artisan-static's People
artisan-static's Issues
CVE-2021-3805 (High) detected in object-path-0.9.2.tgz
CVE-2021-3805 - High Severity Vulnerability
Vulnerable Library - object-path-0.9.2.tgz
Access deep properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/object-path/package.json
Dependency Hierarchy:
- laravel-mix-jigsaw-1.3.0.tgz (Root Library)
- browser-sync-2.26.12.tgz
- eazy-logger-3.0.2.tgz
- tfunk-3.1.0.tgz
- ❌ object-path-0.9.2.tgz (Vulnerable Library)
- tfunk-3.1.0.tgz
- eazy-logger-3.0.2.tgz
- browser-sync-2.26.12.tgz
Found in base branch: master
Vulnerability Details
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-09-17
URL: CVE-2021-3805
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053/
Release Date: 2021-09-17
Fix Resolution (object-path): 0.11.8
Direct dependency fix Resolution (laravel-mix-jigsaw): 1.4.0
Step up your Open Source Security Game with Mend here
CVE-2022-37601 (High) detected in loader-utils-1.4.0.tgz
CVE-2022-37601 - High Severity Vulnerability
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
- sass-loader-7.3.1.tgz (Root Library)
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (sass-loader): 8.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-0122 (Medium) detected in node-forge-0.10.0.tgz
CVE-2022-0122 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- webpack-dev-server-3.11.0.tgz
- selfsigned-1.10.8.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
- selfsigned-1.10.8.tgz
- webpack-dev-server-3.11.0.tgz
Found in base branch: master
Vulnerability Details
forge is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2022-01-06
URL: CVE-2022-0122
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (laravel-mix): 6.0.40
Step up your Open Source Security Game with Mend here
CVE-2020-36048 (High) detected in engine.io-3.2.1.tgz
CVE-2020-36048 - High Severity Vulnerability
Vulnerable Library - engine.io-3.2.1.tgz
The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/engine.io/package.json
Dependency Hierarchy:
- laravel-mix-jigsaw-1.3.0.tgz (Root Library)
- browser-sync-2.26.12.tgz
- socket.io-2.1.1.tgz
- ❌ engine.io-3.2.1.tgz (Vulnerable Library)
- socket.io-2.1.1.tgz
- browser-sync-2.26.12.tgz
Found in base branch: master
Vulnerability Details
Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
Publish Date: 2021-01-08
URL: CVE-2020-36048
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048
Release Date: 2021-01-08
Fix Resolution (engine.io): 3.6.0
Direct dependency fix Resolution (laravel-mix-jigsaw): 1.4.0
Step up your Open Source Security Game with Mend here
CVE-2021-3749 (High) detected in axios-0.19.0.tgz
CVE-2021-3749 - High Severity Vulnerability
Vulnerable Library - axios-0.19.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
- laravel-mix-jigsaw-1.3.0.tgz (Root Library)
- browser-sync-2.26.12.tgz
- localtunnel-2.0.0.tgz
- ❌ axios-0.19.0.tgz (Vulnerable Library)
- localtunnel-2.0.0.tgz
- browser-sync-2.26.12.tgz
Found in base branch: master
Vulnerability Details
axios is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-08-31
URL: CVE-2021-3749
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/
Release Date: 2021-08-31
Fix Resolution (axios): 0.20.0
Direct dependency fix Resolution (laravel-mix-jigsaw): 1.4.0
Step up your Open Source Security Game with Mend here
CVE-2022-25858 (High) detected in terser-3.17.0.tgz, terser-4.8.0.tgz
CVE-2022-25858 - High Severity Vulnerability
Vulnerable Libraries - terser-3.17.0.tgz, terser-4.8.0.tgz
terser-3.17.0.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-3.17.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/terser/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- ❌ terser-3.17.0.tgz (Vulnerable Library)
terser-4.8.0.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-4.8.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/terser-webpack-plugin/node_modules/terser/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- terser-webpack-plugin-1.4.5.tgz
- ❌ terser-4.8.0.tgz (Vulnerable Library)
- terser-webpack-plugin-1.4.5.tgz
Found in base branch: master
Vulnerability Details
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution (terser): 4.8.1
Direct dependency fix Resolution (laravel-mix): 5.0.8
Fix Resolution (terser): 4.8.1
Direct dependency fix Resolution (laravel-mix): 5.0.8
Step up your Open Source Security Game with Mend here
CVE-2020-15256 (Critical) detected in object-path-0.9.2.tgz
CVE-2020-15256 - Critical Severity Vulnerability
Vulnerable Library - object-path-0.9.2.tgz
Access deep properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/object-path/package.json
Dependency Hierarchy:
- laravel-mix-jigsaw-1.3.0.tgz (Root Library)
- browser-sync-2.26.12.tgz
- eazy-logger-3.0.2.tgz
- tfunk-3.1.0.tgz
- ❌ object-path-0.9.2.tgz (Vulnerable Library)
- tfunk-3.1.0.tgz
- eazy-logger-3.0.2.tgz
- browser-sync-2.26.12.tgz
Found in base branch: master
Vulnerability Details
A prototype pollution vulnerability has been found in object-path
<= 0.11.4 affecting the set()
method. The vulnerability is limited to the includeInheritedProps
mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path
and setting the option includeInheritedProps: true
, or by using the default withInheritedProps
instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set()
in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the includeInheritedProps: true
options or the withInheritedProps
instance if using a version >= 0.11.0.
