docs's People

Contributors

actions-user, dependabot[bot], hextar, ivan-w, joe-dz, leogr, peet86, rafaelveggi, vchain-ci, vchain-us-mgmt, vchaindz

Forkers

ivan-w

docs's Issues

[Security] Fix issues with vuepress 1.1.0 by upgrade

Issues:

Regular Expression Denial of Service (ReDoS)

Vulnerable module: acorn
Introduced through: [email protected]
Exploit maturity: No known exploit
Fixed in: 5.7.4, 6.4.1, 7.1.1
Detailed paths

Introduced through: [email protected][email protected] › @vuepress/[email protected][email protected][email protected]
Remediation: Your dependencies are out of date, otherwise you would be using a newer acorn than [email protected]. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Overview

acorn is a tiny, fast JavaScript parser written in JavaScript.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via a regex of the form /[x-\ud800]/u, which causes the parser to enter an infinite loop.

This string is not valid UTF-16 and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to acorn will allow attackers to leverage the vulnerability, leading to a Denial of Service.


Cross-site Scripting (XSS)

Vulnerable module: serialize-javascript
Introduced through: [email protected]
Exploit maturity: No known exploit
Fixed in: 2.1.1
Detailed paths

Introduced through: [email protected][email protected] › @vuepress/[email protected][email protected][email protected]
Remediation: Your dependencies are out of date, otherwise you would be using a newer serialize-javascript than [email protected]. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Introduced through: [email protected][email protected] › @vuepress/[email protected][email protected][email protected]
Remediation: Your dependencies are out of date, otherwise you would be using a newer serialize-javascript than [email protected]. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Introduced through: [email protected][email protected] › @vuepress/[email protected][email protected][email protected][email protected]
Remediation: Your dependencies are out of date, otherwise you would be using a newer serialize-javascript than [email protected]. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Overview

serialize-javascript is a package to serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly sanitize against unsafe characters in serialized regular expressions. This vulnerability does not affect Node.js environments, since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions.


Prototype Pollution

Vulnerable module: dot-prop
Introduced through: [email protected]
Exploit maturity: Proof of concept
Fixed in: 5.1.1
Detailed paths

Introduced through: [email protected][email protected] › @vuepress/[email protected][email protected][email protected][email protected][email protected][email protected][email protected]
Remediation: Your dependencies are out of date, otherwise you would be using a newer dot-prop than [email protected]. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Introduced through: [email protected][email protected] › @vuepress/[email protected][email protected][email protected][email protected][email protected][email protected][email protected]
Remediation: Your dependencies are out of date, otherwise you would be using a newer dot-prop than [email protected]. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Introduced through: [email protected][email protected] › @vuepress/[email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected]
Remediation: Your dependencies are out of date, otherwise you would be using a newer dot-prop than [email protected]. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Overview

dot-prop is a package to get, set, or delete a property from a nested object using a dot path.

Affected versions of this package are vulnerable to Prototype Pollution. It is possible for a user to modify the prototype of a base object.


Timing Attack

Vulnerable module: elliptic
Introduced through: [email protected]
Exploit maturity: No known exploit
Fixed in: 6.5.2
Detailed paths

Introduced through: [email protected][email protected] › @vuepress/[email protected][email protected][email protected][email protected][email protected][email protected]
Remediation: Your dependencies are out of date, otherwise you would be using a newer elliptic than [email protected]. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Introduced through: [email protected][email protected] › @vuepress/[email protected][email protected][email protected][email protected][email protected][email protected]
Remediation: Your dependencies are out of date, otherwise you would be using a newer elliptic than [email protected]. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Overview

elliptic is a fast elliptic-curve cryptography implementation in plain JavaScript.

Affected versions of this package are vulnerable to Timing Attack. Practical recovery of the long-term private key generated by the library is possible under certain conditions. Leakage of bit-length of a scalar during scalar multiplication is possible on an elliptic curve which might allow practical recovery of the long-term private key.


Prototype Pollution

Vulnerable module: minimist
Introduced through: [email protected]
Exploit maturity: Proof of concept
Fixed in: 0.2.1, 1.2.3
Detailed paths

Introduced through: [email protected][email protected] › @vuepress/[email protected][email protected][email protected][email protected]
Remediation: Your dependencies are out of date, otherwise you would be using a newer minimist than [email protected]. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Introduced through: [email protected][email protected] › @vuepress/[email protected][email protected][email protected][email protected]
Remediation: Your dependencies are out of date, otherwise you would be using a newer minimist than [email protected]. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Introduced through: [email protected][email protected] › @vuepress/[email protected][email protected][email protected][email protected]
Remediation: Your dependencies are out of date, otherwise you would be using a newer minimist than [email protected]. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
…and 34 more
Overview

minimist is an argument-options parsing module.

Affected versions of this package are vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload.


Information Exposure

Vulnerable module: kind-of
Introduced through: [email protected]
Exploit maturity: Proof of concept
Fixed in: 6.0.3
Detailed paths

Introduced through: [email protected][email protected] › @vuepress/[email protected][email protected][email protected][email protected]
Remediation: Your dependencies are out of date, otherwise you would be using a newer kind-of than [email protected]. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Introduced through: [email protected][email protected] › @vuepress/[email protected] › @vuepress/[email protected][email protected][email protected]
Remediation: Your dependencies are out of date, otherwise you would be using a newer kind-of than [email protected]. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Introduced through: [email protected][email protected] › @vuepress/[email protected][email protected][email protected][email protected][email protected]
Remediation: Your dependencies are out of date, otherwise you would be using a newer kind-of than [email protected]. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
…and 560 more
Vulnerable Functions

index.ctorName

Overview

kind-of is a package that gets the native type of a value.

Affected versions of this package are vulnerable to Information Exposure. It leverages the built-in constructor of unsafe user input to detect type information. However, a crafted payload can overwrite this built-in attribute to manipulate the type detection result.
