Vulnerable Library - apollo-fetch-0.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/apollo-fetch/node_modules/cross-fetch/package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

CVE-2022-1365

Vulnerable Library - cross-fetch-1.1.1.tgz

Universal WHATWG Fetch API for Node, Browsers and React Native

Library home page: https://registry.npmjs.org/cross-fetch/-/cross-fetch-1.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/apollo-fetch/node_modules/cross-fetch/package.json

Dependency Hierarchy:

• apollo-fetch-0.7.0.tgz (Root Library)
  • ❌ cross-fetch-1.1.1.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5.

Publish Date: 2022-04-15

URL: CVE-2022-1365

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1365

Release Date: 2022-04-15

Fix Resolution: cross-fetch - 3.1.5

Vulnerable Library - cheerio-1.0.0-rc.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/css-select/node_modules/nth-check/package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

CVE-2021-3803

Vulnerable Library - nth-check-2.0.0.tgz

Parses and compiles CSS nth-checks to highly optimized functions.

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/css-select/node_modules/nth-check/package.json

Dependency Hierarchy:

• cheerio-1.0.0-rc.5.tgz (Root Library)
  • cheerio-select-tmp-0.1.1.tgz
    • css-select-3.1.2.tgz
      • ❌ nth-check-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-17

Fix Resolution (nth-check): 2.0.1

Direct dependency fix Resolution (cheerio): 1.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-33587

Vulnerable Library - css-what-4.0.0.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-4.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cheerio-select-tmp/node_modules/css-what/package.json,/node_modules/css-select/node_modules/css-what/package.json

Dependency Hierarchy:

• cheerio-1.0.0-rc.5.tgz (Root Library)
  • cheerio-select-tmp-0.1.1.tgz
    • ❌ css-what-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution (css-what): 5.0.1

Direct dependency fix Resolution (cheerio): 1.0.0

⛑️ Automatic Remediation will be attempted for this issue.

Vulnerable Library - getos-3.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async/package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

CVE-2021-43138

Vulnerable Library - async-3.2.0.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-3.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async/package.json

Dependency Hierarchy:

• getos-3.2.1.tgz (Root Library)
  • ❌ async-3.2.0.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution: async - 2.6.4,3.2.2

Vulnerable Library - diff2html-3.1.14.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/diff2html/node_modules/highlight.js/package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

WS-2020-0208

Vulnerable Library - highlight.js-10.2.1.tgz

Syntax highlighting with language autodetection.

Library home page: https://registry.npmjs.org/highlight.js/-/highlight.js-10.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/diff2html/node_modules/highlight.js/package.json

Dependency Hierarchy:

• diff2html-3.1.14.tgz (Root Library)
  • ❌ highlight.js-10.2.1.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

If are you are using Highlight.js to highlight user-provided data you are possibly vulnerable. On the client-side (in a browser or Electron environment) risks could include lengthy freezes or crashes... On the server-side infinite freezes could occur... effectively preventing users from accessing your app or service (ie, Denial of Service). This is an issue with grammars shipped with the parser (and potentially 3rd party grammars also), not the parser itself. If you are using Highlight.js with any of the following grammars you are vulnerable. If you are using highlightAuto to detect the language (and have any of these grammars registered) you are vulnerable.

Publish Date: 2020-12-04

URL: WS-2020-0208

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-04

Fix Resolution (highlight.js): 10.4.1

Direct dependency fix Resolution (diff2html): 3.1.15

⛑️ Automatic Remediation will be attempted for this issue.

Vulnerable Library - markdown-it-11.0.1.tgz

Markdown-it - modern pluggable markdown parser.

Library home page: https://registry.npmjs.org/markdown-it/-/markdown-it-11.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/markdown-it/package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

CVE-2022-21670

Vulnerable Library - markdown-it-11.0.1.tgz

Markdown-it - modern pluggable markdown parser.

Library home page: https://registry.npmjs.org/markdown-it/-/markdown-it-11.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/markdown-it/package.json

Dependency Hierarchy:

• ❌ markdown-it-11.0.1.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

markdown-it is a Markdown parser. Prior to version 1.3.2, special patterns with length greater than 50 thousand characterss could slow down the parser significantly. Users should upgrade to version 12.3.2 to receive a patch. There are no known workarounds aside from upgrading.

Publish Date: 2022-01-10

URL: CVE-2022-21670

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-6vfc-qv3f-vr6c

Release Date: 2022-01-10

Fix Resolution: 12.3.2

⛑️ Automatic Remediation will be attempted for this issue.

Vulnerable Library - passport-twitch-strategy-2.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/apollo-server-env/node_modules/node-fetch/package.json,/node_modules/passport-twitch-strategy/node_modules/node-fetch/package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

CVE-2022-0235

Vulnerable Library - node-fetch-2.6.6.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/apollo-server-env/node_modules/node-fetch/package.json,/node_modules/passport-twitch-strategy/node_modules/node-fetch/package.json

Dependency Hierarchy:

• passport-twitch-strategy-2.2.0.tgz (Root Library)
  • ❌ node-fetch-2.6.6.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

Vulnerable Library - pg-pubsub-0.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pg-pubsub/node_modules/semver/package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

CVE-2022-25883

Vulnerable Library - semver-4.3.2.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-4.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pg-pubsub/node_modules/semver/package.json

Dependency Hierarchy:

• pg-pubsub-0.5.0.tgz (Root Library)
  • pg-7.18.1.tgz
    • ❌ semver-4.3.2.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution (semver): 5.7.2

Direct dependency fix Resolution (pg-pubsub): 0.6.0

⛑️ Automatic Remediation will be attempted for this issue.

Vulnerable Library - apollo-server-2.25.2.tgz

Production ready GraphQL Server

Library home page: https://registry.npmjs.org/apollo-server/-/apollo-server-2.25.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/apollo-server/package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

WS-2022-0331

Vulnerable Library - apollo-server-2.25.2.tgz

Production ready GraphQL Server

Library home page: https://registry.npmjs.org/apollo-server/-/apollo-server-2.25.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/apollo-server/package.json

Dependency Hierarchy:

• ❌ apollo-server-2.25.2.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

The graphql-upload library included in Apollo Server 2 2.0.0 and before 2.25.4 is vulnerable to CSRF mutations

Publish Date: 2022-10-12

URL: WS-2022-0331

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-2p3c-p3qw-69r4

Release Date: 2022-10-12

Fix Resolution: 2.25.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-15256

Vulnerable Library - object-path-0.11.4.tgz

Access deep object properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/object-path/package.json

Dependency Hierarchy:

• apollo-server-2.25.2.tgz (Root Library)
  • apollo-server-core-2.25.3.tgz
    • graphql-upload-8-fork-8.1.3.tgz
      • ❌ object-path-0.11.4.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.

Publish Date: 2020-10-19

URL: CVE-2020-15256

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cwx2-736x-mf6w

Release Date: 2020-10-19

Fix Resolution (object-path): 0.11.5

Direct dependency fix Resolution (apollo-server): 2.25.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24434

Vulnerable Library - dicer-0.3.0.tgz

A very fast streaming multipart parser for node.js

Library home page: https://registry.npmjs.org/dicer/-/dicer-0.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@apollographql/graphql-upload-8-fork/node_modules/dicer/package.json

Dependency Hierarchy:

• apollo-server-2.25.2.tgz (Root Library)
  • apollo-server-core-2.25.3.tgz
    • graphql-upload-8-fork-8.1.3.tgz
      • busboy-0.3.1.tgz
        • ❌ dicer-0.3.0.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.

Publish Date: 2022-05-20

URL: CVE-2022-24434

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

CVE-2021-3805

Vulnerable Library - object-path-0.11.4.tgz

Access deep object properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/object-path/package.json

Dependency Hierarchy:

• apollo-server-2.25.2.tgz (Root Library)
  • apollo-server-core-2.25.3.tgz
    • graphql-upload-8-fork-8.1.3.tgz
      • ❌ object-path-0.11.4.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-09-17

URL: CVE-2021-3805

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053/

Release Date: 2021-09-17

Fix Resolution (object-path): 0.11.8

Direct dependency fix Resolution (apollo-server): 2.25.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23434

Vulnerable Library - object-path-0.11.4.tgz

Access deep object properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/object-path/package.json

Dependency Hierarchy:

• apollo-server-2.25.2.tgz (Root Library)
  • apollo-server-core-2.25.3.tgz
    • graphql-upload-8-fork-8.1.3.tgz
      • ❌ object-path-0.11.4.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === 'proto' returns false if currentPath is ['proto']. This is because the === operator returns always false when the type of the operands is different.

Publish Date: 2021-08-27

URL: CVE-2021-23434

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23434

Release Date: 2021-08-27

Fix Resolution (object-path): 0.11.6

Direct dependency fix Resolution (apollo-server): 2.25.3

⛑️ Automatic Remediation will be attempted for this issue.

Vulnerable Library - jsdom-16.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsdom/node_modules/ws/package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

CVE-2024-37890

Vulnerable Library - ws-7.2.5.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsdom/node_modules/ws/package.json

Dependency Hierarchy:

• jsdom-16.4.0.tgz (Root Library)
  • ❌ ws-7.2.5.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and [email protected] (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

Publish Date: 2024-06-17

URL: CVE-2024-37890

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3h5v-q93c-6h6q

Release Date: 2024-06-17

Fix Resolution (ws): 7.5.10

Direct dependency fix Resolution (jsdom): 16.5.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24999

Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

• jsdom-16.4.0.tgz (Root Library)
  • request-2.88.2.tgz
    • ❌ qs-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (jsdom): 16.5.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-26136

Vulnerable Library - tough-cookie-3.0.1.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-3.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsdom/node_modules/tough-cookie/package.json

Dependency Hierarchy:

• jsdom-16.4.0.tgz (Root Library)
  • ❌ tough-cookie-3.0.1.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (jsdom): 16.6.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-32640

Vulnerable Library - ws-7.2.5.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsdom/node_modules/ws/package.json

Dependency Hierarchy:

• jsdom-16.4.0.tgz (Root Library)
  • ❌ ws-7.2.5.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in [email protected] (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution (ws): 7.4.6

Direct dependency fix Resolution (jsdom): 16.5.0

⛑️ Automatic Remediation will be attempted for this issue.

Vulnerable Library - graphql-tools-7.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/knex/node_modules/lodash/package.json,/node_modules/@graphql-tools/resolvers-composition/node_modules/lodash/package.json,/node_modules/connect-session-knex/node_modules/lodash/package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

CVE-2021-44906

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/multer/node_modules/minimist/package.json,/node_modules/json5/node_modules/minimist/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • relay-operation-optimizer-6.2.5.tgz
    • relay-compiler-10.0.1.tgz
      • core-7.10.4.tgz
        • json5-2.1.2.tgz
          • ❌ minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (graphql-tools): 7.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-45133

Vulnerable Libraries - traverse-7.10.4.tgz, traverse-7.11.5.tgz

traverse-7.10.4.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.10.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@babel/traverse/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • relay-operation-optimizer-6.2.5.tgz
    • relay-compiler-10.0.1.tgz
      • ❌ traverse-7.10.4.tgz (Vulnerable Library)

traverse-7.11.5.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.11.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@graphql-tools/graphql-tag-pluck/node_modules/@babel/traverse/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • graphql-tag-pluck-6.2.6.tgz
    • ❌ traverse-7.11.5.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

Babel is a compiler for writingJavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected] and @babel/[email protected]. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.

Publish Date: 2023-10-12

URL: CVE-2023-45133

CVSS 3 Score Details (9.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-67hx-6x53-jw92

Release Date: 2023-10-12

Fix Resolution (@babel/traverse): 7.23.2

Direct dependency fix Resolution (graphql-tools): 8.0.0

Fix Resolution (@babel/traverse): 7.23.2

Direct dependency fix Resolution (graphql-tools): 8.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • relay-operation-optimizer-6.2.5.tgz
    • relay-compiler-10.0.1.tgz
      • glob-7.1.4.tgz
        • ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

CVE-2021-27292

Vulnerable Library - ua-parser-js-0.7.21.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ua-parser-js/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • relay-operation-optimizer-6.2.5.tgz
    • relay-compiler-10.0.1.tgz
      • fbjs-1.0.0.tgz
        • ❌ ua-parser-js-0.7.21.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

Publish Date: 2021-03-17

URL: CVE-2021-27292

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27292

Release Date: 2021-03-17

Fix Resolution (ua-parser-js): 0.7.24

Direct dependency fix Resolution (graphql-tools): 7.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7793

Vulnerable Library - ua-parser-js-0.7.21.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ua-parser-js/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • relay-operation-optimizer-6.2.5.tgz
    • relay-compiler-10.0.1.tgz
      • fbjs-1.0.0.tgz
        • ❌ ua-parser-js-0.7.21.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

Publish Date: 2020-12-11

URL: CVE-2020-7793

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-11

Fix Resolution (ua-parser-js): 0.7.23

Direct dependency fix Resolution (graphql-tools): 7.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7733

Vulnerable Library - ua-parser-js-0.7.21.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ua-parser-js/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • relay-operation-optimizer-6.2.5.tgz
    • relay-compiler-10.0.1.tgz
      • fbjs-1.0.0.tgz
        • ❌ ua-parser-js-0.7.21.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

Publish Date: 2020-09-16

URL: CVE-2020-7733

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-09-16

Fix Resolution (ua-parser-js): 0.7.22

Direct dependency fix Resolution (graphql-tools): 7.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-8203

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@babel/types/node_modules/lodash/package.json,/node_modules/@babel/helper-module-transforms/node_modules/lodash/package.json,/node_modules/@babel/helper-define-map/node_modules/lodash/package.json,/node_modules/@babel/generator/node_modules/lodash/package.json,/node_modules/ip-address/node_modules/lodash/package.json,/node_modules/relay-compiler/node_modules/lodash/package.json,/node_modules/passport-azure-ad/node_modules/lodash/package.json,/node_modules/@babel/plugin-transform-block-scoping/node_modules/lodash/package.json,/node_modules/@babel/traverse/node_modules/lodash/package.json,/node_modules/request-promise-native/node_modules/lodash/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • relay-operation-optimizer-6.2.5.tgz
    • relay-compiler-10.0.1.tgz
      • types-7.6.1.tgz
        • ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.19

Direct dependency fix Resolution (graphql-tools): 7.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7774

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/y18n/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • relay-operation-optimizer-6.2.5.tgz
    • relay-compiler-10.0.1.tgz
      • yargs-15.3.1.tgz
        • ❌ y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 4.0.1

Direct dependency fix Resolution (graphql-tools): 7.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23337

Vulnerable Libraries - lodash-4.17.15.tgz, lodash-4.17.20.tgz

lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@babel/types/node_modules/lodash/package.json,/node_modules/@babel/helper-module-transforms/node_modules/lodash/package.json,/node_modules/@babel/helper-define-map/node_modules/lodash/package.json,/node_modules/@babel/generator/node_modules/lodash/package.json,/node_modules/ip-address/node_modules/lodash/package.json,/node_modules/relay-compiler/node_modules/lodash/package.json,/node_modules/passport-azure-ad/node_modules/lodash/package.json,/node_modules/@babel/plugin-transform-block-scoping/node_modules/lodash/package.json,/node_modules/@babel/traverse/node_modules/lodash/package.json,/node_modules/request-promise-native/node_modules/lodash/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • relay-operation-optimizer-6.2.5.tgz
    • relay-compiler-10.0.1.tgz
      • types-7.6.1.tgz
        • ❌ lodash-4.17.15.tgz (Vulnerable Library)

lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/knex/node_modules/lodash/package.json,/node_modules/@graphql-tools/resolvers-composition/node_modules/lodash/package.json,/node_modules/connect-session-knex/node_modules/lodash/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • resolvers-composition-6.2.5.tgz
    • ❌ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (graphql-tools): 7.0.1

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (graphql-tools): 7.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-46175

Vulnerable Library - json5-2.1.2.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-2.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json5/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • relay-operation-optimizer-6.2.5.tgz
    • relay-compiler-10.0.1.tgz
      • core-7.10.4.tgz
        • ❌ json5-2.1.2.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): 2.2.2

Direct dependency fix Resolution (graphql-tools): 7.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23326

Vulnerable Library - git-loader-6.2.5.tgz

A set of utils for faster development of GraphQL tools

Library home page: https://registry.npmjs.org/@graphql-tools/git-loader/-/git-loader-6.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@graphql-tools/git-loader/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • ❌ git-loader-6.2.5.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection.

Publish Date: 2021-01-20

URL: CVE-2021-23326

CVSS 3 Score Details (6.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-20

Fix Resolution (@graphql-tools/git-loader): 6.2.6

Direct dependency fix Resolution (graphql-tools): 7.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0235

Vulnerable Library - node-fetch-2.6.1.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cross-fetch/node_modules/node-fetch/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • links-6.2.5.tgz
    • cross-fetch-3.0.6.tgz
      • ❌ node-fetch-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution (node-fetch): 2.6.7

Direct dependency fix Resolution (graphql-tools): 8.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-4067

Vulnerable Library - micromatch-4.0.2.tgz

Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.

Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/micromatch/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • load-files-6.2.4.tgz
    • globby-11.0.1.tgz
      • fast-glob-3.2.2.tgz
        • ❌ micromatch-4.0.2.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

The NPM package micromatch prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 should not reflect the security risk score in NVD, but will be kept for users' awareness.

Publish Date: 2024-05-13

URL: CVE-2024-4067

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution: micromatch - 4.0.8

CVE-2022-25883

Vulnerable Library - semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/require_optional/node_modules/semver/package.json,/node_modules/@babel/core/node_modules/semver/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • relay-operation-optimizer-6.2.5.tgz
    • relay-compiler-10.0.1.tgz
      • core-7.10.4.tgz
        • ❌ semver-5.7.1.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution (semver): 5.7.2

Direct dependency fix Resolution (graphql-tools): 7.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-25858

Vulnerable Library - terser-5.3.4.tgz

JavaScript parser, mangler/compressor and beautifier toolkit for ES6+

Library home page: https://registry.npmjs.org/terser/-/terser-5.3.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@apollo/client/node_modules/terser/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • links-6.2.5.tgz
    • apollo-upload-client-14.1.2.tgz
      • client-3.2.2.tgz
        • ❌ terser-5.3.4.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Publish Date: 2022-07-15

URL: CVE-2022-25858

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858

Release Date: 2022-07-15

Fix Resolution (terser): 5.14.2

Direct dependency fix Resolution (graphql-tools): 7.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23343

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/path-parse/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • relay-operation-optimizer-6.2.5.tgz
    • relay-compiler-10.0.1.tgz
      • core-7.10.4.tgz
        • resolve-1.12.0.tgz
          • ❌ path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (graphql-tools): 7.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-28500

Vulnerable Libraries - lodash-4.17.15.tgz, lodash-4.17.20.tgz

lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@babel/types/node_modules/lodash/package.json,/node_modules/@babel/helper-module-transforms/node_modules/lodash/package.json,/node_modules/@babel/helper-define-map/node_modules/lodash/package.json,/node_modules/@babel/generator/node_modules/lodash/package.json,/node_modules/ip-address/node_modules/lodash/package.json,/node_modules/relay-compiler/node_modules/lodash/package.json,/node_modules/passport-azure-ad/node_modules/lodash/package.json,/node_modules/@babel/plugin-transform-block-scoping/node_modules/lodash/package.json,/node_modules/@babel/traverse/node_modules/lodash/package.json,/node_modules/request-promise-native/node_modules/lodash/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • relay-operation-optimizer-6.2.5.tgz
    • relay-compiler-10.0.1.tgz
      • types-7.6.1.tgz
        • ❌ lodash-4.17.15.tgz (Vulnerable Library)

lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/knex/node_modules/lodash/package.json,/node_modules/@graphql-tools/resolvers-composition/node_modules/lodash/package.json,/node_modules/connect-session-knex/node_modules/lodash/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • resolvers-composition-6.2.5.tgz
    • ❌ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (graphql-tools): 7.0.1

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (graphql-tools): 7.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-28469

Vulnerable Library - glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • load-files-6.2.4.tgz
    • globby-11.0.1.tgz
      • fast-glob-3.2.2.tgz
        • ❌ glob-parent-5.1.1.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (graphql-tools): 7.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-6783

Vulnerable Library - vue-template-compiler-2.6.12.tgz

template compiler for Vue 2.0

Library home page: https://registry.npmjs.org/vue-template-compiler/-/vue-template-compiler-2.6.12.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@graphql-tools/graphql-tag-pluck/node_modules/vue-template-compiler/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • graphql-tag-pluck-6.2.6.tgz
    • ❌ vue-template-compiler-2.6.12.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

A vulnerability has been discovered in Vue, that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as Object.prototype.staticClass or Object.prototype.staticStyle to execute arbitrary JavaScript code.

Publish Date: 2024-07-23

URL: CVE-2024-6783

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

CVE-2017-16137

Vulnerable Library - debug-4.1.1.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-4.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/debug/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • relay-operation-optimizer-6.2.5.tgz
    • relay-compiler-10.0.1.tgz
      • traverse-7.10.4.tgz
        • ❌ debug-4.1.1.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-04-26

URL: CVE-2017-16137

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-gxpj-cx7g-858c

Release Date: 2018-04-26

Fix Resolution (debug): 4.3.1

Direct dependency fix Resolution (graphql-tools): 7.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-27088

Vulnerable Library - es5-ext-0.10.51.tgz

ECMAScript extensions and shims

Library home page: https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.51.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/es5-ext/package.json

Dependency Hierarchy:

• graphql-tools-7.0.0.tgz (Root Library)
  • url-loader-6.3.1.tgz
    • websocket-1.0.32.tgz
      • ❌ es5-ext-0.10.51.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into function#copy or function#toStringTokens may cause the script to stall. The vulnerability is patched in v0.10.63.

Publish Date: 2024-02-26

URL: CVE-2024-27088

CVSS 3 Score Details (0.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-27088

Release Date: 2024-02-26

Fix Resolution (es5-ext): 0.10.63

Direct dependency fix Resolution (graphql-tools): 7.0.1

⛑️ Automatic Remediation will be attempted for this issue.

Vulnerable Library - passport-saml-3.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/passport-saml/node_modules/xml2js/package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

CVE-2022-37616

Vulnerable Library - xmldom-0.7.5.tgz

A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Library home page: https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.7.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@xmldom/xmldom/package.json

Dependency Hierarchy:

• passport-saml-3.2.4.tgz (Root Library)
  • xml-encryption-2.0.0.tgz
    • ❌ xmldom-0.7.5.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties takes the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."

Publish Date: 2022-10-11

URL: CVE-2022-37616

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37616

Release Date: 2022-10-11

Fix Resolution: @xmldom/xmldom - 0.8.3

CVE-2022-39353

Vulnerable Library - xmldom-0.7.5.tgz

A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Library home page: https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.7.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@xmldom/xmldom/package.json

Dependency Hierarchy:

• passport-saml-3.2.4.tgz (Root Library)
  • xml-encryption-2.0.0.tgz
    • ❌ xmldom-0.7.5.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the documentElementor reject a document with a document that has more then 1 childNode.

Publish Date: 2022-11-02

URL: CVE-2022-39353

CVSS 3 Score Details (9.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-crh6-fp67-6883

Release Date: 2022-11-02

Fix Resolution: @xmldom/xmldom - 0.7.7,0.8.4

CVE-2023-0842

Vulnerable Library - xml2js-0.4.23.tgz

Simple XML to JavaScript object converter.

Library home page: https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/passport-saml/node_modules/xml2js/package.json

Dependency Hierarchy:

• passport-saml-3.2.4.tgz (Root Library)
  • ❌ xml2js-0.4.23.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.

Publish Date: 2023-04-05

URL: CVE-2023-0842

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-0842

Release Date: 2023-04-05

Fix Resolution: xml2js - 0.5.0

Vulnerable Library - patch-package-8.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/braces/package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

CVE-2024-4068

Vulnerable Library - braces-3.0.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/braces/package.json

Dependency Hierarchy:

• patch-package-8.0.0.tgz (Root Library)
  • find-yarn-workspace-root-2.0.0.tgz
    • micromatch-4.0.2.tgz
      • ❌ braces-3.0.2.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.

Publish Date: 2024-05-13

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution: braces - 3.0.3

Vulnerable Library - file-type-15.0.1.tgz

Detect the file type of a Buffer/Uint8Array/ArrayBuffer

Library home page: https://registry.npmjs.org/file-type/-/file-type-15.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/file-type/package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

CVE-2022-36313

Vulnerable Library - file-type-15.0.1.tgz

Detect the file type of a Buffer/Uint8Array/ArrayBuffer

Library home page: https://registry.npmjs.org/file-type/-/file-type-15.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/file-type/package.json

Dependency Hierarchy:

• ❌ file-type-15.0.1.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.

Publish Date: 2022-07-21

URL: CVE-2022-36313

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-07-21

Fix Resolution: 16.5.4

⛑️ Automatic Remediation will be attempted for this issue.

Vulnerable Library - subscriptions-transport-ws-0.9.18.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ws/package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

CVE-2024-37890

Vulnerable Library - ws-5.2.2.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-5.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ws/package.json

Dependency Hierarchy:

• subscriptions-transport-ws-0.9.18.tgz (Root Library)
  • ❌ ws-5.2.2.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and [email protected] (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

Publish Date: 2024-06-17

URL: CVE-2024-37890

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3h5v-q93c-6h6q

Release Date: 2024-06-17

Fix Resolution (ws): 5.2.4

Direct dependency fix Resolution (subscriptions-transport-ws): 0.9.19

⛑️ Automatic Remediation will be attempted for this issue.

Vulnerable Library - multer-1.4.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/dicer/package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

CVE-2022-24434

Vulnerable Library - dicer-0.2.5.tgz

A very fast streaming multipart parser for node.js

Library home page: https://registry.npmjs.org/dicer/-/dicer-0.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/dicer/package.json

Dependency Hierarchy:

• multer-1.4.4.tgz (Root Library)
  • busboy-0.2.14.tgz
    • ❌ dicer-0.2.5.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.

Publish Date: 2022-05-20

URL: CVE-2022-24434

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - pug-3.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

CVE-2021-23343

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• pug-3.0.2.tgz (Root Library)
  • pug-filters-4.0.0.tgz
    • resolve-1.17.0.tgz
      • ❌ path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution: path-parse - 1.0.7

Vulnerable Library - express-4.18.2.tgz

Fast, unopinionated, minimalist web framework

Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/express/package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

CVE-2024-29041

Vulnerable Library - express-4.18.2.tgz

Fast, unopinionated, minimalist web framework

Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/express/package.json

Dependency Hierarchy:

• ❌ express-4.18.2.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location() but this is also called from within res.redirect(). The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.

Publish Date: 2024-03-25

URL: CVE-2024-29041

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-rv95-896h-c2vc

Release Date: 2024-03-25

Fix Resolution: 4.19.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-43800

Vulnerable Library - serve-static-1.15.0.tgz

Serve static files

Library home page: https://registry.npmjs.org/serve-static/-/serve-static-1.15.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/serve-static/package.json

Dependency Hierarchy:

• express-4.18.2.tgz (Root Library)
  • ❌ serve-static-1.15.0.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.

Publish Date: 2024-09-10

URL: CVE-2024-43800

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-cm22-4g7w-348p

Release Date: 2024-09-10

Fix Resolution: serve-static - 1.16.0,2.1.0

CVE-2024-43799

Vulnerable Library - send-0.18.0.tgz

Better streaming static file server with Range and conditional-GET support

Library home page: https://registry.npmjs.org/send/-/send-0.18.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/express/node_modules/send/package.json

Dependency Hierarchy:

• express-4.18.2.tgz (Root Library)
  • ❌ send-0.18.0.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.

Publish Date: 2024-09-10

URL: CVE-2024-43799

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-m6fv-jmcg-4jfg

Release Date: 2024-09-10

Fix Resolution: send - 0.19.0

CVE-2024-43796

Vulnerable Library - express-4.18.2.tgz

Fast, unopinionated, minimalist web framework

Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/express/package.json

Dependency Hierarchy:

• ❌ express-4.18.2.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.

Publish Date: 2024-09-10

URL: CVE-2024-43796

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-qw6h-vgh9-j6wx

Release Date: 2024-09-10

Fix Resolution: express - 4.20.0,5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

Vulnerable Library - ssh2-1.11.0.tgz

SSH2 client and server modules written in pure JavaScript for node.js

Library home page: https://registry.npmjs.org/ssh2/-/ssh2-1.11.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ssh2/package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

CVE-2023-48795

Vulnerable Library - ssh2-1.11.0.tgz

SSH2 client and server modules written in pure JavaScript for node.js

Library home page: https://registry.npmjs.org/ssh2/-/ssh2-1.11.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ssh2/package.json

Dependency Hierarchy:

• ❌ ssh2-1.11.0.tgz (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

Vulnerability Details

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Publish Date: 2023-12-18

URL: CVE-2023-48795

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None