parcel-bundler-1.10.3.tgz: 38 vulnerabilities (highest severity is: 9.9) #5
Labels: Mend: dependency security vulnerability (Security vulnerability detected by WhiteSource)
Comments
mend-bolt-for-github bot added the "Mend: dependency security vulnerability" label on Mar 15, 2022.
mend-bolt-for-github bot changed the title each time the vulnerability count in "parcel-bundler-1.10.3.tgz: N vulnerabilities (highest severity is: 9.9)" was updated:
Mar 21, 2022: 26 to 29
Mar 23, 2022: 29 to 30
Mar 29, 2022: 30 to 29
Jun 30, 2022: 29 to 31
Jul 18, 2022: 31 to 32
Oct 1, 2022: 32 to 33
Nov 28, 2022: 33 to 32
Dec 2, 2022: 32 to 33
Dec 26, 2022: 33 to 34
Dec 7, 2023: 34 to 35
Dec 15, 2023: 35 to 36
Mar 5, 2024: 36 to 37
Mar 21, 2024: 37 to 36
Mar 31, 2024: 36 to 37
May 14, 2024: 37 to 38
Vulnerable Library - parcel-bundler-1.10.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/union-value/node_modules/set-value/package.json
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2019-10760
Vulnerable Library - safer-eval-1.2.3.tgz
a safer eval
Library home page: https://registry.npmjs.org/safer-eval/-/safer-eval-1.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/safer-eval/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
Versions of safer-eval before 1.3.2 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
Publish Date: 2019-10-15
URL: CVE-2019-10760
CVSS 3 Score Details (9.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/787/versions
Release Date: 2019-10-15
Fix Resolution (safer-eval): 1.3.2
Direct dependency fix Resolution (parcel-bundler): 1.11.0
Step up your Open Source Security Game with Mend here
CVE-2019-10759
Vulnerable Library - safer-eval-1.2.3.tgz
a safer eval
Library home page: https://registry.npmjs.org/safer-eval/-/safer-eval-1.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/safer-eval/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
Versions of safer-eval before 1.3.4 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
Publish Date: 2019-10-15
URL: CVE-2019-10759
CVSS 3 Score Details (9.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1021
Release Date: 2019-10-15
Fix Resolution (safer-eval): 1.3.4
Direct dependency fix Resolution (parcel-bundler): 1.11.0
CVE-2021-23440
Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz
set-value-2.0.0.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/set-value/package.json
Dependency Hierarchy:
set-value-0.4.3.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/union-value/node_modules/set-value/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
Mend Note: After conducting further research, Mend has determined that all versions of set-value before versions 2.0.1, 4.0.1 are vulnerable to CVE-2021-23440.
Publish Date: 2021-09-12
URL: CVE-2021-23440
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/
Release Date: 2021-09-12
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (parcel-bundler): 1.11.0
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (parcel-bundler): 1.11.0
CVE-2019-10769
Vulnerable Library - safer-eval-1.2.3.tgz
a safer eval
Library home page: https://registry.npmjs.org/safer-eval/-/safer-eval-1.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/safer-eval/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
safer-eval is an npm package to sandbox the evaluation of code used within the eval function. Affected versions of this package are vulnerable to Arbitrary Code Execution via generating a RangeError.
Publish Date: 2019-12-06
URL: CVE-2019-10769
CVSS 3 Score Details (9.8)
Base Score Metrics:
CVE-2019-10747
Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz
set-value-2.0.0.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/set-value/package.json
Dependency Hierarchy:
set-value-0.4.3.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/union-value/node_modules/set-value/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.
Publish Date: 2019-08-23
URL: CVE-2019-10747
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-23
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (parcel-bundler): 1.11.0
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (parcel-bundler): 1.11.0
CVE-2019-10746
Vulnerable Library - mixin-deep-1.3.1.tgz
Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mixin-deep/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-08-23
URL: CVE-2019-10746
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-23
Fix Resolution (mixin-deep): 1.3.2
Direct dependency fix Resolution (parcel-bundler): 1.11.0
CVE-2023-45133
Vulnerable Library - traverse-7.1.6.tgz
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.1.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/traverse/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
Babel is a compiler for writing JavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/traverse@7.23.2 and @babel/traverse@8.0.0-alpha.4. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.
Publish Date: 2023-10-12
URL: CVE-2023-45133
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: 2023-10-12
Fix Resolution (@babel/traverse): 7.23.2
Direct dependency fix Resolution (parcel-bundler): 1.11.0
CVE-2022-46175
Vulnerable Libraries - json5-2.1.0.tgz, json5-1.0.1.tgz
json5-2.1.0.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/core/node_modules/json5/package.json
Dependency Hierarchy:
json5-1.0.1.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/parcel-bundler/node_modules/json5/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (parcel-bundler): 1.11.0
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (parcel-bundler): 1.11.0
WS-2019-0063
Vulnerable Libraries - js-yaml-3.7.0.tgz, js-yaml-3.12.0.tgz
js-yaml-3.7.0.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/htmlnano/node_modules/js-yaml/package.json
Dependency Hierarchy:
js-yaml-3.12.0.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/js-yaml/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.
