You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Path to vulnerable library: /node_modules/recursive-readdir/node_modules/minimatch/package.json
Dependency Hierarchy:
react-scripts-1.0.13.tgz (Root Library)
react-dev-utils-4.2.3.tgz
recursive-readdir-2.2.1.tgz
❌ minimatch-3.0.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Path to vulnerable library: /node_modules/normalize-url/package.json
Dependency Hierarchy:
react-scripts-1.0.13.tgz (Root Library)
css-loader-0.28.4.tgz
cssnano-3.10.0.tgz
postcss-normalize-url-3.0.8.tgz
❌ normalize-url-1.9.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Path to vulnerable library: /node_modules/trim-newlines/package.json
Dependency Hierarchy:
react-scripts-1.0.13.tgz (Root Library)
sw-precache-webpack-plugin-0.11.4.tgz
sw-precache-5.2.1.tgz
meow-3.7.0.tgz
❌ trim-newlines-1.0.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Path to vulnerable library: /node_modules/is-svg/package.json
Dependency Hierarchy:
react-scripts-1.0.13.tgz (Root Library)
css-loader-0.28.4.tgz
cssnano-3.10.0.tgz
postcss-svgo-2.1.6.tgz
❌ is-svg-2.1.0.tgz (Vulnerable Library)
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
Path to vulnerable library: /node_modules/postcss-zindex/node_modules/postcss/package.json,/node_modules/postcss-discard-overridden/node_modules/postcss/package.json,/node_modules/postcss-reduce-idents/node_modules/postcss/package.json,/node_modules/cssnano/node_modules/postcss/package.json,/node_modules/postcss-reduce-initial/node_modules/postcss/package.json,/node_modules/postcss-reduce-transforms/node_modules/postcss/package.json,/node_modules/postcss-minify-params/node_modules/postcss/package.json,/node_modules/postcss-normalize-charset/node_modules/postcss/package.json,/node_modules/postcss-svgo/node_modules/postcss/package.json,/node_modules/postcss-merge-rules/node_modules/postcss/package.json,/node_modules/postcss-calc/node_modules/postcss/package.json,/node_modules/postcss-minify-gradients/node_modules/postcss/package.json,/node_modules/postcss-filter-plugins/node_modules/postcss/package.json,/node_modules/postcss-discard-comments/node_modules/postcss/package.json,/node_modules/postcss-unique-selectors/node_modules/postcss/package.json,/node_modules/postcss-convert-values/node_modules/postcss/package.json,/node_modules/postcss-merge-idents/node_modules/postcss/package.json,/node_modules/postcss-normalize-url/node_modules/postcss/package.json,/node_modules/postcss-discard-unused/node_modules/postcss/package.json,/node_modules/css-loader/node_modules/postcss/package.json,/node_modules/postcss-colormin/node_modules/postcss/package.json,/node_modules/postcss-ordered-values/node_modules/postcss/package.json,/node_modules/postcss-discard-empty/node_modules/postcss/package.json,/node_modules/postcss-discard-duplicates/node_modules/postcss/package.json,/node_modules/postcss-minify-font-values/node_modules/postcss/package.json,/node_modules/postcss-merge-longhand/node_modules/postcss/package.json,/node_modules/postcss-minify-selectors/node_modules/postcss/package.json
Dependency Hierarchy:
react-scripts-1.0.13.tgz (Root Library)
css-loader-0.28.4.tgz
❌ postcss-5.2.18.tgz (Vulnerable Library)
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.
Direct dependency fix Resolution (react-scripts): 2.0.0
In order to enable automatic remediation, please create workflow rules
WS-2020-0218
Vulnerable Library - merge-1.2.1.tgz
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Path to vulnerable library: /node_modules/merge/package.json
Dependency Hierarchy:
react-scripts-1.0.13.tgz (Root Library)
jest-20.0.4.tgz
jest-cli-20.0.4.tgz
jest-haste-map-20.0.5.tgz
sane-1.6.0.tgz
exec-sh-0.2.2.tgz
❌ merge-1.2.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A Prototype Pollution vulnerability was found in merge before 2.1.0 via the merge.recursive function. It can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
Path to vulnerable library: /node_modules/svgo/node_modules/js-yaml/package.json
Dependency Hierarchy:
react-scripts-1.0.13.tgz (Root Library)
css-loader-0.28.4.tgz
cssnano-3.10.0.tgz
postcss-svgo-2.1.6.tgz
svgo-0.7.2.tgz
❌ js-yaml-3.7.0.tgz (Vulnerable Library)
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
react-scripts-1.0.13.tgz (Root Library)
jest-20.0.4.tgz
jest-cli-20.0.4.tgz
jest-environment-jsdom-20.0.3.tgz
jsdom-9.12.0.tgz
❌ request-2.88.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Path to vulnerable library: /node_modules/ajv/package.json
Dependency Hierarchy:
react-scripts-1.0.13.tgz (Root Library)
extract-text-webpack-plugin-3.0.0.tgz
schema-utils-0.3.0.tgz
❌ ajv-5.5.2.tgz (Vulnerable Library)
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Path to vulnerable library: /node_modules/react-dev-utils/package.json
Dependency Hierarchy:
react-scripts-1.0.13.tgz (Root Library)
❌ react-dev-utils-4.2.3.tgz (Vulnerable Library)
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.
SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication
Path to vulnerable library: /node_modules/sockjs/package.json
Dependency Hierarchy:
react-scripts-1.0.13.tgz (Root Library)
webpack-dev-server-2.7.1.tgz
❌ sockjs-0.3.18.tgz (Vulnerable Library)
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.
all versions prior to 2.0.0 of content-type-parser npm package are vulnerable to ReDoS via the user agent parser. the vulnerability was fixed by reintroducing a new parser and deleting the old one.
dev-mend-for-github-combot
changed the title
react-scripts-1.0.13.tgz: 19 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.13.tgz: 19 vulnerabilities (highest severity is: 9.8) reachable
Oct 17, 2023
dev-mend-for-github-combot
changed the title
react-scripts-1.0.13.tgz: 19 vulnerabilities (highest severity is: 9.8) reachable
react-scripts-1.0.13.tgz: 19 vulnerabilities (highest severity is: 9.8)
Oct 17, 2023
dev-mend-for-github-combot
changed the title
react-scripts-1.0.13.tgz: 19 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.13.tgz: 20 vulnerabilities (highest severity is: 9.8) reachable
Nov 17, 2023
dev-mend-for-github-combot
changed the title
react-scripts-1.0.13.tgz: 20 vulnerabilities (highest severity is: 9.8) reachable
react-scripts-1.0.13.tgz: 21 vulnerabilities (highest severity is: 9.8) reachable
Dec 7, 2023
dev-mend-for-github-combot
changed the title
react-scripts-1.0.13.tgz: 21 vulnerabilities (highest severity is: 9.8) reachable
react-scripts-1.0.13.tgz: 23 vulnerabilities (highest severity is: 9.8) reachable
Dec 14, 2023
Vulnerable Library - react-scripts-1.0.13.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/react-dev-utils/package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2020-28499
Vulnerable Library - merge-1.2.1.tgz
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Library home page: https://registry.npmjs.org/merge/-/merge-1.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/merge/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .
Publish Date: 2021-02-18
URL: CVE-2020-28499
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1666
Release Date: 2021-02-18
Fix Resolution (merge): 2.1.1
Direct dependency fix Resolution (react-scripts): 3.0.0
In order to enable automatic remediation, please create workflow rules
WS-2019-0063
Vulnerable Library - js-yaml-3.7.0.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/svgo/node_modules/js-yaml/package.json
Dependency Hierarchy:
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.
Publish Date: 2019-04-05
URL: WS-2019-0063
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/813
Release Date: 2019-04-05
Fix Resolution (js-yaml): 3.13.1
Direct dependency fix Resolution (react-scripts): 2.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2022-37620
Vulnerable Library - html-minifier-3.5.21.tgz
Highly configurable, well-tested, JavaScript-based HTML minifier.
Library home page: https://registry.npmjs.org/html-minifier/-/html-minifier-3.5.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/html-minifier/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.
Publish Date: 2022-10-31
URL: CVE-2022-37620
CVSS 3 Score Details (7.5)
Base Score Metrics:
CVE-2022-3517
Vulnerable Library - minimatch-3.0.3.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/recursive-readdir/node_modules/minimatch/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
CVE-2021-33502
Vulnerable Library - normalize-url-1.9.1.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/normalize-url/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution (normalize-url): 4.5.1
Direct dependency fix Resolution (react-scripts): 5.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-33623
Vulnerable Library - trim-newlines-1.0.0.tgz
Trim newlines from the start and/or end of a string
Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/trim-newlines/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Publish Date: 2021-05-28
URL: CVE-2021-33623
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623
Release Date: 2021-05-28
Fix Resolution (trim-newlines): 3.0.1
Direct dependency fix Resolution (react-scripts): 2.0.1
In order to enable automatic remediation, please create workflow rules
CVE-2021-28092
Vulnerable Library - is-svg-2.1.0.tgz
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-2.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/is-svg/package.json
Dependency Hierarchy:
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
Publish Date: 2021-03-12
URL: CVE-2021-28092
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092
Release Date: 2021-03-12
Fix Resolution (is-svg): 4.2.2
Direct dependency fix Resolution (react-scripts): 2.0.0
In order to enable automatic remediation, please create workflow rules
WS-2021-0152
Vulnerable Library - color-string-0.3.0.tgz
Parser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-0.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/color-string/package.json
Dependency Hierarchy:
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
Vulnerability Details
Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.
Publish Date: 2021-03-12
URL: WS-2021-0152
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-03-12
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (react-scripts): 2.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-23382
Vulnerable Libraries - postcss-6.0.23.tgz, postcss-5.2.18.tgz
postcss-6.0.23.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.23.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss/package.json
Dependency Hierarchy:
postcss-5.2.18.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-5.2.18.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss-zindex/node_modules/postcss/package.json,/node_modules/postcss-discard-overridden/node_modules/postcss/package.json,/node_modules/postcss-reduce-idents/node_modules/postcss/package.json,/node_modules/cssnano/node_modules/postcss/package.json,/node_modules/postcss-reduce-initial/node_modules/postcss/package.json,/node_modules/postcss-reduce-transforms/node_modules/postcss/package.json,/node_modules/postcss-minify-params/node_modules/postcss/package.json,/node_modules/postcss-normalize-charset/node_modules/postcss/package.json,/node_modules/postcss-svgo/node_modules/postcss/package.json,/node_modules/postcss-merge-rules/node_modules/postcss/package.json,/node_modules/postcss-calc/node_modules/postcss/package.json,/node_modules/postcss-minify-gradients/node_modules/postcss/package.json,/node_modules/postcss-filter-plugins/node_modules/postcss/package.json,/node_modules/postcss-discard-comments/node_modules/postcss/package.json,/node_modules/postcss-unique-selectors/node_modules/postcss/package.json,/node_modules/postcss-convert-values/node_modules/postcss/package.json,/node_modules/postcss-merge-idents/node_modules/postcss/package.json,/node_modules/postcss-normalize-url/node_modules/postcss/package.json,/node_modules/postcss-discard-unused/node_modules/postcss/package.json,/node_modules/css-loader/node_modules/postcss/package.json,/node_modules/postcss-colormin/node_modules/postcss/package.json,/node_modules/postcss-ordered-values/node_modules/postcss/package.json,/node_modules/postcss-discard-empty/node_modules/postcss/package.json,/node_modules/postcss-discard-duplicates/node_modules/postcss/package.json,/node_modules/postcss-minify-font-values/node_modules/postcss/package.json,/node_modules/postcss-merge-longhand/node_modules/postcss/package.json,/node_modules/postcss-minify-selectors/node_modules/postcss/package.json
Dependency Hierarchy:
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (react-scripts): 3.0.0
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (react-scripts): 3.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2018-14732
Vulnerable Library - webpack-dev-server-2.7.1.tgz
Serves a webpack app. Updates the browser on changes.
Library home page: https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-2.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/webpack-dev-server/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.
Publish Date: 2018-09-21
URL: CVE-2018-14732
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14732
Release Date: 2018-09-21
Fix Resolution (webpack-dev-server): 3.1.6
Direct dependency fix Resolution (react-scripts): 2.0.0
In order to enable automatic remediation, please create workflow rules
WS-2020-0218
Vulnerable Library - merge-1.2.1.tgz
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Library home page: https://registry.npmjs.org/merge/-/merge-1.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/merge/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
A Prototype Pollution vulnerability was found in merge before 2.1.0 via the merge.recursive function. It can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
Publish Date: 2020-10-09
URL: WS-2020-0218
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-10-09
Fix Resolution (merge): 2.1.0
Direct dependency fix Resolution (react-scripts): 3.0.0
In order to enable automatic remediation, please create workflow rules
WS-2019-0032
Vulnerable Library - js-yaml-3.7.0.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/svgo/node_modules/js-yaml/package.json
Dependency Hierarchy:
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Publish Date: 2019-03-20
URL: WS-2019-0032
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/788/versions
Release Date: 2019-03-20
Fix Resolution (js-yaml): 3.13.0
Direct dependency fix Resolution (react-scripts): 2.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2023-28155
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
CVE-2020-15366
Vulnerable Library - ajv-5.5.2.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-5.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ajv/package.json
Dependency Hierarchy:
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (react-scripts): 2.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-24033
Vulnerable Library - react-dev-utils-4.2.3.tgz
Webpack utilities used by Create React App
Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-4.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/react-dev-utils/package.json
Dependency Hierarchy:
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.
Publish Date: 2021-03-09
URL: CVE-2021-24033
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.facebook.com/security/advisories/cve-2021-24033
Release Date: 2021-03-09
Fix Resolution (react-dev-utils): 11.0.4
Direct dependency fix Resolution (react-scripts): 4.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2020-7693
Vulnerable Library - sockjs-0.3.18.tgz
SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication
Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.18.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/sockjs/package.json
Dependency Hierarchy:
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.
Publish Date: 2020-07-09
URL: CVE-2020-7693
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-14
Fix Resolution (sockjs): 0.3.20
Direct dependency fix Resolution (react-scripts): 3.4.2
In order to enable automatic remediation, please create workflow rules
WS-2018-0347
Vulnerable Library - eslint-4.4.1.tgz
An AST-based pattern checker for JavaScript.
Library home page: https://registry.npmjs.org/eslint/-/eslint-4.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/eslint/package.json
Dependency Hierarchy:
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
A vulnerability was descovered in eslint before 4.18.2. One of the regexes in eslint is vulnerable to catastrophic backtracking.
Publish Date: 2018-02-27
URL: WS-2018-0347
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-02-27
Fix Resolution (eslint): 4.18.2
Direct dependency fix Resolution (react-scripts): 2.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2022-33987
Vulnerable Library - got-6.7.1.tgz
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-6.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/got/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution (got): 11.8.6
Direct dependency fix Resolution (react-scripts): 2.0.1
In order to enable automatic remediation, please create workflow rules
CVE-2020-7608
Vulnerable Libraries - yargs-parser-7.0.0.tgz, yargs-parser-4.2.1.tgz
yargs-parser-7.0.0.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-7.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/webpack/node_modules/yargs-parser/package.json
Dependency Hierarchy:
yargs-parser-4.2.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-4.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/webpack-dev-server/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (react-scripts): 3.4.2
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (react-scripts): 3.4.2
In order to enable automatic remediation, please create workflow rules
WS-2021-0154
Vulnerable Libraries - glob-parent-2.0.0.tgz, glob-parent-3.1.0.tgz
glob-parent-2.0.0.tgz
Strips glob magic from a string to provide the parent path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.
Publish Date: 2021-01-27
URL: WS-2021-0154
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-01-27
Fix Resolution: glob-parent - 5.1.2
WS-2017-3757
Vulnerable Library - content-type-parser-1.0.2.tgz
Parse the value of the Content-Type header
Library home page: https://registry.npmjs.org/content-type-parser/-/content-type-parser-1.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/content-type-parser/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
all versions prior to 2.0.0 of content-type-parser npm package are vulnerable to ReDoS via the user agent parser. the vulnerability was fixed by reintroducing a new parser and deleting the old one.
Publish Date: 2017-12-10
URL: WS-2017-3757
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2017-12-10
Fix Resolution: v2.0.0
WS-2019-0307
Vulnerable Library - mem-1.1.0.tgz
Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input
Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mem/package.json
Dependency Hierarchy:
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
In 'mem' before v4.0.0 there is a Denial of Service (DoS) vulnerability as a result of a failure in removal old values from the cache.
Publish Date: 2018-08-27
URL: WS-2019-0307
CVSS 3 Score Details (5.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1084
Release Date: 2018-08-27
Fix Resolution (mem): 4.0.0
Direct dependency fix Resolution (react-scripts): 2.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2017-16138
Vulnerable Library - mime-1.3.6.tgz
A comprehensive library for mime-type mapping
Library home page: https://registry.npmjs.org/mime/-/mime-1.3.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mime/package.json
Dependency Hierarchy:
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Publish Date: 2018-06-07
URL: CVE-2017-16138
CVSS 3 Score Details (5.0)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138
Release Date: 2018-06-07
Fix Resolution (mime): 1.4.1
Direct dependency fix Resolution (react-scripts): 1.0.15
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
The text was updated successfully, but these errors were encountered: