Vulnerable Library - graphql-tools-7.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/knex/node_modules/lodash/package.json,/node_modules/@graphql-tools/resolvers-composition/node_modules/lodash/package.json,/node_modules/connect-session-knex/node_modules/lodash/package.json
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Vulnerabilities
CVE |
Severity |
CVSS |
Dependency |
Type |
Fixed in (graphql-tools version) |
Remediation Possible** |
CVE-2021-44906 |
Critical |
9.8 |
minimist-1.2.5.tgz |
Transitive |
7.0.1 |
✅ |
CVE-2023-45133 |
Critical |
9.3 |
detected in multiple dependencies |
Transitive |
8.0.0 |
✅ |
CVE-2022-3517 |
High |
7.5 |
minimatch-3.0.4.tgz |
Transitive |
N/A* |
❌ |
CVE-2021-27292 |
High |
7.5 |
ua-parser-js-0.7.21.tgz |
Transitive |
7.0.1 |
✅ |
CVE-2020-7793 |
High |
7.5 |
ua-parser-js-0.7.21.tgz |
Transitive |
7.0.1 |
✅ |
CVE-2020-7733 |
High |
7.5 |
ua-parser-js-0.7.21.tgz |
Transitive |
7.0.1 |
✅ |
CVE-2020-8203 |
High |
7.4 |
lodash-4.17.15.tgz |
Transitive |
7.0.1 |
✅ |
CVE-2020-7774 |
High |
7.3 |
y18n-4.0.0.tgz |
Transitive |
7.0.1 |
✅ |
CVE-2021-23337 |
High |
7.2 |
detected in multiple dependencies |
Transitive |
7.0.1 |
✅ |
CVE-2022-46175 |
High |
7.1 |
json5-2.1.2.tgz |
Transitive |
7.0.1 |
✅ |
CVE-2021-23326 |
Medium |
6.3 |
git-loader-6.2.5.tgz |
Transitive |
7.0.1 |
✅ |
CVE-2022-0235 |
Medium |
6.1 |
node-fetch-2.6.1.tgz |
Transitive |
8.0.0 |
✅ |
CVE-2024-4067 |
Medium |
5.3 |
micromatch-4.0.2.tgz |
Transitive |
N/A* |
❌ |
CVE-2022-25883 |
Medium |
5.3 |
semver-5.7.1.tgz |
Transitive |
7.0.1 |
✅ |
CVE-2022-25858 |
Medium |
5.3 |
terser-5.3.4.tgz |
Transitive |
7.0.1 |
✅ |
CVE-2021-23343 |
Medium |
5.3 |
path-parse-1.0.6.tgz |
Transitive |
7.0.1 |
✅ |
CVE-2020-28500 |
Medium |
5.3 |
detected in multiple dependencies |
Transitive |
7.0.1 |
✅ |
CVE-2020-28469 |
Medium |
5.3 |
glob-parent-5.1.1.tgz |
Transitive |
7.0.1 |
✅ |
CVE-2024-6783 |
Medium |
4.8 |
vue-template-compiler-2.6.12.tgz |
Transitive |
N/A* |
❌ |
CVE-2017-16137 |
Low |
3.7 |
debug-4.1.1.tgz |
Transitive |
7.0.1 |
✅ |
CVE-2024-27088 |
Low |
0.0 |
es5-ext-0.10.51.tgz |
Transitive |
7.0.1 |
✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-44906
Vulnerable Library - minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/multer/node_modules/minimist/package.json,/node_modules/json5/node_modules/minimist/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- relay-operation-optimizer-6.2.5.tgz
- relay-compiler-10.0.1.tgz
- core-7.10.4.tgz
- json5-2.1.2.tgz
- ❌ minimist-1.2.5.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (graphql-tools): 7.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-45133
Vulnerable Libraries - traverse-7.10.4.tgz, traverse-7.11.5.tgz
traverse-7.10.4.tgz
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.10.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/traverse/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- relay-operation-optimizer-6.2.5.tgz
- relay-compiler-10.0.1.tgz
- ❌ traverse-7.10.4.tgz (Vulnerable Library)
traverse-7.11.5.tgz
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.11.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@graphql-tools/graphql-tag-pluck/node_modules/@babel/traverse/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- graphql-tag-pluck-6.2.6.tgz
- ❌ traverse-7.11.5.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
Babel is a compiler for writingJavaScript. In @babel/traverse
prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse
, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()
or path.evaluateTruthy()
internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime
; @babel/preset-env
when using its useBuiltIns
option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider
, such as babel-plugin-polyfill-corejs3
, babel-plugin-polyfill-corejs2
, babel-plugin-polyfill-es-shims
, babel-plugin-polyfill-regenerator
. No other plugins under the @babel/
namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected]
and @babel/[email protected]
. Those who cannot upgrade @babel/traverse
and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse
versions: @babel/plugin-transform-runtime
v7.23.2, @babel/preset-env
v7.23.2, @babel/helper-define-polyfill-provider
v0.4.3, babel-plugin-polyfill-corejs2
v0.4.6, babel-plugin-polyfill-corejs3
v0.8.5, babel-plugin-polyfill-es-shims
v0.10.0, babel-plugin-polyfill-regenerator
v0.5.3.
