@newrelic/security-agent

Publisher: newrelic · Last published: 3m · License: New Relic Software License v1.0 · Version: 2.4.0

New Relic Security Agent for Node.js

instrumentation, IAST, RASP, New Relic Security Agent, Node.js Application Security

readme

New Relic Node.js security agent

Note: Use the IAST capability only in pre-production environments. To confirm that a vulnerability is really exploitable, the agent replays attack (fuzz) requests against the running application, so it must never be enabled on a production deployment.

The New Relic security agent instruments a Node.js application for Interactive Application Security Testing (IAST) and reports the exploitable vulnerabilities it finds.

Installation

Typically, most users use the version auto-installed by the New Relic Node.js agent. You can see agent install instructions here.

In some cases, installing a specific version is ideal. For example, new features or major changes might be released via a major version update to this module, prior to inclusion in the main New Relic Node.js Agent.

npm install @newrelic/security-agent@latest

For more information, see the New Relic Node.js agent installation guide.

The @newrelic/security-agent must be explicitly enabled before it performs any IAST analysis of the application. In newrelic.js, set the following parameters (both flags must be true):

  // newrelic.js
  'use strict'

  exports.config = {
    app_name: ['My Application'],
    license_key: 'license key here',
    /**
     * Security Configurations
     */
    security: {
      /**
       * Enables/disables security agent functions and generation of events.
       * Both security.enabled and security.agent.enabled must be true for
       * IAST analysis to run.
       */
      enabled: true,
      /**
       * To completely disable security, set security.agent.enabled to false.
       * When it is false the security module is not loaded at all. This
       * property is read only once, at application start.
       */
      agent: {
        enabled: true
      }
    }
  }

Getting Started

The Developer docs for writing instrumentation will be of help. We particularly recommend the tutorials and the shim API documentation.

Supported Node.js Versions

  • Node.js 18.x, 20.x and 22.x

Supported Modules

For more information, please see New Relic Node.js agent compatibility and requirements.

Supported Vulnerabilities

  • Remote Code Execution
  • SQL Injection
  • NoSQL Injection
  • Stored XSS
  • Reflected XSS
  • Reverse Shell attack
  • File Access
  • SSRF
  • Application Integrity Violation
  • LDAP Injection
  • XPath Injection

Testing

The module includes a suite of unit and functional tests which should be used to verify that your changes don't break existing functionality.

All tests are stored in tests/ and are written using Tap with the extension .tap.js.

To run the full suite, run: npm test.

Support

New Relic hosts and moderates an online forum where you can interact with New Relic employees as well as other customers to get help and share best practices. You can find this project's topic/threads here: https://forum.newrelic.com/s/

Contribute

Any feedback provided to New Relic about the New Relic security agent, including feedback provided as source code, comments, or other copyrightable or patentable material, is provided to New Relic under the terms of the New Relic Software License v1.0. If you do not provide attribution information or a copy of the license with your feedback, you waive the performance of those requirements of the New Relic Software License v1.0 with respect to New Relic. The license grant regarding any feedback is irrevocable. Keep in mind that when you submit a pull request or other feedback, you’ll need to sign the CLA via the click-through using CLA-Assistant. You only have to sign the CLA one time per project. If you have any questions drop us an email at opensource@newrelic.com.

A note about vulnerabilities

As noted in our security policy, New Relic is committed to the privacy and security of our customers and their data. We believe that providing coordinated disclosure by security researchers and engaging with the security community are important means to achieve our security goals.

If you believe you have found a security vulnerability in this project or any of New Relic's products or websites, we welcome and greatly appreciate you reporting it to New Relic through HackerOne.

If you would like to contribute to this project, review these guidelines.

License

The New Relic security agent is licensed under the New Relic Software License v1.0. The @newrelic/security-agent also uses source code from third-party libraries. You can find full details on which libraries are used and the terms under which they are licensed in the third-party notices document.

changelog

v2.4.0 (2025-03-21)

Features

  • Support for gRPC error reporting
  • Support to detect API endpoints in next.js framework

Miscellaneous chores

  • Updated axios to v1.8.4

v2.3.2 (2025-03-11)

Bug fixes

  • Updated axios to v1.8.2

Miscellaneous chores

  • Updated readme

v2.3.1 (2025-02-04)

Bug fixes

  • Removed docker-cli-js dependency and updated mongodb unit test case (#283)
  • Added safety check for agentModule before accessing its properties (#284)

v2.3.0 (2025-02-03)

Features

  • Added Support for VM module
  • IAST support for Next.js
  • Support for Insecure settings i.e crypto, hash and random modules

Bug fixes

  • Fix for special characters in ws header
  • Fix for getting transaction in graphql instrumentation
  • Fix for mongodb unit tests

Miscellaneous chores

  • deps-dev: bump undici from v5.28.4 to v5.28.5
  • Updated axios to v1.7.9

v2.2.0 (2024-12-18)

Features

  • Support for express 5.x
  • IAST support for GraphQL
  • Added support for trustboundary security events

Bug fixes

  • Fix for empty route in fastify

v2.1.1 (2024-11-07)

Bug fixes

  • Fix for assignment to logger constant

v2.1.0 (2024-11-05)

Features

  • IAST support for CI/CD
  • Support for IAST schedule, delay and ignore scan categories

Bug fixes

  • Added default values for scan_schedule, scan_controllers and exclude_from_iast_scan config
  • Fix for security home placeholder replacement in fuzz requests
  • Handling to not resolve file path in fs module instrumentation
  • Fix for batch size and condition of iast-data-request sending

Miscellaneous chores

  • Added requestURI field in http request for application-runtime-error
  • Updated instrumented to get the transaction directly instead of from the active segment

v2.0.0 (2024-09-20)

⚠ BREAKING CHANGES

  • Dropped support for Node.js v16
  • Dropped functionality to generate snapshot file

Features

  • Support to honour proxy settings via config
  • Support for secure cookie security event generation
  • Report error to Error Inbox upon connection failure to Security Engine
  • Support to detect application and server path
  • Functionality to truncate Incoming HTTP request upto default limit
  • Dropped support for Node.js v16
  • Dropped functionality to generate snapshot file

Bug fixes

  • Handling for empty data in IAST fuzzing header
  • Added identifiers in events
  • Fix for file integrity security event generation
  • Fix for missing identifiers in iast-data-request JSON

v1.5.0 (2024-08-14)

Features

  • Support for Node.js v22.x

Bug fixes

  • Fix for traceId in error reporting

Miscellaneous chores

  • (deps): bumped axios from 1.6.8 to 1.7.4
  • (deps-dev): bumped ws from 7.5.9 to 8.18.0

Continuous integration

  • Added Node.js v22.x to unit tests

v1.4.0 (2024-06-24)

Features

  • Added support to report application's errors while IAST scanning
  • Support to detect gRPC API endpoints

Bug fixes

  • Remove additional headers added by IAST client
  • Fix for uncaught exception reporting

Miscellaneous chores

  • Updated package.json to bump ws from 8.14.2 to 8.17.1
  • (deps-dev): bump @grpc/grpc-js from 1.9.12 to 1.10.9
  • (deps-dev): bump braces from 3.0.2 to 3.0.3
  • (deps): bump ws from 8.14.2 to 8.17.1

v1.3.0 (2024-05-31)

Features

  • Added route field in security event for API endpoint mapping

Bug fixes

  • Fix for control commands acknowledgement in security agent
  • Added assert for typeof response data in Reflected XSS validation
  • Updated @grpc/grpc-js instrumentation to instrument submodules
  • Handling to convert header values into string

Miscellaneous chores

  • Updated log level for critical messages
  • Readme update
  • (deps-dev): bump axios from 0.21.4 to 1.7.2

v1.2.0 (2024-04-12)

Features

  • Added instrumentation for express framework's res.download() and res.sendFile()

Bug fixes

  • Handling to decrypt fuzz header data for IAST scanning
  • Logging and snapshot file fixes

Miscellaneous chores

  • Prepend vulnerability case type with apiId
  • Updated jsonVersion to v1.2.0
  • Bumped undici from 5.28.3 to 5.28.4

v1.1.1 (2024-03-21)

Bug fixes

  • Reverted IAST support for gRPC.

v1.1.0 (2024-03-19)

Features

  • IAST support for grpc
  • Functionality to report API endpoints of the application
  • IAST support for undici

Bug fixes

  • Updated permissions for file/directory created by security agent

Miscellaneous chores

  • Bumped follow-redirects from v1.15.2 to v1.15.4
  • Updated axios to v1.6.8
  • Bumped ip from v2.0.0 to v2.0.1
  • Bumped undici from 5.28.2 to v5.28.3
  • Readme update

v1.0.1 (2024-02-07)

Bug fixes

  • Reporting of framework in security event json

Miscellaneous chores

  • Updated software license to New Relic Software License Version 1.0
  • Ability to send critical messages on successful startup of agent
  • Updated Copyright headers
  • Updated license in readme

v0.7.0 (2024-01-18)

Features

  • Handling to exclude unsupported content types from rxss processing
  • Handling to report errors/critical messages to Security Engine

Bug fixes

  • Fix for file operation event's parameter must be absolute path of file
  • Fix for ReferenceError of commonUtils module

Miscellaneous chores

  • Updated log event jsonName to "critical-messages"
  • Removed dependency @aws-sdk/client-lambda
  • Bumped follow-redirects from v1.15.2 to v1.15.4
  • Upgraded axios to v1.6.5

v0.6.0 (2024-01-03)

Features

  • Added ws headers NR-CSEC-ENTITY-GUID and NR-CSEC-ENTITY-NAME
  • Updated jsonVersion to 1.1.1 in security events
  • Support to send important logs/errors to security engine

Bug fixes

  • Added missing protocol in http request object
  • Fix for honouring probing interval from policy

Miscellaneous chores

  • Added nestjs test cases
  • Additional logging for instrumented modules and methods
  • Upgraded axios to v1.6.3
  • Removed pinned version for axios and check-disk-space
  • Update in lockfileVersion of package-lock.json
  • Updated @babel/traverse, protobufjs, fast-xml-parser and @aws-sdk/credential-providers
  • Updated Readme.md

v0.5.0 (2023-11-17)

Features

  • IAST support for NestJS framework

Bug Fixes

  • Fixed misspelled constant in fs.open() hook
  • Minor fix in applicationInfo for pod properties

Miscellaneous chores

  • Upgraded ws to v8.14.2 and updated initialization of websocket for v8.x.
  • Upgraded check-disk-space to v3.4.0
  • Upgraded @aws-sdk/client-lambda to v3.436.0

v0.4.0 (2023-10-27)

Features

  • Added event stats for RASP, IAST and exit events in healthcheck.

Miscellaneous chores

  • Deps: Updated uuid to v9.0.1 and @aws-sdk/client-lambda to v3.405.0
  • Upgraded axios to 1.6.0 to resolve CVE-2023-45857

Continuous integration

  • Removed Node.js 14.x from CI.
  • Added should_skip flag to skip CI based on label.

v0.3.0 (2023-09-25)

Features

  • Last leg acknowledgement in IAST scanning.

Bug Fixes

  • Fix for mysql query params in security events.
  • Logging update for default log level and status file flags.
  • Update in IAST batch size processing.
  • Disable instrumentation when security enabled flag is set to false

Miscellaneous Chores

  • Readme update

v0.2.1 (2023-08-07)

Bug Fixes

  • Pinned check-disk-space to v3.3.1 to support Node.js v14

Miscellaneous Chores

  • deps: Updated semver to v7.5.4 and @aws-sdk/client-lambda to v3.363.0

Continuous Integration

  • Add Node.js 20.x to CI

v0.2.0 (2023-07-24)

Features

  • IAST data pull implementation
  • Logging update

Bug Fixes

  • Param fixes for mysql and file hooks.

v0.1.3

  • Updated semver to v7.5.3 (Fix for CWE-1333)
  • Updated request-ip, log4js, html-entities, uuid and fast-safe-stringify to latest version.
  • Fix for system call event generation to avoid null parameters in event.
  • Fix for id in nr-csec-tracing-data.
  • WS logging update.

v0.1.2

  • bump @aws-sdk/client-lambda to v3.348.0
  • Minor fix in ws reconnect.

v0.1.1

  • Fix in mysql instrumentation on getConnection to check if callback is wrapped
  • NR-123832: Support for fire and forget vulnerability detection
  • Fixes for snapshot file.
  • Handling for high_security config.

v0.1.0

  • Handling to use OS specific path separator.
  • Functionality to create directories in windows environment.
  • IAST support for windows.
  • Log file permission fix.

v0.0.8

  • Handling for IP resolving to IPV4 as Node.js v17 and above no longer re-sorts results of IP address lookups and returns them as-is.
  • Third Party Notices update
  • Update in publish workflow

v0.0.7

  • Updated copyright header in source files
  • ReadMe update
  • Minor logging update

v0.0.6

  • Updated default fuzz host to 0.0.0.0
  • Handling to get custom certificate path from config instead of environment variable

v0.0.5

  • Updated README file
  • Init logging update
  • Code refactoring
  • Minor bug fixes