You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (25 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/uglify-js/package.json
Dependency Hierarchy:
laravel-mix-4.1.4.tgz (Root Library)
html-loader-0.5.5.tgz
html-minifier-3.5.21.tgz
❌ uglify-js-3.4.10.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
** DISPUTED ** Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/ini/package.json
Dependency Hierarchy:
laravel-mix-4.1.4.tgz (Root Library)
chokidar-2.1.8.tgz
fsevents-1.2.9.tgz
node-pre-gyp-0.12.0.tgz
rc-1.2.8.tgz
❌ ini-1.3.5.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/json5/package.json
Dependency Hierarchy:
laravel-mix-4.1.4.tgz (Root Library)
core-7.6.2.tgz
❌ json5-2.1.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/async/package.json
Dependency Hierarchy:
laravel-mix-4.1.4.tgz (Root Library)
extract-text-webpack-plugin-4.0.0-beta.0.tgz
❌ async-2.6.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/terser-webpack-plugin/node_modules/terser/package.json
Dependency Hierarchy:
laravel-mix-4.1.4.tgz (Root Library)
terser-webpack-plugin-1.4.1.tgz
❌ terser-4.3.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/acorn/package.json
Dependency Hierarchy:
laravel-mix-4.1.4.tgz (Root Library)
webpack-4.41.0.tgz
❌ acorn-6.3.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/normalize-url/package.json
Dependency Hierarchy:
laravel-mix-4.1.4.tgz (Root Library)
optimize-css-assets-webpack-plugin-5.0.3.tgz
cssnano-4.1.10.tgz
cssnano-preset-default-4.0.7.tgz
postcss-normalize-url-4.0.1.tgz
❌ normalize-url-3.3.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/node-forge/package.json
Dependency Hierarchy:
laravel-mix-4.1.4.tgz (Root Library)
webpack-dev-server-3.8.2.tgz
selfsigned-1.10.7.tgz
❌ node-forge-0.9.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/node-forge/package.json
Dependency Hierarchy:
laravel-mix-4.1.4.tgz (Root Library)
webpack-dev-server-3.8.2.tgz
selfsigned-1.10.7.tgz
❌ node-forge-0.9.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/http-proxy/package.json
Dependency Hierarchy:
laravel-mix-4.1.4.tgz (Root Library)
webpack-dev-server-3.8.2.tgz
http-proxy-middleware-0.19.1.tgz
❌ http-proxy-1.18.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/postcss/package.json
Dependency Hierarchy:
laravel-mix-4.1.4.tgz (Root Library)
autoprefixer-9.6.1.tgz
❌ postcss-7.0.18.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/node-forge/package.json
Dependency Hierarchy:
laravel-mix-4.1.4.tgz (Root Library)
webpack-dev-server-3.8.2.tgz
selfsigned-1.10.7.tgz
❌ node-forge-0.9.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/dot-prop/package.json
Dependency Hierarchy:
laravel-mix-4.1.4.tgz (Root Library)
optimize-css-assets-webpack-plugin-5.0.3.tgz
cssnano-4.1.10.tgz
cssnano-preset-default-4.0.7.tgz
postcss-merge-rules-4.0.3.tgz
postcss-selector-parser-3.1.1.tgz
❌ dot-prop-4.2.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/node-forge/package.json
Dependency Hierarchy:
laravel-mix-4.1.4.tgz (Root Library)
webpack-dev-server-3.8.2.tgz
selfsigned-1.10.7.tgz
❌ node-forge-0.9.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/node-notifier/package.json
Dependency Hierarchy:
laravel-mix-4.1.4.tgz (Root Library)
webpack-notifier-1.8.0.tgz
❌ node-notifier-5.4.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.
The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.
SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/sockjs/package.json
Dependency Hierarchy:
laravel-mix-4.1.4.tgz (Root Library)
webpack-dev-server-3.8.2.tgz
❌ sockjs-0.3.19.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/serialize-javascript/package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/url-parse/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - uglify-js-3.4.10.tgz
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.4.10.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/uglify-js/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
** DISPUTED ** Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
Publish Date: 2022-10-20
URL: CVE-2022-37598
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2022-10-20
Fix Resolution (uglify-js): 3.13.10
Direct dependency fix Resolution (laravel-mix): 5.0.8
Step up your Open Source Security Game with Mend here
Vulnerable Library - ini-1.3.5.tgz
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/ini/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution (ini): 1.3.6
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - eventsource-1.0.7.tgz
W3C compliant EventSource client for Node.js and browser (polyfill)
Library home page: https://registry.npmjs.org/eventsource/-/eventsource-1.0.7.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/eventsource/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.