Publish Date: 2019-04-05
URL: WS-2019-0063
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/813
Release Date: 2019-04-05
Fix Resolution (js-yaml): 3.13.1
Direct dependency fix Resolution (parcel-bundler): 1.12.0
Fix Resolution (js-yaml): 3.13.1
Direct dependency fix Resolution (parcel-bundler): 1.12.0
WS-2021-0152
Vulnerable Libraries - color-string-1.5.3.tgz, color-string-0.3.0.tgz
color-string-1.5.3.tgz
Parser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/color-string/package.json
Dependency Hierarchy:
color-string-0.3.0.tgz
Parser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-0.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/colormin/node_modules/color-string/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.
Publish Date: 2021-03-12
URL: WS-2021-0152
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-03-12
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (parcel-bundler): 1.12.0
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (parcel-bundler): 1.12.0
WS-2019-0032
Vulnerable Libraries - js-yaml-3.7.0.tgz, js-yaml-3.12.0.tgz
js-yaml-3.7.0.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/htmlnano/node_modules/js-yaml/package.json
Dependency Hierarchy:
js-yaml-3.12.0.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/js-yaml/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully crafted YAML file, the node process stalls and may exhaust system resources, leading to a Denial of Service.
Publish Date: 2019-03-20
URL: WS-2019-0032
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/788/versions
Release Date: 2019-03-20
Fix Resolution (js-yaml): 3.13.0
Direct dependency fix Resolution (parcel-bundler): 1.12.0
Fix Resolution (js-yaml): 3.13.0
Direct dependency fix Resolution (parcel-bundler): 1.12.0
CVE-2023-46234
Vulnerable Library - browserify-sign-4.0.4.tgz
adds node crypto signing for browsers
Library home page: https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/browserify-sign/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
browserify-sign is a package to duplicate the functionality of node's crypto public key functions; much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in the dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.
Publish Date: 2023-10-26
URL: CVE-2023-46234
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-x9w5-v3q2-3rhw
Release Date: 2023-10-26
Fix Resolution (browserify-sign): 4.2.2
Direct dependency fix Resolution (parcel-bundler): 1.11.0
CVE-2022-38900
Vulnerable Library - decode-uri-component-0.2.0.tgz
A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/decode-uri-component/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (parcel-bundler): 1.11.0
CVE-2022-25858
Vulnerable Library - terser-3.10.13.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-3.10.13.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/terser/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
The package terser before 4.8.1, and from 5.0.0 before 5.14.2, is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution: terser - 4.8.1,5.14.2
CVE-2022-24772
Vulnerable Library - node-forge-0.7.6.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.7.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, the RSA PKCS#1 v1.5 signature verification code does not check for trailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution: node-forge - 1.3.0
CVE-2022-24771
Vulnerable Library - node-forge-0.7.6.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.7.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, the RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses the unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution: node-forge - 1.3.0
CVE-2022-21222
Vulnerable Library - css-what-2.1.2.tgz
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-2.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/css-what/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
The package css-what before 2.1.3 is vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.
Publish Date: 2022-09-30
URL: CVE-2022-21222
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21222
Release Date: 2022-09-30
Fix Resolution (css-what): 2.1.3
Direct dependency fix Resolution (parcel-bundler): 1.11.0
CVE-2021-3807
Vulnerable Library - ansi-regex-3.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jest/node_modules/ansi-regex/package.json,/node_modules/string-width/node_modules/ansi-regex/package.json,/node_modules/ora/node_modules/ansi-regex/package.json,/node_modules/pretty-format/node_modules/ansi-regex/package.json,/node_modules/string-length/node_modules/ansi-regex/package.json,/node_modules/cliui/node_modules/ansi-regex/package.json,/node_modules/parcel-bundler/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity.
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 3.0.1
Direct dependency fix Resolution (parcel-bundler): 1.11.0
CVE-2021-3803
Vulnerable Library - nth-check-1.0.2.tgz
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nth-check/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
nth-check is vulnerable to Inefficient Regular Expression Complexity.
Publish Date: 2021-09-17
URL: CVE-2021-3803
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-09-17
Fix Resolution: nth-check - v2.0.1
CVE-2021-29059
Vulnerable Libraries - is-svg-2.1.0.tgz, is-svg-3.0.0.tgz
is-svg-2.1.0.tgz
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-2.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/htmlnano/node_modules/is-svg/package.json
Dependency Hierarchy:
is-svg-3.0.0.tgz
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/is-svg/package.json
Dependency Hierarchy:
Found in HEAD commit: db86b1df738243752f2df78e8b4de14d0886d804
Found in base branch: master
Vulnerability Details
A vulnerability was discovered in IS-SVG versions 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDoS) occurs if the application is given, and checks, a crafted invalid SVG string.
Publish Date: 2021-06-21
URL: CVE-2021-29059
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-06-21
Fix Resolution (is-svg): 4.3.0
Direct dependency fix Resolution (parcel-bundler): 1.12.0
Fix Resolution (is-svg): 4.3.0
Direct dependency fix Resolution (parcel-bundler): 1.12.0