⚑ Medium severity

Null Dereference After Optional Chain

After optional chaining (`?.`) returns undefined, the code tries to call a method on it, throwing TypeError.

After using optional chaining (`?.`) to safely access a potentially-null property, the code immediately calls a method on the result without checking it. Because `?.` yields `undefined` (rather than throwing) when the chain breaks, the following `.map()`, `.filter()`, `.split()` etc. throws `TypeError: Cannot read property 'x' of undefined`. This is the most common runtime error in JavaScript and often surfaces after API changes or schema migrations.

❌ Vulnerable

```javascript
// VULNERABLE
const items = data.items; // could be undefined if API response changed
const names = items.map(item => item.name); // TypeError if items is undefined
```

✓ Fixed

```javascript
// FIXED — optional chaining throughout the chain
const names = data.items?.map(item => item.name) ?? []; // undefined items yields [] instead of throwing
```
Null pointer dereference CVEs in Node.js: CVE-2024-27983 (null dereference causing DoS in Node.js HTTP parser), CVE-2020-1971 (OpenSSL GENERAL_NAME_cmp null dereference causing DoS). The OWASP CWE-476 classification covers this class of vulnerability.
PullLight flags code where optional chaining (`?.`) is used on an intermediate property but the final access isn’t guarded. It detects when `.map()`, `.filter()`, `.reduce()`, `.forEach()`, `.split()`, or method calls follow an unguarded property access on a nullable context, especially around API response handling and config parsing.
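As an added example (not PullLight's own code), the following shows how `?.` short-circuits and why a guard on an intermediate property still leaves the final `.map()` unprotected; the response shapes are constructed for illustration:

```javascript
// Added example (not PullLight's code): how `?.` short-circuits, and why a
// guard on an intermediate property does not protect the final method call.

// Constructed API responses covering the shapes a schema migration can produce.
const RESPONSES = {
  ok: { items: [{ name: 'alpha' }, { name: 'beta' }] },
  noData: null,                    // whole response missing
  noItems: {},                     // `items` dropped from the schema
  nullItems: { items: null },      // `items` present but null
  wrongShape: { items: 'alpha' },  // `items` is no longer an array
  holes: { items: [{ name: 'alpha' }, null, {}] },
};

// Guards only `data`: `data?.items.map` is skipped entirely when data is nullish,
// but throws TypeError when data exists and data.items is undefined or null.
function namesUnguarded(data) {
  return data?.items.map((item) => item.name);
}

// Every nullable step is checked and the result is defaulted to an array.
function namesGuarded(data) {
  const items = data?.items;
  if (!Array.isArray(items)) return []; // covers undefined, null and wrong shapes
  return items.map((item) => item?.name ?? '');
}

// Runs fn on input and reports the outcome instead of letting TypeError escape.
function probe(fn, input) {
  try {
    return { ok: true, value: fn(input) };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

// Tabulates the outcome of both versions for every constructed response.
function compare() {
  const out = {};
  for (const [label, data] of Object.entries(RESPONSES)) {
    out[label] = { unguarded: probe(namesUnguarded, data), guarded: probe(namesGuarded, data) };
  }
  return out;
}

console.log(JSON.stringify(compare(), null, 2));
```

Note that `noData` does not throw in the unguarded version: a nullish `data` short-circuits the whole chain, so the bug only shows up once the response exists but its shape has changed.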