS, Next.js, Axios, …) against a curated CVE database — same engine as the /report section.
Detects jQuery, Lodash, AngularJS, Next.js, Axios and 14 more libraries. Matches versions against a curated CVE database.
How to Use the JS Library Scanner
- Paste the URL of the page you want to scan (e.g., https://example.com).
- Click "Scan JS Libraries". The server fetches the page, extracts every <script src>, downloads each script (up to 30, capped at 10 MB total), and fingerprints each one for library name and version.
- Detected libraries appear with their version. Libraries with known CVEs are flagged in red.
- The CVE table lists every finding grouped by severity, with direct links to NVD for full details and the version that fixes the issue.
- Click any CVE to open the NVD page — share the exact identifier with your team for remediation tickets.
How the Scanner Works
The scanner uses the same engine as our browser extension: a curated database of 18 popular JavaScript libraries with CVE-mapped version ranges. For each library, we know the exact versions affected by each CVE — not a simple 'below X' but true range matching (e.g., Next.js CVE-2025-29927 affects 13.0.0 <= v < 14.2.25 AND 15.0.0 <= v < 15.2.3 simultaneously, which naive scanners miss).

Detection uses two strategies: URL regex and body regex. URL regex catches standard CDN-served builds (jquery-3.6.0.min.js, lodash-4.17.21.js). Body regex catches bundled or renamed scripts by looking for the library's version marker inside the minified code (/*! jQuery v3.6.0 */, moment.version = '2.29.4', DOMPurify.version = '3.0.9'). This hybrid approach handles ~95% of real-world deployments, including CDN-hosted libraries, Webpack bundles, and Next.js chunks (__NEXT_DATA__ parsing).

The CVE database is synced with the SecLens browser extension (open source). It covers the most-exploited JS CVEs of the past decade: jQuery XSS (CVE-2020-11022/11023), Lodash prototype pollution (CVE-2019-10744, CVE-2021-23337), AngularJS EOL (Dec 2021), Moment.js path traversal (CVE-2022-24785), Handlebars RCE (CVE-2019-20920, CVE-2021-23369), and the recent Next.js middleware auth bypass (CVE-2025-29927, CVSS 9.1 critical — affects 14.x and 15.x through March 2025).
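The pipeline described above (script extraction with the 30-script / 10 MB caps, URL and body fingerprinting, and multi-range CVE matching), as an added example that is not the scanner's or the SecLens extension's own code. The jQuery, Lodash and Moment version markers are the real ones; the Next.js ranges are the ones quoted on this page; the jQuery, Lodash and Moment affected ranges are taken from NVD and marked as assumptions in the code. The page HTML, script URLs and script bodies are constructed so the block runs offline, with the HTTP fetch replaced by an injected loader function.

```javascript
// Added example, not the scanner's own code: script extraction, URL/body
// fingerprinting and multi-range CVE matching on constructed input.

const MAX_SCRIPTS = 30;                    // per-page cap stated on the page
const MAX_TOTAL_BYTES = 10 * 1024 * 1024;  // total download cap stated on the page

// Pull every <script src> out of the HTML and resolve it against the page URL.
function extractScriptUrls(html, pageUrl) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const urls = [];
  let m;
  while ((m = re.exec(html)) !== null && urls.length < MAX_SCRIPTS) {
    urls.push(new URL(m[1], pageUrl).href);
  }
  return urls;
}

// Minimal numeric semver handling; pre-release tags are ignored here.
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(s);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// A range is [lo, hi): lo <= v < hi. One CVE may carry several ranges.
function inRange(v, [lo, hi]) {
  return compareVersions(v, parseVersion(lo)) >= 0 &&
         compareVersions(v, parseVersion(hi)) < 0;
}

// Strategy 1: URL regex for CDN builds. Strategy 2: body regex for the
// version marker that survives bundling.
const FINGERPRINTS = [
  { lib: 'jquery', url: /jquery-(\d+\.\d+\.\d+)(?:\.min)?\.js/i, body: /\/\*!\s*jQuery v(\d+\.\d+\.\d+)/ },
  { lib: 'lodash', url: /lodash-(\d+\.\d+\.\d+)(?:\.min)?\.js/i, body: /var VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/ },
  { lib: 'moment', url: /moment-(\d+\.\d+\.\d+)(?:\.min)?\.js/i, body: /moment\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/ },
];

const CVE_DB = {
  next:   [{ id: 'CVE-2025-29927', ranges: [['13.0.0', '14.2.25'], ['15.0.0', '15.2.3']] }], // ranges as quoted on the page
  jquery: [{ id: 'CVE-2020-11022', ranges: [['1.2.0', '3.5.0']] }],   // affected range per NVD (assumed here)
  lodash: [{ id: 'CVE-2021-23337', ranges: [['0.0.0', '4.17.21']] }], // fixed in 4.17.21 per NVD (assumed here)
  moment: [{ id: 'CVE-2022-24785', ranges: [['0.0.0', '2.29.2']] }],  // fixed in 2.29.2 per NVD (assumed here)
};

// A bundle may contain several libraries, so return every match.
function fingerprintAll(url, body) {
  const hits = [];
  for (const fp of FINGERPRINTS) {
    const m = fp.url.exec(url) || fp.body.exec(body);
    if (m) hits.push({ lib: fp.lib, version: m[1] });
  }
  return hits;
}

function findCves(lib, version) {
  const v = parseVersion(version);
  if (!v) return [];
  return (CVE_DB[lib] || []).filter(c => c.ranges.some(r => inRange(v, r))).map(c => c.id);
}

// fetchScript is injected so the example runs offline; the real scanner does HTTP.
function scan(html, pageUrl, fetchScript) {
  const findings = [];
  let total = 0;
  for (const url of extractScriptUrls(html, pageUrl)) {
    const body = fetchScript(url);
    total += body.length;                 // byte budget, approximated by string length
    if (total > MAX_TOTAL_BYTES) break;
    for (const fp of fingerprintAll(url, body)) {
      findings.push({ ...fp, url, cves: findCves(fp.lib, fp.version) });
    }
  }
  return findings;
}

// Constructed page and script bodies (nothing is fetched from the network).
const SAMPLE_HTML = '<html><head>' +
  '<script src="https://cdn.example.com/jquery-3.4.1.min.js"></script>' +
  '<script src="/static/vendor.bundle.js"></script>' +
  '<script src="/static/app.js"></script></head></html>';
const SAMPLE_SCRIPTS = {
  'https://cdn.example.com/jquery-3.4.1.min.js': '/*! jQuery v3.4.1 | (c) JS Foundation */ !function(e,t){}',
  'https://www.example.com/static/vendor.bundle.js':
    '!function(){var VERSION = "4.17.21"; /* lodash */ var moment={}; moment.version = \'2.29.1\'; }()',
  'https://www.example.com/static/app.js': 'console.log("app")',
};
const fetchSample = url => SAMPLE_SCRIPTS[url] || '';

console.log(JSON.stringify(scan(SAMPLE_HTML, 'https://www.example.com/', fetchSample), null, 2));
```

The vendor bundle shows why body regexes return every match rather than the first: one chunk carries both Lodash 4.17.21 (clean) and Moment 2.29.1 (flagged), and a first-match fingerprint would have hidden the vulnerable one. The `findCves('next', ...)` calls are where the two disjoint Next.js ranges matter: 14.2.24 and 15.0.0 are flagged, 14.2.25 and 15.2.3 are not.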
Frequently Asked Questions
Four common reasons a library goes undetected: (1) The library is bundled into a webpack chunk and its name/version markers were stripped by terser. This is invisible without the source map. (2) The library isn't in our 18-lib database (we prioritize the most CVE-prone libs). (3) The page uses ES modules that our regex doesn't recognize yet. (4) The script is loaded dynamically after our single fetch completes. For SPAs, the Wayback miner + extension combo usually catches what this tool misses.
A detected CVE means the library version matches a known-vulnerable range. Exploitability depends on HOW your code uses the library. For example, jQuery's CVE-2020-11022 (XSS via </option>) is exploitable only if your code passes untrusted user input directly to .html(). The CVE description in the tool plus the NVD link tell you the attack surface. If you're on a shared CDN and can't update, apply input sanitization (DOMPurify) at the call sites.
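A small call-site audit for the exploitability question above, added here as an example and not part of the scanner: it walks application source looking for jQuery HTML-inserting calls whose argument is neither a plain string literal nor wrapped in DOMPurify.sanitize(), which is the triage you do after the scanner flags a jQuery version. The sample source lines are constructed; the method list and the "literal vs. sanitized vs. other" classification are this example's own simplifications (a real audit would use an AST, not a regex).

```javascript
// Added example, not part of the scanner: flag jQuery HTML-inserting calls
// that receive something other than a constant string or sanitized output.
const SINK_CALL = /\.(html|append|prepend|before|after)\(\s*([^)]*)/g;

function auditJquerySinks(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(SINK_CALL)) {
      const arg = m[2].trim();
      if (arg === '') continue;                       // .html() getter, nothing inserted
      if (/^['"]/.test(arg)) continue;                // plain string literal: constant markup
      if (arg.startsWith('`') && !arg.includes('${')) continue; // template literal without interpolation
      if (/^DOMPurify\.sanitize\(/.test(arg)) continue; // sanitized at the call site
      findings.push({ line: idx + 1, method: m[1], arg });
    }
  });
  return findings;
}

// Constructed sample source: lines 3 and 5 are the ones a reviewer should look at.
const SAMPLE_SOURCE = [
  "$('#title').html('<h1>Dashboard</h1>');",
  "const current = $('#bio').html();",
  "$('#bio').html(profile.bio);",
  "$('#bio').html(DOMPurify.sanitize(profile.bio));",
  "$('#list').append(`<li>${item.name}</li>`);",
].join('\n');

console.log(auditJquerySinks(SAMPLE_SOURCE));
```

Line 4 is the remediation the answer above recommends for a CDN-pinned jQuery: the same data reaches .html(), but only after DOMPurify has processed it, so the audit leaves it alone.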
No — our server fetches the page from the public internet. If you want to scan an internal app, install the SecLens browser extension: it runs entirely in your browser and can scan any site you're logged into, including authenticated routes, internal tools, and staging environments.
Modern SPAs tree-shake aggressively and bundle everything into a handful of opaque chunks. Lodash helpers often survive by name; React's runtime exposes window.React.version; Angular leaves ng-version attributes. But hundreds of smaller libraries get mangled beyond recognition. If you control the build, enable source maps in production (with a .htaccess restriction on .map files) — it makes library scanning dramatically more reliable.
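The .htaccess restriction mentioned above, as an added example that is not from the page or the SecLens project. It assumes Apache 2.4 authorization syntax and a placeholder internal network range; substitute your own range. The bundle keeps its sourceMappingURL comment, so browsers and in-browser scanners run from inside that range can still resolve the .map files while the public internet gets a 403.

```apache
# Added example (not from the page): keep production source maps deployed,
# but serve .map files only to clients on a trusted network.
# 10.0.0.0/8 is a placeholder; replace it with your own internal range.
<FilesMatch "\.map$">
    Require ip 10.0.0.0/8
</FilesMatch>
```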