Publish Date: 2022-05-12
URL: CVE-2022-1650
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2022-05-12
Fix Resolution (eventsource): 1.1.1
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/url-parse/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - json5-2.1.1.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.1.1.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/json5/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The
parsemethod of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named__proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned byJSON5.parseand not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned fromJSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.JSON5.parseshould restrict parsing of__proto__keys when parsing JSON strings to objects. As a point of reference, theJSON.parsemethod included in JavaScript ignores__proto__keys. Simply changingJSON5.parsetoJSON.parsein the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.Publish Date: 2022-12-24
URL: CVE-2022-46175
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - serialize-javascript-1.9.1.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-08
Fix Resolution (serialize-javascript): 3.1.0
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - async-2.6.3.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/async/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - terser-3.17.0.tgz, terser-4.3.4.tgz
terser-3.17.0.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-3.17.0.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/terser/package.json
Dependency Hierarchy:
terser-4.3.4.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-4.3.4.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/terser-webpack-plugin/node_modules/terser/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution (terser): 4.8.1
Direct dependency fix Resolution (laravel-mix): 5.0.8
Fix Resolution (terser): 4.8.1
Direct dependency fix Resolution (laravel-mix): 5.0.8
Step up your Open Source Security Game with Mend here
Vulnerable Library - glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (laravel-mix): 6.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - html-minifier-3.5.21.tgz
Highly configurable, well-tested, JavaScript-based HTML minifier.
Library home page: https://registry.npmjs.org/html-minifier/-/html-minifier-3.5.21.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/html-minifier/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.
Publish Date: 2022-10-31
URL: CVE-2022-37620
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here
Vulnerable Library - acorn-6.3.0.tgz
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-6.3.0.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/acorn/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.
Publish Date: 2020-03-01
URL: WS-2020-0042
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-6chw-6frg-f759
Release Date: 2020-03-01
Fix Resolution (acorn): 6.4.1
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - normalize-url-3.3.0.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/normalize-url/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Forge (also called
node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding aDigestInfoASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed innode-forgeversion 1.3.0. There are currently no known workarounds.Publish Date: 2022-03-18
URL: CVE-2022-24772
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (laravel-mix): 6.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Forge (also called
node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed innode-forgeversion 1.3.0. There are currently no known workarounds.Publish Date: 2022-03-18
URL: CVE-2022-24771
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (laravel-mix): 6.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - http-proxy-1.18.0.tgz
HTTP proxying for the masses
Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.0.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/http-proxy/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Publish Date: 2020-05-14
URL: WS-2020-0091
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1486
Release Date: 2020-05-14
Fix Resolution (http-proxy): 1.18.1
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - postcss-7.0.18.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.18.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/postcss/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (laravel-mix): 5.0.8
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Publish Date: 2020-09-01
URL: CVE-2020-7720
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2020-09-01
Fix Resolution (node-forge): 0.10.0
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - dot-prop-4.2.0.tgz
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/dot-prop/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Publish Date: 2020-02-04
URL: CVE-2020-8116
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116
Release Date: 2020-02-04
Fix Resolution (dot-prop): 4.2.1
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
CVSS 3 Score Details (6.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (laravel-mix): 6.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
forge is vulnerable to URL Redirection to Untrusted Site
Mend Note: Converted from WS-2022-0007, on 2022-11-07.
Publish Date: 2022-01-06
URL: CVE-2022-0122
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (laravel-mix): 6.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-notifier-5.4.3.tgz
A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)
Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-5.4.3.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/node-notifier/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.
Publish Date: 2020-12-11
URL: CVE-2020-7789
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1906853
Release Date: 2020-12-11
Fix Resolution (node-notifier): 5.4.4
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - serialize-javascript-1.9.1.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.
Publish Date: 2019-12-05
URL: CVE-2019-16769
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769
Release Date: 2019-12-05
Fix Resolution (serialize-javascript): 2.1.1
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - sockjs-0.3.19.tgz
SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication
Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/sockjs/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.
Publish Date: 2020-07-09
URL: CVE-2020-7693
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2020-07-14
Fix Resolution (sockjs): 0.3.20
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /galaxyofdrones/package.json
Path to vulnerable library: /galaxyofdrones/node_modules/url-parse/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
Publish Date: 2022-02-14
URL: CVE-2022-0512
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512
Release Date: 2022-02-14
Fix Resolution (url-parse): 1.5.6
Direct dependency fix Resolution (laravel-mix): 5.0.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: