You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (17 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/scripts/bench/package.json,/react-main/fixtures/attribute-behavior/package.json,/scripts/bench/package.json
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Path to dependency file: /react-main/fixtures/attribute-behavior/package.json
Path to vulnerable library: /react-main/fixtures/attribute-behavior/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json
Path to dependency file: /react-main/fixtures/attribute-behavior/package.json
Path to vulnerable library: /react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json
** DISPUTED ** Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
react-scripts-1.0.11.tgz (Root Library)
webpack-dev-server-2.7.1.tgz
sockjs-client-1.1.4.tgz
eventsource-0.1.6.tgz
original-1.0.0.tgz
❌ url-parse-1.0.5.tgz (Vulnerable Library)
url-parse-1.1.9.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json
react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json
The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
react-scripts-1.0.11.tgz (Root Library)
webpack-dev-server-2.7.1.tgz
sockjs-client-1.1.4.tgz
eventsource-0.1.6.tgz
original-1.0.0.tgz
❌ url-parse-1.0.5.tgz (Vulnerable Library)
url-parse-1.1.9.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/react-main/fixtures/packaging/browserify/prod/package.json,/fixtures/packaging/browserify/prod/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/packaging/browserify/dev/package.json,/fixtures/packaging/browserify/dev/package.json,/react-main/fixtures/attribute-behavior/package.json
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json
Handlebars before 4.6.0 vulnerable to Prototype Pollution. Prototype access to the template engine allows for potential code execution, which may lead to Denial Of Service (DoS).
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/react-main/scripts/bench/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/scripts/bench/package.json
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json
mend-bolt-for-githubbot
changed the title
react-scripts-1.0.11.tgz: 71 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.11.tgz: 72 vulnerabilities (highest severity is: 9.8)
Mar 18, 2024
mend-bolt-for-githubbot
changed the title
react-scripts-1.0.11.tgz: 72 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.11.tgz: 69 vulnerabilities (highest severity is: 9.8)
Mar 23, 2024
mend-bolt-for-githubbot
changed the title
react-scripts-1.0.11.tgz: 69 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.11.tgz: 74 vulnerabilities (highest severity is: 9.8)
Mar 31, 2024
mend-bolt-for-githubbot
changed the title
react-scripts-1.0.11.tgz: 74 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.11.tgz: 73 vulnerabilities (highest severity is: 9.8)
Apr 18, 2024
mend-bolt-for-githubbot
changed the title
react-scripts-1.0.11.tgz: 73 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.11.tgz: 74 vulnerabilities (highest severity is: 9.8)
Apr 22, 2024
Vulnerable Library - react-scripts-1.0.11.tgz
Path to dependency file: /react-main/fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-26136
Vulnerable Library - tough-cookie-2.3.2.tgz
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.2.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/scripts/bench/package.json,/react-main/fixtures/attribute-behavior/package.json,/scripts/bench/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution (tough-cookie): 4.1.3
Direct dependency fix Resolution (react-scripts): 4.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-37601
Vulnerable Library - loader-utils-1.1.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.1.0.tgz
Path to dependency file: /react-main/fixtures/attribute-behavior/package.json
Path to vulnerable library: /react-main/fixtures/attribute-behavior/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (react-scripts): 4.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-37598
Vulnerable Library - uglify-js-3.7.3.tgz
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.7.3.tgz
Path to dependency file: /react-main/fixtures/attribute-behavior/package.json
Path to vulnerable library: /react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
** DISPUTED ** Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
Publish Date: 2022-10-20
URL: CVE-2022-37598
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-20
Fix Resolution (uglify-js): 3.13.10
Direct dependency fix Resolution (react-scripts): 3.3.1
Step up your Open Source Security Game with Mend here
CVE-2022-0691
Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.1.9.tgz
url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
url-parse-1.1.9.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.1.9.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (react-scripts): 1.0.12
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
CVE-2021-23383
Vulnerable Library - handlebars-4.5.3.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-05-04
URL: CVE-2021-23383
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383
Release Date: 2021-05-04
Fix Resolution (handlebars): 4.7.7
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
CVE-2021-23369
Vulnerable Library - handlebars-4.5.3.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-04-12
URL: CVE-2021-23369
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-04-12
Fix Resolution (handlebars): 4.7.7
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
CVE-2020-28499
Vulnerable Library - merge-1.2.0.tgz
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .
Publish Date: 2021-02-18
URL: CVE-2020-28499
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-02-18
Fix Resolution (merge): 2.1.0
Direct dependency fix Resolution (react-scripts): 3.0.0
Step up your Open Source Security Game with Mend here
CVE-2018-6342
Vulnerable Library - react-dev-utils-3.1.1.tgz
Webpack utilities used by Create React App
Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-3.1.1.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.
Publish Date: 2018-12-31
URL: CVE-2018-6342
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6342
Release Date: 2018-12-31
Fix Resolution (react-dev-utils): 3.1.2
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
CVE-2018-3774
Vulnerable Libraries - url-parse-1.1.9.tgz, url-parse-1.0.5.tgz
url-parse-1.1.9.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.1.9.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.
Publish Date: 2018-08-12
URL: CVE-2018-3774
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3774
Release Date: 2018-08-12
Fix Resolution (url-parse): 1.4.3
Direct dependency fix Resolution (react-scripts): 1.0.12
Fix Resolution (url-parse): 1.4.3
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
CVE-2018-13797
Vulnerable Library - macaddress-0.2.8.tgz
Get the MAC addresses (hardware addresses) of the hosts network interfaces.
Library home page: https://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.
Publish Date: 2018-07-10
URL: CVE-2018-13797
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-13797
Release Date: 2022-10-03
Fix Resolution (macaddress): 0.2.9
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
CVE-2022-0686
Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.1.9.tgz
url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
url-parse-1.1.9.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.1.9.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (react-scripts): 1.0.12
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
CVE-2019-10744
Vulnerable Library - lodash.template-4.4.0.tgz
The lodash method `_.template` exported as a module.
Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-4.4.0.tgz
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash.template): 4.5.0
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
WS-2019-0063
Vulnerable Library - js-yaml-3.9.1.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.9.1.tgz
Path to dependency file: /react-main/fixtures/attribute-behavior/package.json
Path to vulnerable library: /react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.
Publish Date: 2019-04-05
URL: WS-2019-0063
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/813
Release Date: 2019-04-05
Fix Resolution (js-yaml): 3.13.1
Direct dependency fix Resolution (react-scripts): 2.0.0
Step up your Open Source Security Game with Mend here
CVE-2020-13822
Vulnerable Library - elliptic-6.4.0.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/react-main/fixtures/packaging/browserify/prod/package.json,/fixtures/packaging/browserify/prod/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/packaging/browserify/dev/package.json,/fixtures/packaging/browserify/dev/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
WS-2020-0450
Vulnerable Library - handlebars-4.5.3.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Handlebars before 4.6.0 vulnerable to Prototype Pollution. Prototype access to the template engine allows for potential code execution, which may lead to Denial Of Service (DoS).
Publish Date: 2020-01-09
URL: WS-2020-0450
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-01-09
Fix Resolution (handlebars): 4.6.0
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
WS-2020-0091
Vulnerable Library - http-proxy-1.16.2.tgz
HTTP proxying for the masses
Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.16.2.tgz
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/react-main/scripts/bench/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/scripts/bench/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Publish Date: 2020-05-14
URL: WS-2020-0091
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1486
Release Date: 2020-05-14
Fix Resolution (http-proxy): 1.18.1
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
WS-2019-0541
Vulnerable Library - macaddress-0.2.8.tgz
Get the MAC addresses (hardware addresses) of the hosts network interfaces.
Library home page: https://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Arbitrary File Read vulnerability was found in macaddress before 0.4.3.
Publish Date: 2019-08-20
URL: WS-2019-0541
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-20
Fix Resolution (macaddress): 0.4.3
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: