This project forked from owasp/nodegoat
The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
Home Page: https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project
License: Apache License 2.0
Vulnerable Library - body-parser-1.18.3.tgzPath to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (body-parser version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-24999 |  High |
7.5 | qs-6.5.2.tgz | Transitive | 1.19.0 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2022-24999A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Dependency Hierarchy:
Found in base branch: master
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.5.3
Direct dependency fix Resolution (body-parser): 1.19.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Vulnerable Library - forever-2.0.0.tgzPath to dependency file: /package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (forever version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2019-10747 |  High |
9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2019-10746 | High |
9.8 | mixin-deep-1.3.1.tgz | Transitive | N/A* | ❌ |
| CVE-2021-44906 | High |
9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2020-7788 | High |
9.8 | ini-1.3.5.tgz | Transitive | N/A* | ❌ |
| CVE-2021-23440 | High |
9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2020-7774 | High |
9.8 | y18n-3.2.1.tgz | Transitive | N/A* | ❌ |
| CVE-2021-37712 | High |
8.6 | tar-4.4.8.tgz | Transitive | N/A* | ❌ |
| CVE-2021-37701 | High |
8.6 | tar-4.4.8.tgz | Transitive | N/A* | ❌ |
| CVE-2021-37713 | High |
8.6 | tar-4.4.8.tgz | Transitive | N/A* | ❌ |
| CVE-2021-32804 | High |
8.1 | tar-4.4.8.tgz | Transitive | N/A* | ❌ |
| CVE-2021-32803 | High |
8.1 | tar-4.4.8.tgz | Transitive | N/A* | ❌ |
| CVE-2019-20149 | High |
7.5 | kind-of-6.0.2.tgz | Transitive | N/A* | ❌ |
| CVE-2020-28469 | High |
7.5 | glob-parent-3.1.0.tgz | Transitive | N/A* | ❌ |
| WS-2018-0148 | High |
7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2022-3517 | High |
7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | ❌ |
| CVE-2022-21803 | High |
7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2022-38900 | High |
7.5 | decode-uri-component-0.2.0.tgz | Transitive | N/A* | ❌ |
| CVE-2021-3820 | High |
7.5 | i-0.3.6.tgz | Transitive | N/A* | ❌ |
| CVE-2020-7598 |  Medium |
5.6 | detected in multiple dependencies | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
CVE-2019-10747
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/union-value/node_modules/set-value/package.json
Dependency Hierarchy:
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/set-value/package.json
Dependency Hierarchy:
Found in base branch: master
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.
Publish Date: 2019-08-23
URL: CVE-2019-10747
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-10-29
Fix Resolution: 2.0.1,3.0.1
CVE-2019-10746Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mixin-deep/package.json
Dependency Hierarchy:
Found in base branch: master
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-08-23
URL: CVE-2019-10746
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-08-23
Fix Resolution: 1.3.2,2.0.1
CVE-2021-44906
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/prettyjson/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Dependency Hierarchy:
Found in base branch: master
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-03-17
Fix Resolution: minimist - 1.2.6
CVE-2020-7788An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz
Dependency Hierarchy:
Found in base branch: master
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution: v1.3.6
CVE-2021-23440
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/set-value/package.json
Dependency Hierarchy:
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/union-value/node_modules/set-value/package.json
Dependency Hierarchy:
Found in base branch: master
This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
Mend Note: After conducting further research, Mend has determined that all versions of set-value up to version 4.0.0 are vulnerable to CVE-2021-23440.
Publish Date: 2021-09-12
URL: CVE-2021-23440
Base Score Metrics:
Type: Upgrade version
Origin: https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/
Release Date: 2021-09-12
Fix Resolution: set-value - 2.0.1,4.0.1
CVE-2020-7774the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/y18n/package.json
Dependency Hierarchy:
Found in base branch: master
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution: 3.2.2, 4.0.1, 5.0.5
CVE-2021-37712tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz
Dependency Hierarchy:
Found in base branch: master
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.
Publish Date: 2021-08-31
URL: CVE-2021-37712
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qq89-hq3f-393p
Release Date: 2021-08-31
Fix Resolution: tar - 4.4.18,5.0.10,6.1.9
CVE-2021-37701tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz
Dependency Hierarchy:
Found in base branch: master
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \ and / characters as path separators, however \ is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at FOO, followed by a symbolic link named foo, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but not from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the FOO directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.
Publish Date: 2021-08-31
URL: CVE-2021-37701
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9r2w-394v-53qc
Release Date: 2021-08-31
Fix Resolution: tar - 4.4.16,5.0.8,6.1.7
CVE-2021-37713tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz
Dependency Hierarchy:
Found in base branch: master
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain .. path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory. Additionally, a .. portion of the path could occur immediately after the drive letter, such as C:../foo, and was not properly sanitized by the logic that checked for .. within the normalized and split portions of the path. This only affects users of node-tar on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.
Publish Date: 2021-08-31
URL: CVE-2021-37713
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5955-9wpr-37jh
Release Date: 2021-08-31
Fix Resolution: tar - 4.4.18,5.0.10,6.1.9
CVE-2021-32804tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz
Dependency Hierarchy:
Found in base branch: master
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc. This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.
Publish Date: 2021-08-03
URL: CVE-2021-32804
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3jfq-g458-7qm9
Release Date: 2021-08-03
Fix Resolution: tar - 3.2.2, 4.4.14, 5.0.6, 6.1.1
CVE-2021-32803tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz
Dependency Hierarchy:
Found in base branch: master
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the node-tar directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where node-tar checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.
Publish Date: 2021-08-03
URL: CVE-2021-32803
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-r628-mhmh-qjhw
Release Date: 2021-08-03
Fix Resolution: tar - 3.2.3, 4.4.15, 5.0.7, 6.1.2
CVE-2019-20149Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/base/node_modules/kind-of/package.json,/node_modules/micromatch/node_modules/kind-of/package.json,/node_modules/snapdragon-node/node_modules/kind-of/package.json,/node_modules/extglob/node_modules/kind-of/package.json,/node_modules/nanomatch/node_modules/kind-of/package.json,/node_modules/define-property/node_modules/kind-of/package.json
Dependency Hierarchy:
Found in base branch: master
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
Base Score Metrics:
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149
Release Date: 2019-12-30
Fix Resolution: 6.0.3
CVE-2020-28469Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in base branch: master
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
WS-2018-0148
A drop-in replacement for `util` with some additional advantageous functions
Library home page: https://registry.npmjs.org/utile/-/utile-0.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/utile/package.json
Dependency Hierarchy:
A drop-in replacement for `util` with some additional advantageous functions
Library home page: https://registry.npmjs.org/utile/-/utile-0.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/prompt/node_modules/utile/package.json,/node_modules/broadway/node_modules/utile/package.json
Dependency Hierarchy:
Found in base branch: master
The utile npm module, version 0.3.0, allows to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in setups where typed user input can be passed (e.g. from JSON).
Publish Date: 2018-07-16
URL: WS-2018-0148
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2018-0148
Release Date: 2018-01-16
Fix Resolution: JetBrains.Rider.Frontend5 - 213.0.20211008.154703-eap03
CVE-2022-3517a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
Found in base branch: master
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
CVE-2022-21803
Hierarchical node.js configuration with files, environment variables, command-line arguments, and atomic object merging.
Library home page: https://registry.npmjs.org/nconf/-/nconf-0.6.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/broadway/node_modules/nconf/package.json
Dependency Hierarchy:
Hierarchical node.js configuration with files, environment variables, command-line arguments, and atomic object merging.
Library home page: https://registry.npmjs.org/nconf/-/nconf-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nconf/package.json
Dependency Hierarchy:
Found in base branch: master
This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype.
Publish Date: 2022-04-12
URL: CVE-2022-21803
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21803
Release Date: 2022-04-12
Fix Resolution: nconf - 0.11.4
CVE-2022-38900A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/decode-uri-component/package.json
Dependency Hierarchy:
Found in base branch: master
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution: decode-uri-component - 0.2.1
CVE-2021-3820custom inflections for nodejs
Library home page: https://registry.npmjs.org/i/-/i-0.3.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/i/package.json
Dependency Hierarchy:
Found in base branch: master
inflect is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-27
URL: CVE-2021-3820
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3820
Release Date: 2021-09-27
Fix Resolution: i - 0.3.7
CVE-2020-7598
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
Found in base branch: master
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.3
Vulnerable Library - swig-1.4.2.tgzPath to dependency file: /package.json
Path to vulnerable library: /node_modules/uglify-js/package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (swig version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2015-8858 | High |
7.5 | uglify-js-2.4.24.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
CVE-2015-8858JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.4.24.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/uglify-js/package.json
Dependency Hierarchy:
Found in base branch: master
The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2015-8858
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858
Release Date: 2017-01-23
Fix Resolution: v2.6.0
Vulnerable Library - helmet-2.3.0.tgzPath to dependency file: /package.json
Path to vulnerable library: /node_modules/connect/node_modules/ms/package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (helmet version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2017-20165 | High |
7.5 | debug-2.2.0.tgz | Transitive | N/A* | ❌ |
| WS-2019-0289 | Medium |
6.1 | helmet-csp-1.2.2.tgz | Transitive | N/A* | ❌ |
| CVE-2017-20162 | Medium |
5.3 | ms-0.7.1.tgz | Transitive | N/A* | ❌ |
| CVE-2017-16137 | Medium |
5.3 | debug-2.2.0.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
CVE-2017-20165small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/connect/node_modules/debug/package.json
Dependency Hierarchy:
Found in base branch: master
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.