Publish Date: 2020-10-19
URL: CVE-2020-15256
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-cwx2-736x-mf6w
Release Date: 2020-10-19
Fix Resolution (object-path): 0.11.5
Direct dependency fix Resolution (laravel-mix-jigsaw): 1.4.0
Step up your Open Source Security Game with Mend here
CVE-2021-3664 (Medium) detected in url-parse-1.4.7.tgz
CVE-2021-3664 - Medium Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- webpack-dev-server-3.11.0.tgz
- sockjs-client-1.4.0.tgz
- ❌ url-parse-1.4.7.tgz (Vulnerable Library)
- sockjs-client-1.4.0.tgz
- webpack-dev-server-3.11.0.tgz
Found in base branch: master
Vulnerability Details
url-parse is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2021-07-26
URL: CVE-2021-3664
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664
Release Date: 2021-07-26
Fix Resolution (url-parse): 1.5.2
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-24772 (High) detected in node-forge-0.10.0.tgz
CVE-2022-24772 - High Severity Vulnerability
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- webpack-dev-server-3.11.0.tgz
- selfsigned-1.10.8.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
- selfsigned-1.10.8.tgz
- webpack-dev-server-3.11.0.tgz
Found in base branch: master
Vulnerability Details
Forge (also called node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo
ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge
version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (laravel-mix): 6.0.40
Step up your Open Source Security Game with Mend here
CVE-2022-0512 (Medium) detected in url-parse-1.4.7.tgz
CVE-2022-0512 - Medium Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- webpack-dev-server-3.11.0.tgz
- sockjs-client-1.4.0.tgz
- ❌ url-parse-1.4.7.tgz (Vulnerable Library)
- sockjs-client-1.4.0.tgz
- webpack-dev-server-3.11.0.tgz
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
Publish Date: 2022-02-14
URL: CVE-2022-0512
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512
Release Date: 2022-02-14
Fix Resolution (url-parse): 1.5.6
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2017-1000048 (High) detected in qs-6.2.3.tgz - autoclosed
CVE-2017-1000048 - High Severity Vulnerability
Vulnerable Library - qs-6.2.3.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.2.3.tgz
Path to dependency file: artisan-static/package.json
Path to vulnerable library: artisan-static/node_modules/browser-sync/node_modules/qs/package.json
Dependency Hierarchy:
- laravel-mix-jigsaw-1.3.0.tgz (Root Library)
- browser-sync-2.26.12.tgz
- ❌ qs-6.2.3.tgz (Vulnerable Library)
- browser-sync-2.26.12.tgz
Found in HEAD commit: 349a4a8c52dcbce2842442a029283e58a1ffd6a0
Found in base branch: master
Vulnerability Details
the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
Publish Date: 2017-07-17
URL: CVE-2017-1000048
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000048
Release Date: 2017-07-17
Fix Resolution: 6.0.4,6.1.2,6.2.3,6.3.2
Step up your Open Source Security Game with WhiteSource here
CVE-2022-41940 (Medium) detected in engine.io-3.2.1.tgz
CVE-2022-41940 - Medium Severity Vulnerability
Vulnerable Library - engine.io-3.2.1.tgz
The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/engine.io/package.json
Dependency Hierarchy:
- laravel-mix-jigsaw-1.3.0.tgz (Root Library)
- browser-sync-2.26.12.tgz
- socket.io-2.1.1.tgz
- ❌ engine.io-3.2.1.tgz (Vulnerable Library)
- socket.io-2.1.1.tgz
- browser-sync-2.26.12.tgz
Found in base branch: master
Vulnerability Details
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.