Publish Date: 2023-10-12
URL: CVE-2023-45133
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: 2023-10-12
Fix Resolution (@babel/traverse): 7.23.2
Direct dependency fix Resolution (graphql-tools): 8.0.0
Fix Resolution (@babel/traverse): 7.23.2
Direct dependency fix Resolution (graphql-tools): 8.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- relay-operation-optimizer-6.2.5.tgz
- relay-compiler-10.0.1.tgz
- glob-7.1.4.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
CVE-2021-27292
Vulnerable Library - ua-parser-js-0.7.21.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ua-parser-js/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- relay-operation-optimizer-6.2.5.tgz
- relay-compiler-10.0.1.tgz
- fbjs-1.0.0.tgz
- ❌ ua-parser-js-0.7.21.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.
Publish Date: 2021-03-17
URL: CVE-2021-27292
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27292
Release Date: 2021-03-17
Fix Resolution (ua-parser-js): 0.7.24
Direct dependency fix Resolution (graphql-tools): 7.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-7793
Vulnerable Library - ua-parser-js-0.7.21.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ua-parser-js/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- relay-operation-optimizer-6.2.5.tgz
- relay-compiler-10.0.1.tgz
- fbjs-1.0.0.tgz
- ❌ ua-parser-js-0.7.21.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).
Publish Date: 2020-12-11
URL: CVE-2020-7793
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2020-12-11
Fix Resolution (ua-parser-js): 0.7.23
Direct dependency fix Resolution (graphql-tools): 7.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-7733
Vulnerable Library - ua-parser-js-0.7.21.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ua-parser-js/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- relay-operation-optimizer-6.2.5.tgz
- relay-compiler-10.0.1.tgz
- fbjs-1.0.0.tgz
- ❌ ua-parser-js-0.7.21.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.
Publish Date: 2020-09-16
URL: CVE-2020-7733
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2020-09-16
Fix Resolution (ua-parser-js): 0.7.22
Direct dependency fix Resolution (graphql-tools): 7.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-8203
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/types/node_modules/lodash/package.json,/node_modules/@babel/helper-module-transforms/node_modules/lodash/package.json,/node_modules/@babel/helper-define-map/node_modules/lodash/package.json,/node_modules/@babel/generator/node_modules/lodash/package.json,/node_modules/ip-address/node_modules/lodash/package.json,/node_modules/relay-compiler/node_modules/lodash/package.json,/node_modules/passport-azure-ad/node_modules/lodash/package.json,/node_modules/@babel/plugin-transform-block-scoping/node_modules/lodash/package.json,/node_modules/@babel/traverse/node_modules/lodash/package.json,/node_modules/request-promise-native/node_modules/lodash/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- relay-operation-optimizer-6.2.5.tgz
- relay-compiler-10.0.1.tgz
- types-7.6.1.tgz
- ❌ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.19
Direct dependency fix Resolution (graphql-tools): 7.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-7774
Vulnerable Library - y18n-4.0.0.tgz
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/y18n/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- relay-operation-optimizer-6.2.5.tgz
- relay-compiler-10.0.1.tgz
- yargs-15.3.1.tgz
- ❌ y18n-4.0.0.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 4.0.1
Direct dependency fix Resolution (graphql-tools): 7.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-23337
Vulnerable Libraries - lodash-4.17.15.tgz, lodash-4.17.20.tgz
lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/types/node_modules/lodash/package.json,/node_modules/@babel/helper-module-transforms/node_modules/lodash/package.json,/node_modules/@babel/helper-define-map/node_modules/lodash/package.json,/node_modules/@babel/generator/node_modules/lodash/package.json,/node_modules/ip-address/node_modules/lodash/package.json,/node_modules/relay-compiler/node_modules/lodash/package.json,/node_modules/passport-azure-ad/node_modules/lodash/package.json,/node_modules/@babel/plugin-transform-block-scoping/node_modules/lodash/package.json,/node_modules/@babel/traverse/node_modules/lodash/package.json,/node_modules/request-promise-native/node_modules/lodash/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- relay-operation-optimizer-6.2.5.tgz
- relay-compiler-10.0.1.tgz
- types-7.6.1.tgz
- ❌ lodash-4.17.15.tgz (Vulnerable Library)
lodash-4.17.20.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/knex/node_modules/lodash/package.json,/node_modules/@graphql-tools/resolvers-composition/node_modules/lodash/package.json,/node_modules/connect-session-knex/node_modules/lodash/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- resolvers-composition-6.2.5.tgz
- ❌ lodash-4.17.20.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (graphql-tools): 7.0.1
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (graphql-tools): 7.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-46175
Vulnerable Library - json5-2.1.2.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json5/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- relay-operation-optimizer-6.2.5.tgz
- relay-compiler-10.0.1.tgz
- core-7.10.4.tgz
- ❌ json5-2.1.2.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse
method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__
, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse
and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse
. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse
should restrict parsing of __proto__
keys when parsing JSON strings to objects. As a point of reference, the JSON.parse
method included in JavaScript ignores __proto__
keys. Simply changing JSON5.parse
to JSON.parse
in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (graphql-tools): 7.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-23326
Vulnerable Library - git-loader-6.2.5.tgz
A set of utils for faster development of GraphQL tools
Library home page: https://registry.npmjs.org/@graphql-tools/git-loader/-/git-loader-6.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@graphql-tools/git-loader/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- ❌ git-loader-6.2.5.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection.
Publish Date: 2021-01-20
URL: CVE-2021-23326
CVSS 3 Score Details (6.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2021-01-20
Fix Resolution (@graphql-tools/git-loader): 6.2.6
Direct dependency fix Resolution (graphql-tools): 7.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-0235
Vulnerable Library - node-fetch-2.6.1.tgz
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/cross-fetch/node_modules/node-fetch/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- links-6.2.5.tgz
- cross-fetch-3.0.6.tgz
- ❌ node-fetch-2.6.1.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution (node-fetch): 2.6.7
Direct dependency fix Resolution (graphql-tools): 8.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-4067
Vulnerable Library - micromatch-4.0.2.tgz
Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/micromatch/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- load-files-6.2.4.tgz
- globby-11.0.1.tgz
- fast-glob-3.2.2.tgz
- ❌ micromatch-4.0.2.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
The NPM package micromatch
prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces()
in index.js
because the pattern .*
will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 should not reflect the security risk score in NVD, but will be kept for users' awareness.
Publish Date: 2024-05-13
URL: CVE-2024-4067
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2024-05-13
Fix Resolution: micromatch - 4.0.8
CVE-2022-25883
Vulnerable Library - semver-5.7.1.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/require_optional/node_modules/semver/package.json,/node_modules/@babel/core/node_modules/semver/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- relay-operation-optimizer-6.2.5.tgz
- relay-compiler-10.0.1.tgz
- core-7.10.4.tgz
- ❌ semver-5.7.1.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution (semver): 5.7.2
Direct dependency fix Resolution (graphql-tools): 7.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-25858
Vulnerable Library - terser-5.3.4.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-5.3.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@apollo/client/node_modules/terser/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- links-6.2.5.tgz
- apollo-upload-client-14.1.2.tgz
- client-3.2.2.tgz
- ❌ terser-5.3.4.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution (terser): 5.14.2
Direct dependency fix Resolution (graphql-tools): 7.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-23343
Vulnerable Library - path-parse-1.0.6.tgz
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/path-parse/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- relay-operation-optimizer-6.2.5.tgz
- relay-compiler-10.0.1.tgz
- core-7.10.4.tgz
- resolve-1.12.0.tgz
- ❌ path-parse-1.0.6.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (graphql-tools): 7.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-28500
Vulnerable Libraries - lodash-4.17.15.tgz, lodash-4.17.20.tgz
lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/types/node_modules/lodash/package.json,/node_modules/@babel/helper-module-transforms/node_modules/lodash/package.json,/node_modules/@babel/helper-define-map/node_modules/lodash/package.json,/node_modules/@babel/generator/node_modules/lodash/package.json,/node_modules/ip-address/node_modules/lodash/package.json,/node_modules/relay-compiler/node_modules/lodash/package.json,/node_modules/passport-azure-ad/node_modules/lodash/package.json,/node_modules/@babel/plugin-transform-block-scoping/node_modules/lodash/package.json,/node_modules/@babel/traverse/node_modules/lodash/package.json,/node_modules/request-promise-native/node_modules/lodash/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- relay-operation-optimizer-6.2.5.tgz
- relay-compiler-10.0.1.tgz
- types-7.6.1.tgz
- ❌ lodash-4.17.15.tgz (Vulnerable Library)
lodash-4.17.20.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/knex/node_modules/lodash/package.json,/node_modules/@graphql-tools/resolvers-composition/node_modules/lodash/package.json,/node_modules/connect-session-knex/node_modules/lodash/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- resolvers-composition-6.2.5.tgz
- ❌ lodash-4.17.20.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (graphql-tools): 7.0.1
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (graphql-tools): 7.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-28469
Vulnerable Library - glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- load-files-6.2.4.tgz
- globby-11.0.1.tgz
- fast-glob-3.2.2.tgz
- ❌ glob-parent-5.1.1.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (graphql-tools): 7.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-6783
Vulnerable Library - vue-template-compiler-2.6.12.tgz
template compiler for Vue 2.0
Library home page: https://registry.npmjs.org/vue-template-compiler/-/vue-template-compiler-2.6.12.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@graphql-tools/graphql-tag-pluck/node_modules/vue-template-compiler/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- graphql-tag-pluck-6.2.6.tgz
- ❌ vue-template-compiler-2.6.12.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
A vulnerability has been discovered in Vue, that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as Object.prototype.staticClass
or Object.prototype.staticStyle
to execute arbitrary JavaScript code.
Publish Date: 2024-07-23
URL: CVE-2024-6783
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
CVE-2017-16137
Vulnerable Library - debug-4.1.1.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-4.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/debug/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- relay-operation-optimizer-6.2.5.tgz
- relay-compiler-10.0.1.tgz
- traverse-7.10.4.tgz
- ❌ debug-4.1.1.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-04-26
URL: CVE-2017-16137
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-gxpj-cx7g-858c
Release Date: 2018-04-26
Fix Resolution (debug): 4.3.1
Direct dependency fix Resolution (graphql-tools): 7.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-27088
Vulnerable Library - es5-ext-0.10.51.tgz
ECMAScript extensions and shims
Library home page: https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.51.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/es5-ext/package.json
Dependency Hierarchy:
- graphql-tools-7.0.0.tgz (Root Library)
- url-loader-6.3.1.tgz
- websocket-1.0.32.tgz
- ❌ es5-ext-0.10.51.tgz (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
Vulnerability Details
es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into function#copy
or function#toStringTokens
may cause the script to stall. The vulnerability is patched in v0.10.63.
Publish Date: 2024-02-26
URL: CVE-2024-27088
CVSS 3 Score Details (0.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-27088
Release Date: 2024-02-26
Fix Resolution (es5-ext): 0.10.63
Direct dependency fix Resolution (graphql-tools): 7.0.1
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.