Publish Date: 2023-01-09
URL: CVE-2017-20165
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9vvw-cc9w-f27h
Release Date: 2023-01-09
Fix Resolution: debug - 2.6.9,3.1.0
WS-2019-0289Content Security Policy middleware.
Library home page: https://registry.npmjs.org/helmet-csp/-/helmet-csp-1.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/helmet-csp/package.json
Dependency Hierarchy:
Found in base branch: master
Helmet-csp before 2.9.1 is vulnerable to a Configuration Override affecting the application's Content Security Policy (CSP). The package's browser sniffing for Firefox deletes the default-src CSP policy, which is the fallback policy. This allows an attacker to remove an application's default CSP, possibly rendering the application vulnerable to Cross-Site Scripting.
Publish Date: 2019-11-18
URL: WS-2019-0289
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1176
Release Date: 2019-11-18
Fix Resolution: 2.9.1
CVE-2017-20162Tiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/connect/node_modules/ms/package.json
Dependency Hierarchy:
Found in base branch: master
A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.
Publish Date: 2023-01-05
URL: CVE-2017-20162
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-01-05
Fix Resolution: ms - 2.0.0
CVE-2017-16137small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/connect/node_modules/debug/package.json
Dependency Hierarchy:
Found in base branch: master
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137
Release Date: 2018-06-07
Fix Resolution: 2.6.9
Vulnerable Library - helmet-2.3.0.tgzPath to dependency file: /package.json
Path to vulnerable library: /node_modules/connect/node_modules/ms/package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (helmet version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2017-20165 | High |
7.5 | debug-2.2.0.tgz | Transitive | 3.8.2 | ✅ |
| WS-2019-0289 |  Medium |
6.1 | helmet-csp-1.2.2.tgz | Transitive | 3.21.0 | ✅ |
| CVE-2017-20162 | Medium |
5.3 | ms-0.7.1.tgz | Transitive | 3.6.1 | ✅ |
| CVE-2017-16137 | Medium |
5.3 | debug-2.2.0.tgz | Transitive | 3.8.2 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2017-20165small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/connect/node_modules/debug/package.json
Dependency Hierarchy:
Found in base branch: master
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.
Publish Date: 2023-01-09
URL: CVE-2017-20165
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9vvw-cc9w-f27h
Release Date: 2023-01-09
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (helmet): 3.8.2
⛑️ Automatic Remediation will be attempted for this issue.
WS-2019-0289Content Security Policy middleware.
Library home page: https://registry.npmjs.org/helmet-csp/-/helmet-csp-1.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/helmet-csp/package.json
Dependency Hierarchy:
Found in base branch: master
Helmet-csp before 2.9.1 is vulnerable to a Configuration Override affecting the application's Content Security Policy (CSP). The package's browser sniffing for Firefox deletes the default-src CSP policy, which is the fallback policy. This allows an attacker to remove an application's default CSP, possibly rendering the application vulnerable to Cross-Site Scripting.
Publish Date: 2019-11-18
URL: WS-2019-0289
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1176
Release Date: 2019-11-18
Fix Resolution (helmet-csp): 2.9.1
Direct dependency fix Resolution (helmet): 3.21.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2017-20162Tiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/connect/node_modules/ms/package.json
Dependency Hierarchy:
Found in base branch: master
A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.
Publish Date: 2023-01-05
URL: CVE-2017-20162
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-01-05
Fix Resolution (ms): 2.0.0
Direct dependency fix Resolution (helmet): 3.6.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2017-16137small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/connect/node_modules/debug/package.json
Dependency Hierarchy:
Found in base branch: master
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137
Release Date: 2018-04-26
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (helmet): 3.8.2
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Vulnerable Library - mongodb-2.2.36.tgzThe official MongoDB driver for Node.js
Library home page: https://registry.npmjs.org/mongodb/-/mongodb-2.2.36.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mongodb/package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (mongodb version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2020-7610 | High |
9.8 | bson-1.0.9.tgz | Transitive | N/A* | ❌ |
| WS-2019-0311 | Medium |
6.5 | mongodb-2.2.36.tgz | Direct | 3.1.13 | ✅ |
| CVE-2019-2391 | Medium |
5.4 | bson-1.0.9.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
CVE-2020-7610A bson parser for node.js and the browser
Library home page: https://registry.npmjs.org/bson/-/bson-1.0.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bson/package.json
Dependency Hierarchy:
Found in base branch: master
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
Publish Date: 2020-03-30
URL: CVE-2020-7610
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-04-01
Fix Resolution: bson - 1.1.4
WS-2019-0311The official MongoDB driver for Node.js
Library home page: https://registry.npmjs.org/mongodb/-/mongodb-2.2.36.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mongodb/package.json
Dependency Hierarchy:
Found in base branch: master
In 'node-mongodb-native', versions prior to v3.1.13 are vulnerable against DOS as a result of a potential crash when a collection name is invalid and the DB doesn't exist.
Publish Date: 2019-01-23
URL: WS-2019-0311
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1203
Release Date: 2019-01-23
Fix Resolution: 3.1.13
⛑️ Automatic Remediation is available for this issue
CVE-2019-2391A bson parser for node.js and the browser
Library home page: https://registry.npmjs.org/bson/-/bson-1.0.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bson/package.json
Dependency Hierarchy:
Found in base branch: master
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior to.
Publish Date: 2020-03-31
URL: CVE-2019-2391
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2391
Release Date: 2020-09-29
Fix Resolution: bson - 1.1.4
⛑️ Automatic Remediation is available for this issue.
Vulnerable Library - swig-1.4.2.tgzPath to dependency file: /package.json
Path to vulnerable library: /node_modules/uglify-js/package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (swig version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2015-8858 | High |
7.5 | uglify-js-2.4.24.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
CVE-2015-8858JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.4.24.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/uglify-js/package.json
Dependency Hierarchy:
Found in base branch: master
The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2015-8858
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858
Release Date: 2017-01-23
Fix Resolution: v2.6.0
Vulnerable Library - body-parser-1.18.3.tgzPath to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (body-parser version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-24999 | High |
7.5 | qs-6.5.2.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
CVE-2022-24999A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Dependency Hierarchy:
Found in base branch: master
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution: qs - 6.2.4,6.3.3,6.4.1,6.5.3,6.6.1,6.7.3,6.8.3,6.9.7,6.10.3
Vulnerable Library - body-parser-1.18.3.tgzPath to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (body-parser version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-24999 | High |
7.5 | qs-6.5.2.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
CVE-2022-24999A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Dependency Hierarchy:
Found in base branch: master
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution: qs - 6.2.4,6.3.3,6.4.1,6.5.3,6.6.1,6.7.3,6.8.3,6.9.7,6.10.3
Vulnerable Library - underscore-1.9.1.tgzJavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/underscore/package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (underscore version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2021-23358 | High |
7.2 | underscore-1.9.1.tgz | Direct | 1.12.1 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2021-23358JavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/underscore/package.json
Dependency Hierarchy:
Found in base branch: master
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
Publish Date: 2021-03-29
URL: CVE-2021-23358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
Release Date: 2021-03-29
Fix Resolution: 1.12.1
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Vulnerable Library - helmet-2.3.0.tgzPath to dependency file: /package.json
Path to vulnerable library: /node_modules/connect/node_modules/ms/package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (helmet version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2017-20165 | High |
7.5 | debug-2.2.0.tgz | Transitive | N/A* | ❌ |
| WS-2019-0289 | Medium |
6.1 | helmet-csp-1.2.2.tgz | Transitive | N/A* | ❌ |
| CVE-2017-20162 | Medium |
5.3 | ms-0.7.1.tgz | Transitive | N/A* | ❌ |
| CVE-2017-16137 | Medium |
5.3 | debug-2.2.0.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
CVE-2017-20165small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/connect/node_modules/debug/package.json
Dependency Hierarchy:
Found in base branch: master
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.
Publish Date: 2023-01-09
URL: CVE-2017-20165
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9vvw-cc9w-f27h
Release Date: 2023-01-09
Fix Resolution: debug - 2.6.9,3.1.0
WS-2019-0289Content Security Policy middleware.
Library home page: https://registry.npmjs.org/helmet-csp/-/helmet-csp-1.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/helmet-csp/package.json
Dependency Hierarchy:
Found in base branch: master
Helmet-csp before 2.9.1 is vulnerable to a Configuration Override affecting the application's Content Security Policy (CSP). The package's browser sniffing for Firefox deletes the default-src CSP policy, which is the fallback policy. This allows an attacker to remove an application's default CSP, possibly rendering the application vulnerable to Cross-Site Scripting.
Publish Date: 2019-11-18
URL: WS-2019-0289
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1176
Release Date: 2019-11-18
Fix Resolution: 2.9.1
CVE-2017-20162Tiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/connect/node_modules/ms/package.json
Dependency Hierarchy:
Found in base branch: master
A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.
Publish Date: 2023-01-05
URL: CVE-2017-20162
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-01-05
Fix Resolution: ms - 2.0.0
CVE-2017-16137small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/connect/node_modules/debug/package.json
Dependency Hierarchy:
Found in base branch: master
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137
Release Date: 2018-06-07
Fix Resolution: 2.6.9
Vulnerable Library - swig-1.4.2.tgzPath to dependency file: /package.json
Path to vulnerable library: /node_modules/uglify-js/package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (swig version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2015-8858 | High |
7.5 | uglify-js-2.4.24.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2015-8858JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.4.24.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/uglify-js/package.json
Dependency Hierarchy:
Found in base branch: master
The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2015-8858
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858
Release Date: 2017-01-23
Fix Resolution: v2.6.0
Vulnerable Library - marked-0.3.5.tgzA markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (marked version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2017-16114 | High |
7.5 | marked-0.3.5.tgz | Direct | 0.3.9 | ✅ |
| CVE-2022-21681 | High |
7.5 | marked-0.3.5.tgz | Direct | 4.0.10 | ✅ |
| CVE-2022-21680 | High |
7.5 | marked-0.3.5.tgz | Direct | 4.0.10 | ✅ |
| WS-2018-0031 | High |
7.1 | marked-0.3.5.tgz | Direct | 0.3.6 | ✅ |
| WS-2019-0026 | Medium |
6.1 | marked-0.3.5.tgz | Direct | 0.3.9 | ✅ |
| WS-2019-0025 | Medium |
6.1 | marked-0.3.5.tgz | Direct | 0.3.9 | ✅ |
| CVE-2016-10531 | Medium |
6.1 | marked-0.3.5.tgz | Direct | 0.3.6 | ✅ |
| CVE-2017-1000427 | Medium |
6.1 | marked-0.3.5.tgz | Direct | 0.3.7 | ✅ |
| WS-2020-0163 | Medium |
5.9 | marked-0.3.5.tgz | Direct | 1.1.1 | ✅ |
| WS-2019-0027 | Medium |
5.3 | marked-0.3.5.tgz | Direct | 0.3.18 | ✅ |
| WS-2018-0628 | Medium |
5.3 | marked-0.3.5.tgz | Direct | 0.4.0 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2017-16114A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
Found in base branch: master
The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.
Publish Date: 2018-06-07
URL: CVE-2017-16114
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/531/versions
Release Date: 2018-04-26
Fix Resolution: 0.3.9
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-21681A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
Found in base branch: master
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Publish Date: 2022-01-14
URL: CVE-2022-21681
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5v2h-r2cx-5xgj
Release Date: 2022-01-14
Fix Resolution: 4.0.10
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-21680A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
Found in base branch: master
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Publish Date: 2022-01-14
URL: CVE-2022-21680
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-rrrm-qjm4-v8hf
Release Date: 2022-01-14
Fix Resolution: 4.0.10
⛑️ Automatic Remediation will be attempted for this issue.
WS-2018-0031A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
Found in base branch: master
The affected versions (through 0.3.5) in marked package are vulnerable to Cross-Site Scripting (XSS) Due To Sanitization Bypass Using HTML Entities
Publish Date: 2018-03-23
URL: WS-2018-0031
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-03-23
Fix Resolution: 0.3.6
⛑️ Automatic Remediation will be attempted for this issue.
WS-2019-0026A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
Found in base branch: master
Versions 0.3.7 and earlier of marked suuport unescaping of only lowercase, which may lead to XSS.
Publish Date: 2017-12-23
URL: WS-2019-0026
Base Score Metrics:
Type: Upgrade version
Release Date: 2017-12-23
Fix Resolution: 0.3.9
⛑️ Automatic Remediation will be attempted for this issue.
WS-2019-0025A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
Found in base branch: master
Versions 0.3.7 and earlier of marked When mangling is disabled via option mangle don't escape target href are vulnerable to XSS, which allows an attacker to inject arbitrary code.
Publish Date: 2017-12-23
URL: WS-2019-0025
Base Score Metrics:
Type: Upgrade version
Release Date: 2017-12-23
Fix Resolution: 0.3.9
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2016-10531A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
Found in base branch: master
marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL. This flaw exists because &#xNNanything; gets parsed to what it could and leaves the rest behind, resulting in just anything; being left.
Publish Date: 2018-05-31
URL: CVE-2016-10531
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10531
Release Date: 2018-04-26
Fix Resolution: 0.3.6
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2017-1000427A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
Found in base branch: master
marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.
Publish Date: 2018-01-02
URL: CVE-2017-1000427
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000427
Release Date: 2018-01-02
Fix Resolution: 0.3.7
⛑️ Automatic Remediation will be attempted for this issue.
WS-2020-0163A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
Found in base branch: master
marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js have multiple unused capture groups which can lead to a Denial of Service.
Publish Date: 2020-07-02
URL: WS-2020-0163
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution: 1.1.1
⛑️ Automatic Remediation will be attempted for this issue.
WS-2019-0027A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
Found in base branch: master
Versions 0.3.17 and earlier of marked has Four regexes were vulnerable to catastrophic backtracking. This leaves markdown servers open to a potential REDOS attack.
Publish Date: 2018-02-26
URL: WS-2019-0027
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-02-26
Fix Resolution: 0.3.18
⛑️ Automatic Remediation will be attempted for this issue.
WS-2018-0628A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
Found in base branch: master
marked before 0.4.0 is vulnerable to Regular Expression Denial of Service (REDoS) through heading in marked.js.
Publish Date: 2018-04-16
URL: WS-2018-0628
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-04-16
Fix Resolution: 0.4.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Vulnerable Library - underscore-1.9.1.tgzJavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/underscore/package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (underscore version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2021-23358 | High |
7.2 | underscore-1.9.1.tgz | Direct | 1.12.1 | ✅ |
CVE-2021-23358JavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/underscore/package.json
Dependency Hierarchy:
Found in base branch: master
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
Publish Date: 2021-03-29
URL: CVE-2021-23358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
Release Date: 2021-03-29
Fix Resolution: 1.12.1
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.
Vulnerable Library - forever-2.0.0.tgzPath to dependency file: /package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (forever version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2019-10747 |  Critical |
9.8 | detected in multiple dependencies | Transitive | 3.0.0 | ✅ |
| CVE-2019-10746 | Critical |
9.8 | mixin-deep-1.3.1.tgz | Transitive | 3.0.0 | ✅ |
| CVE-2021-44906 | Critical |
9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2020-7788 | Critical |
9.8 | ini-1.3.5.tgz | Transitive | 3.0.0 | ❌ |
| CVE-2021-23440 | Critical |
9.8 | detected in multiple dependencies | Transitive | 3.0.0 | ✅ |
| CVE-2020-7774 | Critical |
9.8 | y18n-3.2.1.tgz | Transitive | 3.0.0 | ✅ |
| CVE-2021-37712 | High |
8.6 | tar-4.4.8.tgz | Transitive | 3.0.0 | ❌ |
| CVE-2021-37701 | High |
8.6 | tar-4.4.8.tgz | Transitive | 3.0.0 | ❌ |
| CVE-2021-37713 | High |
8.6 | tar-4.4.8.tgz | Transitive | 3.0.0 | ❌ |
| CVE-2021-32804 | High |
8.1 | tar-4.4.8.tgz | Transitive | 3.0.0 | ❌ |
| CVE-2021-32803 | High |
8.1 | tar-4.4.8.tgz | Transitive | 3.0.0 | ❌ |
| CVE-2019-20149 | High |
7.5 | kind-of-6.0.2.tgz | Transitive | 3.0.0 | ✅ |
| CVE-2020-28469 | High |
7.5 | glob-parent-3.1.0.tgz | Transitive | N/A* | ❌ |
| WS-2018-0148 | High |
7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2022-3517 | High |
7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | ❌ |
| CVE-2022-21803 | High |
7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2022-38900 | High |
7.5 | decode-uri-component-0.2.0.tgz | Transitive | 3.0.0 | ✅ |
| CVE-2021-3820 | High |
7.5 | i-0.3.6.tgz | Transitive | 3.0.0 | ✅ |
| CVE-2020-7598 | Medium |
5.6 | detected in multiple dependencies | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2019-10747
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/union-value/node_modules/set-value/package.json
Dependency Hierarchy:
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/set-value/package.json
Dependency Hierarchy:
Found in base branch: master
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.
Publish Date: 2019-08-23
URL: CVE-2019-10747
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-08-23
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (forever): 3.0.0
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (forever): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-10746Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mixin-deep/package.json
Dependency Hierarchy:
Found in base branch: master
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-08-23
URL: CVE-2019-10746
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-08-23
Fix Resolution (mixin-deep): 1.3.2
Direct dependency fix Resolution (forever): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-44906
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/prettyjson/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Dependency Hierarchy:
Found in base branch: master
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-03-17
Fix Resolution: minimist - 1.2.6
CVE-2020-7788An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz
Dependency Hierarchy:
Found in base branch: master
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution (ini): 1.3.6
Direct dependency fix Resolution (forever): 3.0.0
CVE-2021-23440
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/set-value/package.json
Dependency Hierarchy:
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/union-value/node_modules/set-value/package.json
Dependency Hierarchy:
Found in base branch: master
Mend Note: After conducting further research, Mend has determined that all versions of set-value before versions 2.0.1, 4.0.1 are vulnerable to CVE-2021-23440.
Publish Date: 2021-09-12
URL: CVE-2021-23440
Base Score Metrics:
Type: Upgrade version
Origin: https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/
Release Date: 2021-09-12
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (forever): 3.0.0
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (forever): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-7774the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/y18n/package.json
Dependency Hierarchy:
Found in base branch: master
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 3.2.2
Direct dependency fix Resolution (forever): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-37712tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz
Dependency Hierarchy:
Found in base branch: master
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.
Publish Date: 2021-08-31
URL: CVE-2021-37712
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qq89-hq3f-393p
Release Date: 2021-08-31
Fix Resolution (tar): 4.4.18
Direct dependency fix Resolution (forever): 3.0.0
CVE-2021-37701tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz
Dependency Hierarchy:
Found in base branch: master
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \ and / characters as path separators, however \ is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at FOO, followed by a symbolic link named foo, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but not from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the FOO directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.
Publish Date: 2021-08-31
URL: CVE-2021-37701
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9r2w-394v-53qc
Release Date: 2021-08-31
Fix Resolution (tar): 4.4.16
Direct dependency fix Resolution (forever): 3.0.0
CVE-2021-37713tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz
Dependency Hierarchy:
Found in base branch: master
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain .. path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory. Additionally, a .. portion of the path could occur immediately after the drive letter, such as C:../foo, and was not properly sanitized by the logic that checked for .. within the normalized and split portions of the path. This only affects users of node-tar on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.
Publish Date: 2021-08-31
URL: CVE-2021-37713
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5955-9wpr-37jh
Release Date: 2021-08-31
Fix Resolution (tar): 4.4.18
Direct dependency fix Resolution (forever): 3.0.0
CVE-2021-32804tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz
Dependency Hierarchy:
Found in base branch: master
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc. This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.
Publish Date: 2021-08-03
URL: CVE-2021-32804
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3jfq-g458-7qm9
Release Date: 2021-08-03
Fix Resolution (tar): 4.4.14
Direct dependency fix Resolution (forever): 3.0.0
CVE-2021-32803tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz
Dependency Hierarchy:
Found in base branch: master
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the node-tar directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where node-tar checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.
Publish Date: 2021-08-03
URL: CVE-2021-32803
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-r628-mhmh-qjhw
Release Date: 2021-08-03
Fix Resolution (tar): 4.4.15
Direct dependency fix Resolution (forever): 3.0.0
CVE-2019-20149Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/base/node_modules/kind-of/package.json,/node_modules/micromatch/node_modules/kind-of/package.json,/node_modules/snapdragon-node/node_modules/kind-of/package.json,/node_modules/extglob/node_modules/kind-of/package.json,/node_modules/nanomatch/node_modules/kind-of/package.json,/node_modules/define-property/node_modules/kind-of/package.json
Dependency Hierarchy:
Found in base branch: master
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
Base Score Metrics:
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149
Release Date: 2019-12-30
Fix Resolution (kind-of): 6.0.3
Direct dependency fix Resolution (forever): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-28469Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in base branch: master
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
WS-2018-0148
A drop-in replacement for `util` with some additional advantageous functions
Library home page: https://registry.npmjs.org/utile/-/utile-0.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/utile/package.json
Dependency Hierarchy:
A drop-in replacement for `util` with some additional advantageous functions
Library home page: https://registry.npmjs.org/utile/-/utile-0.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/prompt/node_modules/utile/package.json,/node_modules/broadway/node_modules/utile/package.json
Dependency Hierarchy:
Found in base branch: master
The utile npm module, version 0.3.0, allows to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in setups where typed user input can be passed (e.g. from JSON).
Publish Date: 2018-07-16
URL: WS-2018-0148
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2018-0148
Release Date: 2018-01-16
Fix Resolution: JetBrains.Rider.Frontend5 - 213.0.20211008.154703-eap03
CVE-2022-3517a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
Found in base branch: master
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
CVE-2022-21803
Hierarchical node.js configuration with files, environment variables, command-line arguments, and atomic object merging.
Library home page: https://registry.npmjs.org/nconf/-/nconf-0.6.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/broadway/node_modules/nconf/package.json
Dependency Hierarchy:
Hierarchical node.js configuration with files, environment variables, command-line arguments, and atomic object merging.
Library home page: https://registry.npmjs.org/nconf/-/nconf-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nconf/package.json
Dependency Hierarchy:
Found in base branch: master
This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype.
Publish Date: 2022-04-12
URL: CVE-2022-21803
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21803
Release Date: 2022-04-12
Fix Resolution: nconf - 0.11.4
CVE-2022-38900A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/decode-uri-component/package.json
Dependency Hierarchy:
Found in base branch: master
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (forever): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-3820custom inflections for nodejs
Library home page: https://registry.npmjs.org/i/-/i-0.3.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/i/package.json
Dependency Hierarchy:
Found in base branch: master
inflect is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-27
URL: CVE-2021-3820
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3820
Release Date: 2021-09-27
Fix Resolution (i): 0.3.7
Direct dependency fix Resolution (forever): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-7598
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
Found in base branch: master
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.3
⛑️Automatic Remediation will be attempted for this issue.
⛔ Details - Ensure that HEALTHCHECK instructions have been added to container images
Vulnerable Library - underscore-1.9.1.tgzJavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/underscore/package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (underscore version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2021-23358 | High |
7.2 | underscore-1.9.1.tgz | Direct | 1.12.1 | ✅ |
CVE-2021-23358JavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/underscore/package.json
Dependency Hierarchy:
Found in base branch: master
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
Publish Date: 2021-03-29
URL: CVE-2021-23358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
Release Date: 2021-03-29
Fix Resolution: 1.12.1
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.
Vulnerable Library - mongodb-2.2.36.tgzThe official MongoDB driver for Node.js
Library home page: https://registry.npmjs.org/mongodb/-/mongodb-2.2.36.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mongodb/package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (mongodb version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2020-7610 | Critical |
9.8 | bson-1.0.9.tgz | Transitive | 3.1.3 | ✅ |
| WS-2019-0311 | Medium |
6.5 | mongodb-2.2.36.tgz | Direct | 3.1.13 | ✅ |
| CVE-2019-2391 | Medium |
5.4 | bson-1.0.9.tgz | Transitive | 3.1.3 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2020-7610A bson parser for node.js and the browser
Library home page: https://registry.npmjs.org/bson/-/bson-1.0.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bson/package.json
Dependency Hierarchy:
Found in base branch: master
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
Publish Date: 2020-03-30
URL: CVE-2020-7610
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-04-01
Fix Resolution (bson): 1.1.4
Direct dependency fix Resolution (mongodb): 3.1.3
⛑️ Automatic Remediation will be attempted for this issue.
WS-2019-0311The official MongoDB driver for Node.js
Library home page: https://registry.npmjs.org/mongodb/-/mongodb-2.2.36.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mongodb/package.json
Dependency Hierarchy:
Found in base branch: master
In 'node-mongodb-native', versions prior to v3.1.13 are vulnerable against DOS as a result of a potential crash when a collection name is invalid and the DB doesn't exist.
Publish Date: 2019-01-23
URL: WS-2019-0311
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1203
Release Date: 2019-01-23
Fix Resolution: 3.1.13
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-2391A bson parser for node.js and the browser
Library home page: https://registry.npmjs.org/bson/-/bson-1.0.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bson/package.json
Dependency Hierarchy:
Found in base branch: master
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior to.
Publish Date: 2020-03-31
URL: CVE-2019-2391
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2391
Release Date: 2020-03-31
Fix Resolution (bson): 1.1.4
Direct dependency fix Resolution (mongodb): 3.1.3
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
