View Code? Open in Web Editor
NEW
This project forked from orbiting /crowdfunding-frontend
A battle proven crowdfunding front end with Stripe, PayPal and PostFinance integration. And lots of features around it.
License: Other
JavaScript 99.93%
Dockerfile 0.07%
crowdfunding-frontend's People
Watchers
crowdfunding-frontend's Issues
WS-2020-0344 - Critical Severity Vulnerability
Vulnerable Library - is-my-json-valid-2.16.1.tgz
A JSONSchema validator that uses code generation to be extremely fast
Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.16.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/is-my-json-valid/package.json
Dependency Hierarchy:
standard-9.0.2.tgz (Root Library)
eslint-3.18.0.tgz
❌ is-my-json-valid-2.16.1.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the fromatName function.
Publish Date: 2020-06-09
URL: WS-2020-0344
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2020-06-09
Fix Resolution (is-my-json-valid): 2.20.3
Direct dependency fix Resolution (standard): 10.0.0
Step up your Open Source Security Game with Mend here
WS-2020-0163 - Medium Severity Vulnerability
Vulnerable Library - marked-0.3.9.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.3.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
❌ marked-0.3.9.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js have multiple unused capture groups which can lead to a Denial of Service.
Publish Date: 2020-07-02
URL: WS-2020-0163
CVSS 3 Score Details (5.9 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution: 1.1.1
Step up your Open Source Security Game with Mend here
CVE-2021-37699 - Medium Severity Vulnerability
Vulnerable Library - next-4.2.3.tgz
Minimalistic framework for server-rendered React applications
Library home page: https://registry.npmjs.org/next/-/next-4.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/next/package.json
Dependency Hierarchy:
❌ next-4.2.3.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. The issue has been patched in release 11.1.0.
Publish Date: 2021-08-12
URL: CVE-2021-37699
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-vxf5-wxwp-m7g9
Release Date: 2021-08-12
Fix Resolution: 11.0.1-canary.0
Step up your Open Source Security Game with Mend here
CVE-2018-3739 - Critical Severity Vulnerability
Vulnerable Libraries - https-proxy-agent-2.1.1.tgz , https-proxy-agent-1.0.0.tgz
https-proxy-agent-2.1.1.tgz
An HTTP(s) proxy `http.Agent` implementation for HTTPS
Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-2.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/github/node_modules/https-proxy-agent/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
glob-promise-3.2.0.tgz
semantic-release-8.2.3.tgz
github-12.1.0.tgz
❌ https-proxy-agent-2.1.1.tgz (Vulnerable Library)
https-proxy-agent-1.0.0.tgz
An HTTP(s) proxy `http.Agent` implementation for HTTPS
Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/https-proxy-agent/package.json
Dependency Hierarchy:
wdio-sauce-service-0.3.1.tgz (Root Library)
sauce-connect-launcher-1.2.2.tgz
❌ https-proxy-agent-1.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
https-proxy-agent before 2.1.1 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).
Publish Date: 2018-06-07
URL: CVE-2018-3739
CVSS 3 Score Details (9.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3739
Release Date: 2018-04-26
Fix Resolution (https-proxy-agent): 2.2.0
Direct dependency fix Resolution (next): 4.3.0-canary.1
Fix Resolution (https-proxy-agent): 2.2.0
Direct dependency fix Resolution (wdio-sauce-service): 0.4.2
Step up your Open Source Security Game with Mend here
CVE-2020-7774 - Critical Severity Vulnerability
Vulnerable Library - y18n-3.2.1.tgz
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/y18n/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
webpack-3.6.0.tgz
yargs-8.0.2.tgz
❌ y18n-3.2.1.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 3.2.2
Direct dependency fix Resolution (next): 4.3.0-canary.1
Step up your Open Source Security Game with Mend here
CVE-2021-3918 - Critical Severity Vulnerability
Vulnerable Library - json-schema-0.2.3.tgz
JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Dependency Hierarchy:
wdio-sauce-service-0.3.1.tgz (Root Library)
request-2.81.0.tgz
http-signature-1.1.1.tgz
jsprim-1.4.1.tgz
❌ json-schema-0.2.3.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-11-13
URL: CVE-2021-3918
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution (json-schema): 0.4.0
Direct dependency fix Resolution (wdio-sauce-service): 0.4.0
Step up your Open Source Security Game with Mend here
CVE-2022-21680 - High Severity Vulnerability
Vulnerable Library - marked-0.3.9.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.3.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
❌ marked-0.3.9.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def
may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Publish Date: 2022-01-14
URL: CVE-2022-21680
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-rrrm-qjm4-v8hf
Release Date: 2022-01-14
Fix Resolution: 4.0.10
Step up your Open Source Security Game with Mend here
CVE-2018-1000620 - Critical Severity Vulnerability
Vulnerable Library - cryptiles-2.0.5.tgz
General purpose crypto utilities
Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/cryptiles/package.json,/package.json
Dependency Hierarchy:
wdio-sauce-service-0.3.1.tgz (Root Library)
request-2.81.0.tgz
hawk-3.1.3.tgz
❌ cryptiles-2.0.5.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.
Publish Date: 2018-07-09
URL: CVE-2018-1000620
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620
Release Date: 2018-07-09
Fix Resolution (cryptiles): 4.1.2
Direct dependency fix Resolution (wdio-sauce-service): 0.4.2
Step up your Open Source Security Game with Mend here
CVE-2021-23383 - Critical Severity Vulnerability
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/handlebars/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
glob-promise-3.2.0.tgz
semantic-release-8.2.3.tgz
release-notes-generator-4.0.5.tgz
conventional-changelog-core-1.9.5.tgz
conventional-changelog-writer-2.0.3.tgz
❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-05-04
URL: CVE-2021-23383
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383
Release Date: 2021-05-04
Fix Resolution (handlebars): 4.1.2-0
Direct dependency fix Resolution (next): 4.3.0-canary.1
Step up your Open Source Security Game with Mend here
CVE-2022-0235 - Medium Severity Vulnerability
Vulnerable Library - node-fetch-1.7.2.tgz
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-fetch/package.json
Dependency Hierarchy:
isomorphic-unfetch-1.0.0.tgz (Root Library)
❌ node-fetch-1.7.2.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution (node-fetch): 2.6.7
Direct dependency fix Resolution (isomorphic-unfetch): 2.1.0
Step up your Open Source Security Game with Mend here
CVE-2019-20922 - High Severity Vulnerability
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/handlebars/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
glob-promise-3.2.0.tgz
semantic-release-8.2.3.tgz
release-notes-generator-4.0.5.tgz
conventional-changelog-core-1.9.5.tgz
conventional-changelog-writer-2.0.3.tgz
❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Mend Note: Converted from WS-2019-0491, on 2022-11-08.
Publish Date: 2020-09-30
URL: CVE-2019-20922
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1300
Release Date: 2020-09-30
Fix Resolution (handlebars): 4.4.5
Direct dependency fix Resolution (next): 4.3.0-canary.1
Step up your Open Source Security Game with Mend here
WS-2019-0059 - Low Severity Vulnerability
Vulnerable Library - express-basic-auth-1.1.2.tgz
Plug & play basic auth middleware for express
Library home page: https://registry.npmjs.org/express-basic-auth/-/express-basic-auth-1.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-basic-auth/package.json
Dependency Hierarchy:
❌ express-basic-auth-1.1.2.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
All versions of express-basic-auth are vulnerable to Timing Attacks. The package uses nating string comparison instead of a constant time string compare which may lead to Timing Attacks. Timing Attacks can be used to increase the efficiency of brute-force attacks by removing the exponential increase in entropy gained from longer secrets.
Publish Date: 2019-04-23
URL: WS-2019-0059
CVSS 3 Score Details (3.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Adjacent
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2019-04-23
Fix Resolution: 1.2.0
Step up your Open Source Security Game with Mend here
CVE-2019-10795 - Medium Severity Vulnerability
Vulnerable Library - undefsafe-0.0.3.tgz
Undefined safe way of extracting object properties
Library home page: https://registry.npmjs.org/undefsafe/-/undefsafe-0.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undefsafe/package.json
Dependency Hierarchy:
nodemon-1.11.0.tgz (Root Library)
❌ undefsafe-0.0.3.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' function could be tricked into adding or modifying properties of Object.prototype using a proto payload.
Publish Date: 2020-02-18
URL: CVE-2019-10795
CVSS 3 Score Details (6.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10795
Release Date: 2020-02-27
Fix Resolution (undefsafe): 2.0.3
Direct dependency fix Resolution (nodemon): 1.14.11
Step up your Open Source Security Game with Mend here
CVE-2018-21270 - Medium Severity Vulnerability
Vulnerable Library - stringstream-0.0.5.tgz
Encode and decode streams into string streams
Library home page: https://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/node_modules/stringstream/package.json
Dependency Hierarchy:
wdio-sauce-service-0.3.1.tgz (Root Library)
request-2.81.0.tgz
❌ stringstream-0.0.5.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).
Publish Date: 2020-12-03
URL: CVE-2018-21270
CVSS 3 Score Details (6.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21270
Release Date: 2020-12-03
Fix Resolution (stringstream): 0.0.6
Direct dependency fix Resolution (wdio-sauce-service): 0.4.0
Step up your Open Source Security Game with Mend here
CVE-2019-19919 - Critical Severity Vulnerability
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/handlebars/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
glob-promise-3.2.0.tgz
semantic-release-8.2.3.tgz
release-notes-generator-4.0.5.tgz
conventional-changelog-core-1.9.5.tgz
conventional-changelog-writer-2.0.3.tgz
❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Mend Note: Converted from WS-2019-0368, on 2022-11-08.
Publish Date: 2019-12-20
URL: CVE-2019-19919
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-w457-6q6x-cgp9
Release Date: 2019-12-20
Fix Resolution (handlebars): 4.3.0
Direct dependency fix Resolution (next): 4.3.0-canary.1
Step up your Open Source Security Game with Mend here
CVE-2020-5284 - Medium Severity Vulnerability
Vulnerable Library - next-4.2.3.tgz
Minimalistic framework for server-rendered React applications
Library home page: https://registry.npmjs.org/next/-/next-4.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/next/package.json
Dependency Hierarchy:
❌ next-4.2.3.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.
Publish Date: 2020-03-30
URL: CVE-2020-5284
CVSS 3 Score Details (4.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2020-04-01
Fix Resolution: 9.3.1-canary.0
Step up your Open Source Security Game with Mend here
CVE-2021-23424 - High Severity Vulnerability
Vulnerable Library - ansi-html-0.0.7.tgz
An elegant lib that converts the chalked (ANSI) text to HTML.
Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ansi-html/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
❌ ansi-html-0.0.7.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.
Publish Date: 2021-08-18
URL: CVE-2021-23424
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424
Release Date: 2021-08-18
Fix Resolution (ansi-html): 0.0.8
Direct dependency fix Resolution (next): 8.1.1-canary.17
Step up your Open Source Security Game with Mend here
CVE-2017-16137 - Low Severity Vulnerability
Vulnerable Libraries - debug-2.6.7.tgz , debug-2.6.8.tgz
debug-2.6.7.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.6.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/debug/package.json
Dependency Hierarchy:
body-parser-1.17.2.tgz (Root Library)
❌ debug-2.6.7.tgz (Vulnerable Library)
debug-2.6.8.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.6.8.tgz
Dependency Hierarchy:
express-4.15.4.tgz (Root Library)
❌ debug-2.6.8.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
CVSS 3 Score Details (3.7 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-gxpj-cx7g-858c
Release Date: 2018-04-26
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (body-parser): 1.18.2
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (express): 4.15.5
Step up your Open Source Security Game with Mend here
CVE-2020-8116 - High Severity Vulnerability
Vulnerable Library - dot-prop-3.0.0.tgz
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/dot-prop/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
glob-promise-3.2.0.tgz
semantic-release-8.2.3.tgz
commit-analyzer-3.0.7.tgz
conventional-changelog-angular-1.6.0.tgz
compare-func-1.3.2.tgz
❌ dot-prop-3.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Publish Date: 2020-02-04
URL: CVE-2020-8116
CVSS 3 Score Details (7.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116
Release Date: 2020-02-04
Fix Resolution (dot-prop): 4.2.1
Direct dependency fix Resolution (next): 4.3.0-zones.1
Step up your Open Source Security Game with Mend here
CVE-2022-21681 - High Severity Vulnerability
Vulnerable Library - marked-0.3.9.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.3.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
❌ marked-0.3.9.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch
may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Publish Date: 2022-01-14
URL: CVE-2022-21681
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-5v2h-r2cx-5xgj
Release Date: 2022-01-14
Fix Resolution: 4.0.10
Step up your Open Source Security Game with Mend here
WS-2018-0628 - Medium Severity Vulnerability
Vulnerable Library - marked-0.3.9.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.3.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
❌ marked-0.3.9.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
marked before 0.4.0 is vulnerable to Regular Expression Denial of Service (REDoS) through heading in marked.js.
Publish Date: 2018-04-16
URL: WS-2018-0628
CVSS 3 Score Details (5.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2018-04-16
Fix Resolution: 0.4.0
Step up your Open Source Security Game with Mend here
CVE-2021-23369 - Critical Severity Vulnerability
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/handlebars/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
glob-promise-3.2.0.tgz
semantic-release-8.2.3.tgz
release-notes-generator-4.0.5.tgz
conventional-changelog-core-1.9.5.tgz
conventional-changelog-writer-2.0.3.tgz
❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-04-12
URL: CVE-2021-23369
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2021-04-12
Fix Resolution (handlebars): 4.1.2-0
Direct dependency fix Resolution (next): 4.3.0-canary.1
Step up your Open Source Security Game with Mend here
CVE-2018-3750 - High Severity Vulnerability
Vulnerable Library - deep-extend-0.4.2.tgz
Recursive object extending
Library home page: https://registry.npmjs.org/deep-extend/-/deep-extend-0.4.2.tgz
Dependency Hierarchy:
nodemon-1.11.0.tgz (Root Library)
update-notifier-0.5.0.tgz
latest-version-1.0.1.tgz
package-json-1.2.0.tgz
registry-url-3.1.0.tgz
rc-1.2.1.tgz
❌ deep-extend-0.4.2.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
Publish Date: 2018-07-03
URL: CVE-2018-3750
CVSS 3 Score Details (7.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750
Release Date: 2018-07-03
Fix Resolution (deep-extend): 0.5.1
Direct dependency fix Resolution (nodemon): 1.11.1
Step up your Open Source Security Game with Mend here
WS-2018-0114 - High Severity Vulnerability
Vulnerable Library - npmconf-2.1.2.tgz
The config thing npm uses
Library home page: https://registry.npmjs.org/npmconf/-/npmconf-2.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/npmconf/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
glob-promise-3.2.0.tgz
semantic-release-8.2.3.tgz
❌ npmconf-2.1.2.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Versions of npmconf before 2.1.3 allocate and write to disk uninitialized memory contents when a typed number is passed as input on Node.js 4.x.
Publish Date: 2018-05-16
URL: WS-2018-0114
CVSS 3 Score Details (7.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/653
Release Date: 2018-01-27
Fix Resolution (npmconf): 2.1.3
Direct dependency fix Resolution (next): 4.3.0-canary.1
Step up your Open Source Security Game with Mend here
CVE-2022-0155 - Medium Severity Vulnerability
Vulnerable Library - follow-redirects-1.2.6.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.2.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
glob-promise-3.2.0.tgz
semantic-release-8.2.3.tgz
github-12.1.0.tgz
❌ follow-redirects-1.2.6.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
CVSS 3 Score Details (6.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution (follow-redirects): 1.14.7
Direct dependency fix Resolution (next): 4.3.0-zones.1
Step up your Open Source Security Game with Mend here
CVE-2020-7788 - Critical Severity Vulnerability
Vulnerable Library - ini-1.3.4.tgz
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ini/package.json,/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
glob-promise-3.2.0.tgz
semantic-release-8.2.3.tgz
npmconf-2.1.2.tgz
❌ ini-1.3.4.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution (ini): 1.3.6
Direct dependency fix Resolution (next): 4.3.0-canary.1
Step up your Open Source Security Game with Mend here
CVE-2022-0144 - High Severity Vulnerability
Vulnerable Library - shelljs-0.7.8.tgz
Portable Unix shell commands for Node.js
Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/shelljs/package.json
Dependency Hierarchy:
standard-9.0.2.tgz (Root Library)
eslint-3.18.0.tgz
❌ shelljs-0.7.8.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
shelljs is vulnerable to Improper Privilege Management
Publish Date: 2022-01-11
URL: CVE-2022-0144
CVSS 3 Score Details (7.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2022-01-11
Fix Resolution (shelljs): 0.8.5
Direct dependency fix Resolution (standard): 11.0.0
Step up your Open Source Security Game with Mend here
WS-2019-0058 - Medium Severity Vulnerability
Vulnerable Library - webpack-bundle-analyzer-2.9.0.tgz
Webpack plugin and CLI utility that represents bundle content as convenient interactive zoomable treemap
Library home page: https://registry.npmjs.org/webpack-bundle-analyzer/-/webpack-bundle-analyzer-2.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/webpack-bundle-analyzer/package.json
Dependency Hierarchy:
❌ webpack-bundle-analyzer-2.9.0.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Versions of webpack-bundle-analyzer prior to 3.3.2 are vulnerable to Cross-Site Scripting. The package uses JSON.stringify() without properly escaping input which may lead to Cross-Site Scripting.
Publish Date: 2019-04-11
URL: WS-2019-0058
CVSS 3 Score Details (6.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2019-04-11
Fix Resolution: 3.3.2
Step up your Open Source Security Game with Mend here
CVE-2020-26226 - High Severity Vulnerability
Vulnerable Library - semantic-release-8.2.3.tgz
Automated semver compliant package publishing
Library home page: https://registry.npmjs.org/semantic-release/-/semantic-release-8.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semantic-release/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
glob-promise-3.2.0.tgz
❌ semantic-release-8.2.3.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by semantic-release
can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3.
Publish Date: 2020-11-18
URL: CVE-2020-26226
CVSS 3 Score Details (8.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-r2j6-p67h-q639
Release Date: 2020-11-18
Fix Resolution (semantic-release): 17.2.3
Direct dependency fix Resolution (next): 4.3.0-zones.1
Step up your Open Source Security Game with Mend here
CVE-2017-16138 - High Severity Vulnerability
Vulnerable Library - mime-1.3.4.tgz
A comprehensive library for mime-type mapping
Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mime/package.json
Dependency Hierarchy:
express-4.15.4.tgz (Root Library)
send-0.15.4.tgz
❌ mime-1.3.4.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Mend Note: Converted from WS-2017-0330, on 2022-11-08.
Publish Date: 2018-06-07
URL: CVE-2017-16138
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138
Release Date: 2018-04-26
Fix Resolution (mime): 1.4.1
Direct dependency fix Resolution (express): 4.16.0
Step up your Open Source Security Game with Mend here
CVE-2019-10744 - Critical Severity Vulnerability
Vulnerable Libraries - lodash.template-4.4.0.tgz , lodash-4.17.4.tgz , lodash-es-4.17.4.tgz
lodash.template-4.4.0.tgz
The lodash method `_.template` exported as a module.
Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-4.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash.template/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
glob-promise-3.2.0.tgz
semantic-release-8.2.3.tgz
release-notes-generator-4.0.5.tgz
conventional-changelog-core-1.9.5.tgz
git-raw-commits-1.3.0.tgz
❌ lodash.template-4.4.0.tgz (Vulnerable Library)
lodash-4.17.4.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
redux-3.7.2.tgz (Root Library)
❌ lodash-4.17.4.tgz (Vulnerable Library)
lodash-es-4.17.4.tgz
Lodash exported as ES modules.
Library home page: https://registry.npmjs.org/lodash-es/-/lodash-es-4.17.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash-es/package.json
Dependency Hierarchy:
redux-3.7.2.tgz (Root Library)
❌ lodash-es-4.17.4.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash.template): 4.5.0
Direct dependency fix Resolution (next): 4.3.0-canary.1
Fix Resolution (lodash): 4.5.0
Direct dependency fix Resolution (redux): 4.0.0
Fix Resolution (lodash-es): 4.5.0
Direct dependency fix Resolution (redux): 4.0.0
Step up your Open Source Security Game with Mend here
CVE-2021-23343 - High Severity Vulnerability
Vulnerable Library - path-parse-1.0.5.tgz
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/path-parse/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
babel-plugin-module-resolver-2.7.1.tgz
resolve-1.4.0.tgz
❌ path-parse-1.0.5.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (next): 4.3.0-canary.1
Step up your Open Source Security Game with Mend here
CVE-2020-7733 - High Severity Vulnerability
Vulnerable Library - ua-parser-js-0.7.14.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.14.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ua-parser-js/package.json
Dependency Hierarchy:
glamor-2.20.40.tgz (Root Library)
fbjs-0.8.14.tgz
❌ ua-parser-js-0.7.14.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.
Publish Date: 2020-09-16
URL: CVE-2020-7733
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2020-09-16
Fix Resolution (ua-parser-js): 0.7.22
Direct dependency fix Resolution (glamor): 3.0.0-1
Step up your Open Source Security Game with Mend here
CVE-2021-23425 - Medium Severity Vulnerability
Vulnerable Library - trim-off-newlines-1.0.1.tgz
Similar to String#trim() but removes only newlines
Library home page: https://registry.npmjs.org/trim-off-newlines/-/trim-off-newlines-1.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/trim-off-newlines/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
glob-promise-3.2.0.tgz
semantic-release-8.2.3.tgz
commit-analyzer-3.0.7.tgz
conventional-commits-parser-2.1.0.tgz
❌ trim-off-newlines-1.0.1.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
All versions of package trim-off-newlines are vulnerable to Regular Expression Denial of Service (ReDoS) via string processing.
Publish Date: 2021-08-18
URL: CVE-2021-23425
CVSS 3 Score Details (5.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23425
Release Date: 2021-08-18
Fix Resolution (trim-off-newlines): 1.0.2
Direct dependency fix Resolution (next): 4.3.0-canary.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - adm-zip-0.4.7.tgz
A Javascript implementation of zip for nodejs. Allows user to create or extract zip files both in memory or to/from disk
Library home page: https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/adm-zip/package.json
Dependency Hierarchy:
wdio-sauce-service-0.3.1.tgz (Root Library)
sauce-connect-launcher-1.2.2.tgz
❌ adm-zip-0.4.7.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
Mend Note: Converted from WS-2019-0231, on 2021-08-17.
Publish Date: 2018-07-25
URL: CVE-2018-1002204
CVSS 3 Score Details (5.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1002204
Release Date: 2018-07-25
Fix Resolution (adm-zip): 0.4.9
Direct dependency fix Resolution (wdio-sauce-service): 0.4.0
Step up your Open Source Security Game with Mend here
CVE-2019-20920 - High Severity Vulnerability
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/handlebars/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
glob-promise-3.2.0.tgz
semantic-release-8.2.3.tgz
release-notes-generator-4.0.5.tgz
conventional-changelog-core-1.9.5.tgz
conventional-changelog-writer-2.0.3.tgz
❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Publish Date: 2020-09-30
URL: CVE-2019-20920
CVSS 3 Score Details (8.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: Low
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1316
Release Date: 2020-10-15
Fix Resolution (handlebars): 4.5.3
Direct dependency fix Resolution (next): 4.3.0-canary.1
Step up your Open Source Security Game with Mend here
CVE-2021-23807 - Critical Severity Vulnerability
Vulnerable Library - jsonpointer-4.0.1.tgz
Simple JSON Addressing.
Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jsonpointer/package.json
Dependency Hierarchy:
standard-9.0.2.tgz (Root Library)
eslint-3.18.0.tgz
is-my-json-valid-2.16.1.tgz
❌ jsonpointer-4.0.1.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.
Publish Date: 2021-11-03
URL: CVE-2021-23807
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23807
Release Date: 2021-11-03
Fix Resolution (jsonpointer): 5.0.0
Direct dependency fix Resolution (standard): 10.0.0
Step up your Open Source Security Game with Mend here
CVE-2018-3745 - Critical Severity Vulnerability
Vulnerable Library - atob-1.1.3.tgz
atob for Node.JS and Linux / Mac / Windows CLI (it's a one-liner)
Library home page: https://registry.npmjs.org/atob/-/atob-1.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/atob/package.json
Dependency Hierarchy:
webdriverio-4.8.0.tgz (Root Library)
css-parse-2.0.0.tgz
css-2.2.1.tgz
source-map-resolve-0.3.1.tgz
❌ atob-1.1.3.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
atob 2.0.3 and earlier allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below.
Publish Date: 2018-05-29
URL: CVE-2018-3745
CVSS 3 Score Details (9.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/321686
Release Date: 2018-05-29
Fix Resolution (atob): 2.1.0
Direct dependency fix Resolution (webdriverio): 4.9.0
Step up your Open Source Security Game with Mend here
CVE-2021-43803 - High Severity Vulnerability
Vulnerable Library - next-4.2.3.tgz
Minimalistic framework for server-rendered React applications
Library home page: https://registry.npmjs.org/next/-/next-4.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/next/package.json
Dependency Hierarchy:
❌ next-4.2.3.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue.
Publish Date: 2021-12-10
URL: CVE-2021-43803
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-25mp-g6fv-mqxx
Release Date: 2021-12-10
Fix Resolution: 11.1.2-canary.0
Step up your Open Source Security Game with Mend here
CVE-2021-27292 - High Severity Vulnerability
Vulnerable Library - ua-parser-js-0.7.14.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.14.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ua-parser-js/package.json
Dependency Hierarchy:
glamor-2.20.40.tgz (Root Library)
fbjs-0.8.14.tgz
❌ ua-parser-js-0.7.14.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.
Publish Date: 2021-03-17
URL: CVE-2021-27292
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27292
Release Date: 2021-03-17
Fix Resolution (ua-parser-js): 0.7.24
Direct dependency fix Resolution (glamor): 3.0.0-1
Step up your Open Source Security Game with Mend here
WS-2018-0076 - Medium Severity Vulnerability
Vulnerable Library - tunnel-agent-0.4.3.tgz
HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.
Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/codeclimate-test-reporter/node_modules/tunnel-agent/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
glob-promise-3.2.0.tgz
codeclimate-test-reporter-0.5.0.tgz
request-2.79.0.tgz
❌ tunnel-agent-0.4.3.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number.
Publish Date: 2017-03-05
URL: WS-2018-0076
CVSS 3 Score Details (5.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/598
Release Date: 2017-03-05
Fix Resolution (tunnel-agent): 0.6.0
Direct dependency fix Resolution (next): 4.3.0-canary.1
Step up your Open Source Security Game with Mend here
CVE-2020-28498 - Medium Severity Vulnerability
Vulnerable Library - elliptic-6.4.0.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
webpack-3.6.0.tgz
node-libs-browser-2.1.0.tgz
crypto-browserify-3.12.0.tgz
create-ecdh-4.0.0.tgz
❌ elliptic-6.4.0.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
CVSS 3 Score Details (6.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution (elliptic): 6.5.4
Direct dependency fix Resolution (next): 4.3.0-canary.1
Step up your Open Source Security Game with Mend here
WS-2020-0345 - High Severity Vulnerability
Vulnerable Library - jsonpointer-4.0.1.tgz
Simple JSON Addressing.
Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jsonpointer/package.json
Dependency Hierarchy:
standard-9.0.2.tgz (Root Library)
eslint-3.18.0.tgz
is-my-json-valid-2.16.1.tgz
❌ jsonpointer-4.0.1.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Prototype Pollution vulnerability was found in jsonpointer before 4.1.0 via the set function.
Publish Date: 2020-07-03
URL: WS-2020-0345
CVSS 3 Score Details (8.2 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-03
Fix Resolution (jsonpointer): 4.1.0
Direct dependency fix Resolution (standard): 10.0.0
Step up your Open Source Security Game with Mend here
CVE-2017-15010 - High Severity Vulnerability
Vulnerable Library - tough-cookie-2.3.2.tgz
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.2.tgz
Dependency Hierarchy:
wdio-sauce-service-0.3.1.tgz (Root Library)
request-2.81.0.tgz
❌ tough-cookie-2.3.2.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.
Publish Date: 2017-10-04
URL: CVE-2017-15010
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15010
Release Date: 2017-10-03
Fix Resolution (tough-cookie): 2.3.3
Direct dependency fix Resolution (wdio-sauce-service): 0.4.0
Step up your Open Source Security Game with Mend here
CVE-2020-13822 - High Severity Vulnerability
Vulnerable Library - elliptic-6.4.0.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
webpack-3.6.0.tgz
node-libs-browser-2.1.0.tgz
crypto-browserify-3.12.0.tgz
create-ecdh-4.0.0.tgz
❌ elliptic-6.4.0.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
CVSS 3 Score Details (7.7 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (next): 4.3.0-canary.1
Step up your Open Source Security Game with Mend here
WS-2020-0342 - High Severity Vulnerability
Vulnerable Library - is-my-json-valid-2.16.1.tgz
A JSONSchema validator that uses code generation to be extremely fast
Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.16.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/is-my-json-valid/package.json
Dependency Hierarchy:
standard-9.0.2.tgz (Root Library)
eslint-3.18.0.tgz
❌ is-my-json-valid-2.16.1.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Regular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2 via the style format.
Publish Date: 2020-06-27
URL: WS-2020-0342
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2020-06-27
Fix Resolution (is-my-json-valid): 2.20.2
Direct dependency fix Resolution (standard): 10.0.0
Step up your Open Source Security Game with Mend here
CVE-2021-32804 - High Severity Vulnerability
Vulnerable Library - tar-2.2.1.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
nodemon-1.11.0.tgz (Root Library)
chokidar-1.7.0.tgz
fsevents-1.1.2.tgz
node-pre-gyp-0.6.36.tgz
❌ tar-2.2.1.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths
flag is not set to true
. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc
would turn into home/user/.bashrc
. This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc
. node-tar
would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc
) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom onentry
method which sanitizes the entry.path
or a filter
method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.
Publish Date: 2021-08-03
URL: CVE-2021-32804
CVSS 3 Score Details (8.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-3jfq-g458-7qm9
Release Date: 2021-08-03
Fix Resolution (tar): 3.2.2
Direct dependency fix Resolution (nodemon): 1.11.1
Step up your Open Source Security Game with Mend here
CVE-2018-3737 - High Severity Vulnerability
Vulnerable Libraries - sshpk-1.13.0.tgz , sshpk-1.13.1.tgz
sshpk-1.13.0.tgz
A library for finding and using SSH public keys
Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
nodemon-1.11.0.tgz (Root Library)
chokidar-1.7.0.tgz
fsevents-1.1.2.tgz
node-pre-gyp-0.6.36.tgz
request-2.81.0.tgz
http-signature-1.1.1.tgz
❌ sshpk-1.13.0.tgz (Vulnerable Library)
sshpk-1.13.1.tgz
A library for finding and using SSH public keys
Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/sshpk/package.json
Dependency Hierarchy:
wdio-sauce-service-0.3.1.tgz (Root Library)
request-2.81.0.tgz
http-signature-1.1.1.tgz
❌ sshpk-1.13.1.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.
Publish Date: 2018-06-07
URL: CVE-2018-3737
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/319593
Release Date: 2018-04-26
Fix Resolution (sshpk): 1.13.2
Direct dependency fix Resolution (nodemon): 1.11.1
Fix Resolution (sshpk): 1.13.2
Direct dependency fix Resolution (wdio-sauce-service): 0.4.0
Step up your Open Source Security Game with Mend here
CVE-2018-7651 - Medium Severity Vulnerability
Vulnerable Library - ssri-4.1.6.tgz
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-4.1.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ssri/package.json
Dependency Hierarchy:
next-4.2.3.tgz (Root Library)
glob-promise-3.2.0.tgz
semantic-release-8.2.3.tgz
last-release-npm-2.0.2.tgz
npm-registry-client-8.5.0.tgz
❌ ssri-4.1.6.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
index.js in the ssri module before 5.2.2 for Node.js is prone to a regular expression denial of service vulnerability in strict mode functionality via a long base64 hash string.
Publish Date: 2018-03-04
URL: CVE-2018-7651
CVSS 3 Score Details (5.9 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7651
Release Date: 2022-10-03
Fix Resolution (ssri): 5.2.2
Direct dependency fix Resolution (next): 4.3.0-canary.1
Step up your Open Source Security Game with Mend here
CVE-2021-23337 - High Severity Vulnerability
Vulnerable Libraries - lodash-4.17.4.tgz , lodash-es-4.17.4.tgz
lodash-4.17.4.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
redux-3.7.2.tgz (Root Library)
❌ lodash-4.17.4.tgz (Vulnerable Library)
lodash-es-4.17.4.tgz
Lodash exported as ES modules.
Library home page: https://registry.npmjs.org/lodash-es/-/lodash-es-4.17.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash-es/package.json
Dependency Hierarchy:
redux-3.7.2.tgz (Root Library)
❌ lodash-es-4.17.4.tgz (Vulnerable Library)
Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (redux): 4.0.0
Fix Resolution (lodash-es): 4.17.21
Direct dependency fix Resolution (redux): 4.0.0
Step up your Open Source Security Game with Mend here