Publish Date: 2022-11-22
URL: CVE-2022-41940
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-r7qp-cfhv-p84w
Release Date: 2022-11-22
Fix Resolution (engine.io): 3.6.1
Direct dependency fix Resolution (laravel-mix-jigsaw): 1.4.0
Step up your Open Source Security Game with Mend here
CVE-2022-1650 (Critical) detected in eventsource-1.0.7.tgz
CVE-2022-1650 - Critical Severity Vulnerability
Vulnerable Library - eventsource-1.0.7.tgz
W3C compliant EventSource client for Node.js and browser (polyfill)
Library home page: https://registry.npmjs.org/eventsource/-/eventsource-1.0.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/eventsource/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- webpack-dev-server-3.11.0.tgz
- sockjs-client-1.4.0.tgz
- ❌ eventsource-1.0.7.tgz (Vulnerable Library)
- sockjs-client-1.4.0.tgz
- webpack-dev-server-3.11.0.tgz
Found in base branch: master
Vulnerability Details
Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.
Publish Date: 2022-05-12
URL: CVE-2022-1650
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2022-05-12
Fix Resolution (eventsource): 1.1.1
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2021-23440 (High) detected in set-value-2.0.1.tgz
CVE-2021-23440 - High Severity Vulnerability
Vulnerable Library - set-value-2.0.1.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/set-value/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- chokidar-2.1.8.tgz
- braces-2.3.2.tgz
- snapdragon-0.8.2.tgz
- base-0.11.2.tgz
- cache-base-1.0.1.tgz
- ❌ set-value-2.0.1.tgz (Vulnerable Library)
- cache-base-1.0.1.tgz
- base-0.11.2.tgz
- snapdragon-0.8.2.tgz
- braces-2.3.2.tgz
- chokidar-2.1.8.tgz
Found in base branch: master
Vulnerability Details
This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
Mend Note: After conducting further research, Mend has determined that all versions of set-value up to version 4.0.0 are vulnerable to CVE-2021-23440.
Publish Date: 2021-09-12
URL: CVE-2021-23440
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-09-12
Fix Resolution (set-value): 4.0.1
Direct dependency fix Resolution (laravel-mix): 6.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-46175 (High) detected in json5-2.1.3.tgz, json5-1.0.1.tgz
CVE-2022-46175 - High Severity Vulnerability
Vulnerable Libraries - json5-2.1.3.tgz, json5-1.0.1.tgz
json5-2.1.3.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json5/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- core-7.11.6.tgz
- ❌ json5-2.1.3.tgz (Vulnerable Library)
- core-7.11.6.tgz
json5-1.0.1.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/node_modules/json5/package.json
Dependency Hierarchy:
- sass-loader-7.3.1.tgz (Root Library)
- loader-utils-1.4.0.tgz
- ❌ json5-1.0.1.tgz (Vulnerable Library)
- loader-utils-1.4.0.tgz
Found in base branch: master
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse
method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__
, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse
and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse
. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse
should restrict parsing of __proto__
keys when parsing JSON strings to objects. As a point of reference, the JSON.parse
method included in JavaScript ignores __proto__
keys. Simply changing JSON5.parse
to JSON.parse
in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (laravel-mix): 5.0.0
Fix Resolution (json5): 1.0.2
Direct dependency fix Resolution (sass-loader): 8.0.0
Step up your Open Source Security Game with Mend here
CVE-2020-7608 (Medium) detected in yargs-parser-11.1.1.tgz
CVE-2020-7608 - Medium Severity Vulnerability
Vulnerable Library - yargs-parser-11.1.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/yargs/node_modules/yargs-parser/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- yargs-12.0.5.tgz
- ❌ yargs-parser-11.1.1.tgz (Vulnerable Library)
- yargs-12.0.5.tgz
Found in HEAD commit: 349a4a8c52dcbce2842442a029283e58a1ffd6a0
Found in base branch: master
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2020-28481 (Medium) detected in socket.io-2.1.1.tgz
CVE-2020-28481 - Medium Severity Vulnerability
Vulnerable Library - socket.io-2.1.1.tgz
node.js realtime framework server
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socket.io/package.json
Dependency Hierarchy:
- laravel-mix-jigsaw-1.3.0.tgz (Root Library)
- browser-sync-2.26.12.tgz
- ❌ socket.io-2.1.1.tgz (Vulnerable Library)
- browser-sync-2.26.12.tgz
Found in base branch: master
Vulnerability Details
The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
Publish Date: 2021-01-19
URL: CVE-2020-28481
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481
Release Date: 2021-01-19
Fix Resolution (socket.io): 2.4.0
Direct dependency fix Resolution (laravel-mix-jigsaw): 1.4.0
Step up your Open Source Security Game with Mend here
CVE-2022-24773 (Medium) detected in node-forge-0.10.0.tgz
CVE-2022-24773 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- webpack-dev-server-3.11.0.tgz
- selfsigned-1.10.8.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
- selfsigned-1.10.8.tgz
- webpack-dev-server-3.11.0.tgz
Found in base branch: master
Vulnerability Details
Forge (also called node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo
for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge
version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24773
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (laravel-mix): 6.0.40
Step up your Open Source Security Game with Mend here
CVE-2022-0686 (High) detected in url-parse-1.4.7.tgz
CVE-2022-0686 - High Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- webpack-dev-server-3.11.0.tgz
- sockjs-client-1.4.0.tgz
- ❌ url-parse-1.4.7.tgz (Vulnerable Library)
- sockjs-client-1.4.0.tgz
- webpack-dev-server-3.11.0.tgz
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2021-33502 (High) detected in normalize-url-3.3.0.tgz
CVE-2021-33502 - High Severity Vulnerability
Vulnerable Library - normalize-url-3.3.0.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/normalize-url/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- optimize-css-assets-webpack-plugin-5.0.4.tgz
- cssnano-4.1.10.tgz
- cssnano-preset-default-4.0.7.tgz
- postcss-normalize-url-4.0.1.tgz
- ❌ normalize-url-3.3.0.tgz (Vulnerable Library)
- postcss-normalize-url-4.0.1.tgz
- cssnano-preset-default-4.0.7.tgz
- cssnano-4.1.10.tgz
- optimize-css-assets-webpack-plugin-5.0.4.tgz
Found in base branch: master
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1
Step up your Open Source Security Game with Mend here
CVE-2021-27292 (High) detected in ua-parser-js-0.7.22.tgz
CVE-2021-27292 - High Severity Vulnerability
Vulnerable Library - ua-parser-js-0.7.22.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.22.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ua-parser-js/package.json
Dependency Hierarchy:
- laravel-mix-jigsaw-1.3.0.tgz (Root Library)
- browser-sync-2.26.12.tgz
- ❌ ua-parser-js-0.7.22.tgz (Vulnerable Library)
- browser-sync-2.26.12.tgz
Found in base branch: master
Vulnerability Details
ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.
Publish Date: 2021-03-17
URL: CVE-2021-27292
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-03-17
Fix Resolution (ua-parser-js): 0.7.24
Direct dependency fix Resolution (laravel-mix-jigsaw): 1.4.0
Step up your Open Source Security Game with Mend here
CVE-2020-7793 (High) detected in ua-parser-js-0.7.22.tgz
CVE-2020-7793 - High Severity Vulnerability
Vulnerable Library - ua-parser-js-0.7.22.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.22.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ua-parser-js/package.json
Dependency Hierarchy:
- laravel-mix-jigsaw-1.3.0.tgz (Root Library)
- browser-sync-2.26.12.tgz
- ❌ ua-parser-js-0.7.22.tgz (Vulnerable Library)
- browser-sync-2.26.12.tgz
Found in base branch: master
Vulnerability Details
The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).
Publish Date: 2020-12-11
URL: CVE-2020-7793
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-12-11
Fix Resolution (ua-parser-js): 0.7.23
Direct dependency fix Resolution (laravel-mix-jigsaw): 1.4.0
Step up your Open Source Security Game with Mend here
CVE-2021-35065 (High) detected in glob-parent-3.1.0.tgz, glob-parent-5.1.1.tgz - autoclosed
CVE-2021-35065 - High Severity Vulnerability
Vulnerable Libraries - glob-parent-3.1.0.tgz, glob-parent-5.1.1.tgz
glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- chokidar-2.1.8.tgz
- ❌ glob-parent-3.1.0.tgz (Vulnerable Library)
- chokidar-2.1.8.tgz
glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/browser-sync/node_modules/glob-parent/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- webpack-4.44.2.tgz
- watchpack-1.7.4.tgz
- chokidar-3.4.2.tgz
- ❌ glob-parent-5.1.1.tgz (Vulnerable Library)
- chokidar-3.4.2.tgz
- watchpack-1.7.4.tgz
- webpack-4.44.2.tgz
Found in base branch: master
Vulnerability Details
The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)
Publish Date: 2021-06-22
URL: CVE-2021-35065
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution: glob-parent - 6.0.1
Step up your Open Source Security Game with Mend here
CVE-2020-28502 (High) detected in xmlhttprequest-ssl-1.5.5.tgz
CVE-2020-28502 - High Severity Vulnerability
Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
- laravel-mix-jigsaw-1.3.0.tgz (Root Library)
- browser-sync-2.26.12.tgz
- browser-sync-ui-2.26.12.tgz
- socket.io-client-2.3.0.tgz
- engine.io-client-3.4.3.tgz
- ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)
- engine.io-client-3.4.3.tgz
- socket.io-client-2.3.0.tgz
- browser-sync-ui-2.26.12.tgz
- browser-sync-2.26.12.tgz
Found in base branch: master
Vulnerability Details
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Publish Date: 2021-03-05
URL: CVE-2020-28502
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-h4j5-c7cj-74xg
Release Date: 2021-03-05
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (laravel-mix-jigsaw): 1.4.0
Step up your Open Source Security Game with Mend here
CVE-2020-7789 (Medium) detected in node-notifier-5.4.3.tgz
CVE-2020-7789 - Medium Severity Vulnerability
Vulnerable Library - node-notifier-5.4.3.tgz
A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)
Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-5.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-notifier/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- webpack-notifier-1.8.0.tgz
- ❌ node-notifier-5.4.3.tgz (Vulnerable Library)
- webpack-notifier-1.8.0.tgz
Found in base branch: master
Vulnerability Details
This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.
Publish Date: 2020-12-11
URL: CVE-2020-7789
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7789
Release Date: 2020-12-11
Fix Resolution (node-notifier): 5.4.4
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-37620 (High) detected in html-minifier-3.5.21.tgz
CVE-2022-37620 - High Severity Vulnerability
Vulnerable Library - html-minifier-3.5.21.tgz
Highly configurable, well-tested, JavaScript-based HTML minifier.
Library home page: https://registry.npmjs.org/html-minifier/-/html-minifier-3.5.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/html-minifier/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- html-loader-0.5.5.tgz
- ❌ html-minifier-3.5.21.tgz (Vulnerable Library)
- html-loader-0.5.5.tgz
Found in base branch: master
Vulnerability Details
A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.
Publish Date: 2022-10-31
URL: CVE-2022-37620
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Step up your Open Source Security Game with Mend here
CVE-2022-0639 (Medium) detected in url-parse-1.4.7.tgz
CVE-2022-0639 - Medium Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- webpack-dev-server-3.11.0.tgz
- sockjs-client-1.4.0.tgz
- ❌ url-parse-1.4.7.tgz (Vulnerable Library)
- sockjs-client-1.4.0.tgz
- webpack-dev-server-3.11.0.tgz
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
Publish Date: 2022-02-17
URL: CVE-2022-0639
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639
Release Date: 2022-02-17
Fix Resolution (url-parse): 1.5.7
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
WS-2022-0008 (Medium) detected in node-forge-0.10.0.tgz
WS-2022-0008 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- webpack-dev-server-3.11.0.tgz
- selfsigned-1.10.8.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
- selfsigned-1.10.8.tgz
- webpack-dev-server-3.11.0.tgz
Found in base branch: master
Vulnerability Details
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
CVSS 3 Score Details (6.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (laravel-mix): 6.0.40
Step up your Open Source Security Game with Mend here
CVE-2021-31597 (High) detected in xmlhttprequest-ssl-1.5.5.tgz
CVE-2021-31597 - High Severity Vulnerability
Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
- laravel-mix-jigsaw-1.3.0.tgz (Root Library)
- browser-sync-2.26.12.tgz
- browser-sync-ui-2.26.12.tgz
- socket.io-client-2.3.0.tgz
- engine.io-client-3.4.3.tgz
- ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)
- engine.io-client-3.4.3.tgz
- socket.io-client-2.3.0.tgz
- browser-sync-ui-2.26.12.tgz
- browser-sync-2.26.12.tgz
Found in base branch: master
Vulnerability Details
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Publish Date: 2021-04-23
URL: CVE-2021-31597
CVSS 3 Score Details (9.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597
Release Date: 2021-04-23
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (laravel-mix-jigsaw): 1.4.0
Step up your Open Source Security Game with Mend here
WS-2020-0443 (High) detected in socket.io-2.1.1.tgz
WS-2020-0443 - High Severity Vulnerability
Vulnerable Library - socket.io-2.1.1.tgz
node.js realtime framework server
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socket.io/package.json
Dependency Hierarchy:
- laravel-mix-jigsaw-1.3.0.tgz (Root Library)
- browser-sync-2.26.12.tgz
- ❌ socket.io-2.1.1.tgz (Vulnerable Library)
- browser-sync-2.26.12.tgz
Found in base branch: master
Vulnerability Details
In socket.io in versions 1.0.0 to 2.3.0 is vulnerable to Cross-Site Websocket Hijacking, it allows an attacker to bypass origin protection using special symbols include "`" and "$".
Publish Date: 2020-02-20
URL: WS-2020-0443
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/931197
Release Date: 2020-02-20
Fix Resolution (socket.io): 2.4.0
Direct dependency fix Resolution (laravel-mix-jigsaw): 1.4.0
Step up your Open Source Security Game with Mend here
CVE-2021-23364 (Medium) detected in browserslist-4.14.5.tgz
CVE-2021-23364 - Medium Severity Vulnerability
Vulnerable Library - browserslist-4.14.5.tgz
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.14.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/browserslist/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- preset-env-7.11.5.tgz
- ❌ browserslist-4.14.5.tgz (Vulnerable Library)
- preset-env-7.11.5.tgz
Found in base branch: master
Vulnerability Details
The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution (browserslist): 4.16.5
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2020-28168 (Medium) detected in axios-0.19.0.tgz
CVE-2020-28168 - Medium Severity Vulnerability
Vulnerable Library - axios-0.19.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
- laravel-mix-jigsaw-1.3.0.tgz (Root Library)
- browser-sync-2.26.12.tgz
- localtunnel-2.0.0.tgz
- ❌ axios-0.19.0.tgz (Vulnerable Library)
- localtunnel-2.0.0.tgz
- browser-sync-2.26.12.tgz
Found in base branch: master
Vulnerability Details
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Publish Date: 2020-11-06
URL: CVE-2020-28168
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-11-06
Fix Resolution (axios): 0.21.1
Direct dependency fix Resolution (laravel-mix-jigsaw): 1.4.0
Step up your Open Source Security Game with Mend here
WS-2020-0208 (Medium) detected in highlight.js-10.2.0.tgz
WS-2020-0208 - Medium Severity Vulnerability
Vulnerable Library - highlight.js-10.2.0.tgz
Syntax highlighting with language autodetection.
Library home page: https://registry.npmjs.org/highlight.js/-/highlight.js-10.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/highlight.js/package.json
Dependency Hierarchy:
- ❌ highlight.js-10.2.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
If are you are using Highlight.js to highlight user-provided data you are possibly vulnerable. On the client-side (in a browser or Electron environment) risks could include lengthy freezes or crashes... On the server-side infinite freezes could occur... effectively preventing users from accessing your app or service (ie, Denial of Service). This is an issue with grammars shipped with the parser (and potentially 3rd party grammars also), not the parser itself. If you are using Highlight.js with any of the following grammars you are vulnerable. If you are using highlightAuto to detect the language (and have any of these grammars registered) you are vulnerable.
Publish Date: 2020-12-04
URL: WS-2020-0208
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Step up your Open Source Security Game with Mend here
CVE-2020-36049 (High) detected in socket.io-parser-3.2.0.tgz, socket.io-parser-3.3.0.tgz
CVE-2020-36049 - High Severity Vulnerability
Vulnerable Libraries - socket.io-parser-3.2.0.tgz, socket.io-parser-3.3.0.tgz
socket.io-parser-3.2.0.tgz
socket.io protocol parser
Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socket.io/node_modules/socket.io-parser/package.json
Dependency Hierarchy:
- laravel-mix-jigsaw-1.3.0.tgz (Root Library)
- browser-sync-2.26.12.tgz
- socket.io-2.1.1.tgz
- ❌ socket.io-parser-3.2.0.tgz (Vulnerable Library)
- socket.io-2.1.1.tgz
- browser-sync-2.26.12.tgz
socket.io-parser-3.3.0.tgz
socket.io protocol parser
Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socket.io-parser/package.json
Dependency Hierarchy:
- laravel-mix-jigsaw-1.3.0.tgz (Root Library)
- browser-sync-2.26.12.tgz
- browser-sync-ui-2.26.12.tgz
- socket.io-client-2.3.0.tgz
- ❌ socket.io-parser-3.3.0.tgz (Vulnerable Library)
- socket.io-client-2.3.0.tgz
- browser-sync-ui-2.26.12.tgz
- browser-sync-2.26.12.tgz
Found in base branch: master
Vulnerability Details
socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.
Publish Date: 2021-01-08
URL: CVE-2020-36049
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xfhh-g9f5-x4m4
Release Date: 2021-01-08
Fix Resolution (socket.io-parser): 3.3.2
Direct dependency fix Resolution (laravel-mix-jigsaw): 1.4.0
Fix Resolution (socket.io-parser): 3.3.2
Direct dependency fix Resolution (laravel-mix-jigsaw): 1.4.0
Step up your Open Source Security Game with Mend here
CVE-2022-37599 (Medium) detected in loader-utils-1.4.0.tgz - autoclosed
CVE-2022-37599 - Medium Severity Vulnerability
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
- sass-loader-7.3.1.tgz (Root Library)
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: 2022-10-11
URL: CVE-2022-37599
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Step up your Open Source Security Game with Mend here
CVE-2022-24999 (High) detected in qs-6.2.3.tgz
CVE-2022-24999 - High Severity Vulnerability
Vulnerable Library - qs-6.2.3.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/browser-sync/node_modules/qs/package.json
Dependency Hierarchy:
- laravel-mix-jigsaw-1.3.0.tgz (Root Library)
- browser-sync-2.26.12.tgz
- ❌ qs-6.2.3.tgz (Vulnerable Library)
- browser-sync-2.26.12.tgz
Found in base branch: master
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.2.4
Direct dependency fix Resolution (laravel-mix-jigsaw): 1.4.0
Step up your Open Source Security Game with Mend here
CVE-2021-27515 (Medium) detected in url-parse-1.4.7.tgz
CVE-2021-27515 - Medium Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- webpack-dev-server-3.11.0.tgz
- sockjs-client-1.4.0.tgz
- ❌ url-parse-1.4.7.tgz (Vulnerable Library)
- sockjs-client-1.4.0.tgz
- webpack-dev-server-3.11.0.tgz
Found in base branch: master
Vulnerability Details
url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.
Publish Date: 2021-02-22
URL: CVE-2021-27515
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27515
Release Date: 2021-02-22
Fix Resolution (url-parse): 1.5.0
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2021-43138 (High) detected in async-2.6.3.tgz
CVE-2021-43138 - High Severity Vulnerability
Vulnerable Library - async-2.6.3.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/async/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- extract-text-webpack-plugin-4.0.0-beta.0.tgz
- ❌ async-2.6.3.tgz (Vulnerable Library)
- extract-text-webpack-plugin-4.0.0-beta.0.tgz
Found in base branch: master
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (laravel-mix): 5.0.8
Step up your Open Source Security Game with Mend here
CVE-2022-37598 (High) detected in uglify-js-3.4.10.tgz
CVE-2022-37598 - High Severity Vulnerability
Vulnerable Library - uglify-js-3.4.10.tgz
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.4.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/uglify-js/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- html-loader-0.5.5.tgz
- html-minifier-3.5.21.tgz
- ❌ uglify-js-3.4.10.tgz (Vulnerable Library)
- html-minifier-3.5.21.tgz
- html-loader-0.5.5.tgz
Found in base branch: master
Vulnerability Details
** DISPUTED ** Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
Publish Date: 2022-10-20
URL: CVE-2022-37598
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-20
Fix Resolution (uglify-js): 3.13.10
Direct dependency fix Resolution (laravel-mix): 5.0.8
Step up your Open Source Security Game with Mend here
CVE-2020-28469 (High) detected in glob-parent-3.1.0.tgz, glob-parent-5.1.1.tgz
CVE-2020-28469 - High Severity Vulnerability
Vulnerable Libraries - glob-parent-3.1.0.tgz, glob-parent-5.1.1.tgz
glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- chokidar-2.1.8.tgz
- ❌ glob-parent-3.1.0.tgz (Vulnerable Library)
- chokidar-2.1.8.tgz
glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/browser-sync/node_modules/glob-parent/package.json
Dependency Hierarchy:
- laravel-mix-jigsaw-1.3.0.tgz (Root Library)
- browser-sync-2.26.12.tgz
- chokidar-3.4.2.tgz
- ❌ glob-parent-5.1.1.tgz (Vulnerable Library)
- chokidar-3.4.2.tgz
- browser-sync-2.26.12.tgz
Found in base branch: master
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (laravel-mix): 6.0.0
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (laravel-mix-jigsaw): 1.4.0
Step up your Open Source Security Game with Mend here
CVE-2022-0691 (Critical) detected in url-parse-1.4.7.tgz
CVE-2022-0691 - Critical Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- webpack-dev-server-3.11.0.tgz
- sockjs-client-1.4.0.tgz
- ❌ url-parse-1.4.7.tgz (Vulnerable Library)
- sockjs-client-1.4.0.tgz
- webpack-dev-server-3.11.0.tgz
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-38900 (High) detected in decode-uri-component-0.2.0.tgz
CVE-2022-38900 - High Severity Vulnerability
Vulnerable Library - decode-uri-component-0.2.0.tgz
A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/decode-uri-component/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- chokidar-2.1.8.tgz
- braces-2.3.2.tgz
- snapdragon-0.8.2.tgz
- source-map-resolve-0.5.3.tgz
- ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)
- source-map-resolve-0.5.3.tgz
- snapdragon-0.8.2.tgz
- braces-2.3.2.tgz
- chokidar-2.1.8.tgz
Found in base branch: master
Vulnerability Details
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz
CVE-2022-3517 - High Severity Vulnerability
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- glob-7.1.6.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- glob-7.1.6.tgz
Found in base branch: master
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Step up your Open Source Security Game with Mend here
CVE-2021-23434 (High) detected in object-path-0.9.2.tgz
CVE-2021-23434 - High Severity Vulnerability
Vulnerable Library - object-path-0.9.2.tgz
Access deep properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/object-path/package.json
Dependency Hierarchy:
- laravel-mix-jigsaw-1.3.0.tgz (Root Library)
- browser-sync-2.26.12.tgz
- eazy-logger-3.0.2.tgz
- tfunk-3.1.0.tgz
- ❌ object-path-0.9.2.tgz (Vulnerable Library)
- tfunk-3.1.0.tgz
- eazy-logger-3.0.2.tgz
- browser-sync-2.26.12.tgz
Found in base branch: master
Vulnerability Details
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === 'proto' returns false if currentPath is ['proto']. This is because the === operator returns always false when the type of the operands is different.
Publish Date: 2021-08-27
URL: CVE-2021-23434
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23434
Release Date: 2021-08-27
Fix Resolution (object-path): 0.11.6
Direct dependency fix Resolution (laravel-mix-jigsaw): 1.4.0
Step up your Open Source Security Game with Mend here
CVE-2022-37603 (High) detected in loader-utils-1.4.0.tgz
CVE-2022-37603 - High Severity Vulnerability
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
- sass-loader-7.3.1.tgz (Root Library)
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: 2022-10-14
URL: CVE-2022-37603
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: 2022-10-14
Fix Resolution (loader-utils): 2.0.4
Direct dependency fix Resolution (sass-loader): 8.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-24771 (High) detected in node-forge-0.10.0.tgz
CVE-2022-24771 - High Severity Vulnerability
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- laravel-mix-4.1.4.tgz (Root Library)
- webpack-dev-server-3.11.0.tgz
- selfsigned-1.10.8.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
- selfsigned-1.10.8.tgz
- webpack-dev-server-3.11.0.tgz
Found in base branch: master
Vulnerability Details
Forge (also called node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge
version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (laravel-mix): 6.0.40
Step up your Open Source Security Game with Mend here
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.