You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2017-0421
Vulnerable Library - ws-2.3.1.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Affected version of ws (0.2.6 through 3.3.0 excluding 0.3.4-2, 0.3.5-2, 0.3.5-3, 0.3.5-4, 1.1.5, 2.0.0-beta.0, 2.0.0-beta.1 and 2.0.0-beta.2) are vulnerable to A specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.
Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Vulnerable Library - gemini-api-2.0.4.tgz
Found in HEAD commit: d3aa03c77002ed1f61a679726c02bc0494d073c2
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2017-0421
Vulnerable Library - ws-2.3.1.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-2.3.1.tgz
Dependency Hierarchy:
Found in HEAD commit: d3aa03c77002ed1f61a679726c02bc0494d073c2
Found in base branch: main
Vulnerability Details
Affected version of ws (0.2.6 through 3.3.0 excluding 0.3.4-2, 0.3.5-2, 0.3.5-3, 0.3.5-4, 1.1.5, 2.0.0-beta.0, 2.0.0-beta.1 and 2.0.0-beta.2) are vulnerable to A specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.
Publish Date: 2017-11-08
URL: WS-2017-0421
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2017-11-08
Fix Resolution: 3.3.1
CVE-2019-10742
Vulnerable Library - axios-0.16.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.16.2.tgz
Dependency Hierarchy:
Found in HEAD commit: d3aa03c77002ed1f61a679726c02bc0494d073c2
Found in base branch: main
Vulnerability Details
Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.
Publish Date: 2019-05-07
URL: CVE-2019-10742
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-05-07
Fix Resolution: 0.19.0
CVE-2020-28168
Vulnerable Library - axios-0.16.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.16.2.tgz
Dependency Hierarchy:
Found in HEAD commit: d3aa03c77002ed1f61a679726c02bc0494d073c2
Found in base branch: main
Vulnerability Details
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Publish Date: 2020-11-06
URL: CVE-2020-28168
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-11-06
Fix Resolution: axios - 0.21.1
The text was updated successfully, but these errors were encountered: