You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.
marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js have multiple unused capture groups which can lead to a Denial of Service.
The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of micromatch should follow the fix recommendation as noted.
ibm-mend-appbot
changed the title
cli-11.17.0.tgz: 23 vulnerabilities (highest severity is: 9.8)
cli-11.17.0.tgz: 23 vulnerabilities (highest severity is: 9.8) - autoclosed
Jun 17, 2024
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - cli-11.17.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/got-npm-9.6.0-80edc15fd0-fae3273b44.zip
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-26136
Vulnerable Library - tough-cookie-2.5.0.tgz
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/tough-cookie-npm-2.5.0-79a2fe43fe-024cb13a4d.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution: tough-cookie - 4.1.3
CVE-2022-37598
Vulnerable Library - uglify-js-3.4.10.tgz
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.4.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/uglify-js-npm-3.4.10-026479e767-70b9f666c9.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
Publish Date: 2022-10-20
URL: CVE-2022-37598
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: mishoo/UglifyJS#5699
Release Date: 2022-10-20
Fix Resolution: uglify-js - 3.13.10
CVE-2021-3918
Vulnerable Library - json-schema-0.2.3.tgz
JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/json-schema-npm-0.2.3-018ee3dfc9-2f98d28db7.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-11-13
URL: CVE-2021-3918
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution: json-schema - 0.4.0
CVE-2021-25949
Vulnerable Library - set-getter-0.1.0.tgz
Create nested getter properties and any intermediary dot notation (`'a.b.c'`) paths
Library home page: https://registry.npmjs.org/set-getter/-/set-getter-0.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/set-getter-npm-0.1.0-9664f89372-00b9cd529b.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in 'set-getter' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.
Publish Date: 2021-06-10
URL: CVE-2021-25949
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: doowb/set-getter@66eb3f0
Release Date: 2021-06-10
Fix Resolution: set-getter - 0.1.1
CVE-2024-4068
Vulnerable Library - braces-3.0.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/braces-npm-3.0.2-782240b28a-966b1fb48d.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
The NPM package
braces
, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. Inlib/parse.js,
if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4068
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: micromatch/braces#37
Release Date: 2024-05-14
Fix Resolution: braces - 3.0.3
CVE-2022-37620
Vulnerable Library - html-minifier-3.5.21.tgz
Highly configurable, well-tested, JavaScript-based HTML minifier.
Library home page: https://registry.npmjs.org/html-minifier/-/html-minifier-3.5.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/html-minifier-npm-3.5.21-5367304f07-8341f38d2c.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.
Publish Date: 2022-10-31
URL: CVE-2022-37620
CVSS 3 Score Details (7.5)
Base Score Metrics:
CVE-2022-25883
Vulnerable Library - semver-5.7.1.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/semver-npm-5.7.1-40bcea106b-fbc71cf007.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2
CVE-2022-21681
Vulnerable Library - marked-0.6.3.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/marked-npm-0.6.3-1ee699f13e-aeefb8ed59.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression
inline.reflinkSearch
may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.Publish Date: 2022-01-14
URL: CVE-2022-21681
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-5v2h-r2cx-5xgj
Release Date: 2022-01-14
Fix Resolution: marked - 4.0.10
CVE-2022-21680
Vulnerable Library - marked-0.6.3.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/marked-npm-0.6.3-1ee699f13e-aeefb8ed59.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression
block.def
may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.Publish Date: 2022-01-14
URL: CVE-2022-21680
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-rrrm-qjm4-v8hf
Release Date: 2022-01-14
Fix Resolution: marked - 4.0.10
CVE-2021-43307
Vulnerable Library - semver-regex-1.0.0.tgz
Regular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/semver-regex-npm-1.0.0-95aa99f4f8-17411400ee.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method
Publish Date: 2022-06-02
URL: CVE-2021-43307
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/
Release Date: 2022-06-02
Fix Resolution: semver-regex - 3.1.4,4.0.3
CVE-2021-3807
Vulnerable Libraries - ansi-regex-3.0.0.tgz, ansi-regex-4.1.0.tgz
ansi-regex-3.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/ansi-regex-npm-3.0.0-be0b845911-2ad11c416f.zip
Dependency Hierarchy:
ansi-regex-4.1.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/ansi-regex-npm-4.1.0-4a7d8413fe-97aa465953.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution: ansi-regex - 5.0.1,6.0.1
CVE-2021-3795
Vulnerable Library - semver-regex-1.0.0.tgz
Regular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/semver-regex-npm-1.0.0-95aa99f4f8-17411400ee.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
semver-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-15
URL: CVE-2021-3795
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://github.com/sindresorhus/semver-regex/releases/tag/v4.0.1
Release Date: 2021-09-15
Fix Resolution: semver-regex - 3.1.3,4.0.1
CVE-2021-33502
Vulnerable Library - normalize-url-4.5.0.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-4.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/normalize-url-npm-4.5.0-14a0c5430f-c70ee89880.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1
CVE-2020-7753
Vulnerable Library - trim-0.0.1.tgz
Trim string whitespace
Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/trim-npm-0.0.1-d138075543-2b4646dff9.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().
Publish Date: 2020-10-27
URL: CVE-2020-7753
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: component/trim#8
Release Date: 2020-10-27
Fix Resolution: trim - 0.0.3
CVE-2020-28469
Vulnerable Library - glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/glob-parent-npm-3.1.0-31416ad085-653d559237.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
CVE-2024-28863
Vulnerable Library - tar-6.1.15.tgz
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.15.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/tar-npm-6.1.15-44c3e71720-4848b92da8.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
Publish Date: 2024-03-21
URL: CVE-2024-28863
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-f5x3-32g6-xq36
Release Date: 2024-03-21
Fix Resolution: tar - 6.2.1
WS-2017-3770
Vulnerable Library - autolinker-0.28.1.tgz
Utility to automatically link the URLs, email addresses, and Twitter handles in a given block of text/HTML
Library home page: https://registry.npmjs.org/autolinker/-/autolinker-0.28.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/autolinker-npm-0.28.1-dbe1de77b4-da915195b2.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
Cross-site Scripting (XSS) vulnerability was found in autolinker before 3.14.0. User input passed to the innerHTML tags isn't sanitized.
Publish Date: 2017-02-15
URL: WS-2017-3770
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://github.com/gregjacobs/Autolinker.js/releases/tag/v3.14.0
Release Date: 2017-02-15
Fix Resolution: autolinker - 3.14.0
CVE-2023-28155
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/request-npm-2.88.2-f4a57c72c4-005b8b237b.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
WS-2020-0163
Vulnerable Library - marked-0.6.3.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/marked-npm-0.6.3-1ee699f13e-aeefb8ed59.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js have multiple unused capture groups which can lead to a Denial of Service.
Publish Date: 2020-07-02
URL: WS-2020-0163
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://github.com/markedjs/marked/releases/tag/v1.1.1
Release Date: 2020-07-02
Fix Resolution: marked - 1.1.1
WS-2019-0209
Vulnerable Library - marked-0.6.3.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/marked-npm-0.6.3-1ee699f13e-aeefb8ed59.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
marked before 0.7.0 vulnerable to Redos attack by he _label subrule that may significantly degrade parsing performance of malformed input.
Publish Date: 2019-07-04
URL: WS-2019-0209
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1076
Release Date: 2019-07-04
Fix Resolution: 0.7.0
WS-2019-0540
Vulnerable Library - autolinker-0.28.1.tgz
Utility to automatically link the URLs, email addresses, and Twitter handles in a given block of text/HTML
Library home page: https://registry.npmjs.org/autolinker/-/autolinker-0.28.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/autolinker-npm-0.28.1-dbe1de77b4-da915195b2.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
Denial of Service (DoS) vulnerability was found in autolinker before 3.0.0. Unterminated img src causes long execution.
Publish Date: 2019-01-08
URL: WS-2019-0540
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://github.com/gregjacobs/Autolinker.js/releases/tag/v3.0.0
Release Date: 2019-01-08
Fix Resolution: autolinker - 3.0.0
CVE-2024-4067
Vulnerable Library - micromatch-4.0.5.tgz
Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/micromatch-npm-4.0.5-cfab5d7669-a749888789.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
The NPM package
micromatch
is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs inmicromatch.braces()
inindex.js
because the pattern.*
will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of micromatch should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4067
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: micromatch/micromatch#249
Release Date: 2024-05-14
Fix Resolution: micromatch - 4.0.6
CVE-2022-33987
Vulnerable Library - got-9.6.0.tgz
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/got-npm-9.6.0-80edc15fd0-fae3273b44.zip
Dependency Hierarchy:
Found in HEAD commit: 1236034260fccc5dab327acc914ee359cce23cfe
Found in base branch: main
Vulnerability Details
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution: got - 11.8.5,12.1.0
The text was updated successfully, but these errors were encountered: