Vulnerable Library - cli-2.11.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jsonwebtoken/package.json
Vulnerabilities
CVE |
Severity |
CVSS |
Dependency |
Type |
Fixed in (cli version) |
Remediation Available |
CVE-2022-35949 |
Critical |
9.8 |
undici-5.5.1.tgz |
Transitive |
N/A* |
❌ |
CVE-2022-23539 |
High |
8.1 |
jsonwebtoken-8.5.1.tgz |
Transitive |
2.11.2 |
✅ |
CVE-2022-23540 |
High |
7.6 |
jsonwebtoken-8.5.1.tgz |
Transitive |
2.11.2 |
✅ |
CVE-2023-24807 |
High |
7.5 |
detected in multiple dependencies |
Transitive |
2.11.2 |
✅ |
CVE-2022-31151 |
Medium |
6.5 |
undici-5.5.1.tgz |
Transitive |
2.11.2 |
✅ |
CVE-2022-31150 |
Medium |
6.5 |
undici-5.5.1.tgz |
Transitive |
2.11.2 |
✅ |
CVE-2022-23541 |
Medium |
6.3 |
jsonwebtoken-8.5.1.tgz |
Transitive |
2.11.2 |
✅ |
CVE-2023-23936 |
Medium |
5.4 |
detected in multiple dependencies |
Transitive |
2.11.2 |
✅ |
CVE-2022-35948 |
Medium |
5.3 |
undici-5.5.1.tgz |
Transitive |
2.11.2 |
✅ |
CVE-2022-25883 |
Medium |
5.3 |
semver-5.7.1.tgz |
Transitive |
2.11.2 |
✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2022-35949
Vulnerable Library - undici-5.5.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- cli-2.11.1.tgz (Root Library)
- fetch-0.0.2.tgz
- ❌ undici-5.5.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
undici is an HTTP/1.1 client, written from scratch for Node.js.undici
is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the path/pathname
option of undici.request
. If a user specifies a URL such as http://127.0.0.1
or //127.0.0.1
js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})
Instead of processing the request as http://example.org//127.0.0.1
(or http://example.org/http://127.0.0.1
when http://127.0.0.1 is used
), it actually processes the request as http://127.0.0.1/
and sends it to http://127.0.0.1
. If a developer passes in user input into path
parameter of undici.request
, it can result in an SSRF as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in [email protected]
. The best workaround is to validate user input before passing it to the undici.request
call.
Publish Date: 2022-08-12
URL: CVE-2022-35949
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35949
Release Date: 2022-08-12
Fix Resolution: undici - 5.8.2
CVE-2022-23539
Vulnerable Library - jsonwebtoken-8.5.1.tgz
JSON Web Token implementation (symmetric and asymmetric)
Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jsonwebtoken/package.json
Dependency Hierarchy:
- cli-2.11.1.tgz (Root Library)
- prisma-loader-7.2.14.tgz
- ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Versions <=8.5.1
of jsonwebtoken
library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the allowInvalidAsymmetricKeyTypes
option to true
in the sign()
and/or verify()
functions.
Publish Date: 2022-12-23
URL: CVE-2022-23539
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-8cf7-32gw-wr33
Release Date: 2022-12-23
Fix Resolution (jsonwebtoken): 9.0.0
Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2
⛑️ Automatic Remediation is available for this issue
CVE-2022-23540
Vulnerable Library - jsonwebtoken-8.5.1.tgz
JSON Web Token implementation (symmetric and asymmetric)
Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jsonwebtoken/package.json
Dependency Hierarchy:
- cli-2.11.1.tgz (Root Library)
- prisma-loader-7.2.14.tgz
- ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
In versions <=8.5.1
of jsonwebtoken
library, lack of algorithm definition in the jwt.verify()
function can lead to signature validation bypass due to defaulting to the none
algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify()
function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify()
method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none
algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify()
options.
Publish Date: 2022-12-22
URL: CVE-2022-23540
CVSS 3 Score Details (7.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-23540
Release Date: 2022-12-22
Fix Resolution (jsonwebtoken): 9.0.0
Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2
⛑️ Automatic Remediation is available for this issue
CVE-2023-24807
Vulnerable Libraries - undici-5.5.1.tgz, undici-5.8.2.tgz
undici-5.5.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- cli-2.11.1.tgz (Root Library)
- fetch-0.0.2.tgz
- ❌ undici-5.5.1.tgz (Vulnerable Library)
undici-5.8.2.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.8.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@graphql-codegen/cli/node_modules/undici/package.json
Dependency Hierarchy:
- cli-2.11.1.tgz (Root Library)
- apollo-engine-loader-7.3.9.tgz
- fetch-0.2.9.tgz
- ❌ undici-5.8.2.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set()
and Headers.append()
methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize()
utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
Publish Date: 2023-02-16
URL: CVE-2023-24807
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-r6ch-mqf9-qc9w
Release Date: 2023-02-16
Fix Resolution (undici): 5.19.1
Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2
Fix Resolution (undici): 5.19.1
Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2
⛑️ Automatic Remediation is available for this issue
CVE-2022-31151
Vulnerable Library - undici-5.5.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- cli-2.11.1.tgz (Root Library)
- fetch-0.0.2.tgz
- ❌ undici-5.5.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. maxRedirections: 0
(the default).
Publish Date: 2022-07-21
URL: CVE-2022-31151
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-q768-x9m6-m9qp
Release Date: 2022-07-21
Fix Resolution (undici): 5.8.0
Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2
⛑️ Automatic Remediation is available for this issue
CVE-2022-31150
Vulnerable Library - undici-5.5.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- cli-2.11.1.tgz (Root Library)
- fetch-0.0.2.tgz
- ❌ undici-5.5.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate \r\n
is a workaround for this issue.
Publish Date: 2022-07-19
URL: CVE-2022-31150
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31150
Release Date: 2022-07-19
Fix Resolution (undici): 5.8.0
Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2
⛑️ Automatic Remediation is available for this issue
CVE-2022-23541
Vulnerable Library - jsonwebtoken-8.5.1.tgz
JSON Web Token implementation (symmetric and asymmetric)
Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jsonwebtoken/package.json
Dependency Hierarchy:
- cli-2.11.1.tgz (Root Library)
- prisma-loader-7.2.14.tgz
- ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1
of jsonwebtoken
library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey
argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.
Publish Date: 2022-12-22
URL: CVE-2022-23541
CVSS 3 Score Details (6.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-hjrf-2m68-5959
Release Date: 2022-12-22
Fix Resolution (jsonwebtoken): 9.0.0
Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2
⛑️ Automatic Remediation is available for this issue
CVE-2023-23936
Vulnerable Libraries - undici-5.5.1.tgz, undici-5.8.2.tgz
undici-5.5.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- cli-2.11.1.tgz (Root Library)
- fetch-0.0.2.tgz
- ❌ undici-5.5.1.tgz (Vulnerable Library)
undici-5.8.2.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.8.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@graphql-codegen/cli/node_modules/undici/package.json
Dependency Hierarchy:
- cli-2.11.1.tgz (Root Library)
- apollo-engine-loader-7.3.9.tgz
- fetch-0.2.9.tgz
- ❌ undici-5.8.2.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect host
HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the headers.host
string before passing to undici.
Publish Date: 2023-02-16
URL: CVE-2023-23936
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5r9g-qh6m-jxff
Release Date: 2023-02-16
Fix Resolution (undici): 5.19.1
Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2
Fix Resolution (undici): 5.19.1
Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2
⛑️ Automatic Remediation is available for this issue
CVE-2022-35948
Vulnerable Library - undici-5.5.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- cli-2.11.1.tgz (Root Library)
- fetch-0.0.2.tgz
- ❌ undici-5.5.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
undici is an HTTP/1.1 client, written from scratch for Node.js.=< [email protected]
users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type
header. Example: import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, })
The above snippet will perform two requests in a single request
API call: 1) http://localhost:3000/
2) http://localhost:3000/foo2
This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.
Publish Date: 2022-08-15
URL: CVE-2022-35948
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35948
Release Date: 2022-08-15
Fix Resolution (undici): 5.8.2
Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2
⛑️ Automatic Remediation is available for this issue
CVE-2022-25883
Vulnerable Library - semver-5.7.1.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jsonwebtoken/node_modules/semver/package.json
Dependency Hierarchy:
- cli-2.11.1.tgz (Root Library)
- prisma-loader-7.2.14.tgz
- jsonwebtoken-8.5.1.tgz
- ❌ semver-5.7.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2023-06-21
Fix Resolution (semver): 7.5.2
Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.