Vulnerable Library - react-scripts-1.0.17.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/packaging/systemjs-builder/prod/node_modules/es5-ext/package.json,/fixtures/packaging/systemjs-builder/dev/node_modules/es5-ext/package.json,/fixtures/expiration/node_modules/es5-ext/package.json
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Vulnerabilities
| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (react-scripts version) | Remediation Possible** | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-42282 | Critical | 9.8 | Not Defined | 0.1% | ip-1.1.5.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2023-26136 | Critical | 9.8 | Not Defined | 0.1% | tough-cookie-2.3.3.tgz | Transitive | 4.0.0 | ❌ | |
| CVE-2022-37601 | Critical | 9.8 | Not Defined | 0.7% | detected in multiple dependencies | Transitive | 4.0.0 | ✅ | |
| CVE-2022-37598 | Critical | 9.8 | Not Defined | 0.5% | uglify-js-3.7.3.tgz | Transitive | 3.3.1 | ❌ | |
| CVE-2022-0691 | Critical | 9.8 | Not Defined | 0.3% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2021-44906 | Critical | 9.8 | Not Defined | 1.2% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2021-42740 | Critical | 9.8 | Not Defined | 0.2% | shell-quote-1.6.1.tgz | Transitive | 5.0.0 | ✅ | |
| CVE-2021-3918 | Critical | 9.8 | Not Defined | 0.4% | json-schema-0.2.3.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2021-23383 | Critical | 9.8 | Not Defined | 3.3% | handlebars-4.5.3.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2021-23369 | Critical | 9.8 | Not Defined | 14.9% | handlebars-4.5.3.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2020-7788 | Critical | 9.8 | Not Defined | 1.2% | ini-1.3.4.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2020-28499 | Critical | 9.8 | Not Defined | 0.4% | merge-1.2.0.tgz | Transitive | 3.0.0 | ❌ | |
| CVE-2018-6342 | Critical | 9.8 | Not Defined | 0.2% | react-dev-utils-4.2.1.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2018-3774 | Critical | 9.8 | Not Defined | 0.3% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2018-16492 | Critical | 9.8 | Not Defined | 0.4% | extend-3.0.1.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2018-13797 | Critical | 9.8 | Not Defined | 0.3% | macaddress-0.2.8.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2018-1000620 | Critical | 9.8 | Not Defined | 0.2% | cryptiles-3.1.2.tgz | Transitive | 1.1.1 | ✅ | |
| CVE-2022-1650 | Critical | 9.3 | Not Defined | 0.2% | eventsource-0.1.6.tgz | Transitive | 2.1.3 | ✅ | |
| CVE-2022-0686 | Critical | 9.1 | Not Defined | 0.2% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2019-10744 | Critical | 9.1 | Not Defined | 1.5% | lodash.template-4.4.0.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2023-45133 | High | 8.8 | Not Defined | 0.1% | babel-traverse-6.26.0.tgz | Transitive | N/A* | ❌ | |
| CVE-2022-46175 | High | 8.8 | Not Defined | 0.6% | json5-0.5.1.tgz | Transitive | 3.0.0 | ✅ | |
| WS-2019-0063 | High | 8.1 | Not Defined | | detected in multiple dependencies | Transitive | 2.0.0 | ✅ | |
| CVE-2021-43138 | High | 7.8 | Not Defined | 0.1% | async-2.6.0.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2020-13822 | High | 7.7 | Not Defined | 0.4% | elliptic-6.4.0.tgz | Transitive | 1.1.0 | ❌ | |
| WS-2021-0152 | High | 7.5 | Not Defined | | color-string-0.3.0.tgz | Transitive | 2.0.0 | ✅ | |
| WS-2020-0450 | High | 7.5 | Not Defined | | handlebars-4.5.3.tgz | Transitive | 1.1.0 | ✅ | |
| WS-2019-0541 | High | 7.5 | Not Defined | | macaddress-0.2.8.tgz | Transitive | 1.1.0 | ❌ | |
| WS-2019-0032 | High | 7.5 | Not Defined | | detected in multiple dependencies | Transitive | 2.0.0 | ✅ | |
| CVE-2024-4068 | High | 7.5 | Not Defined | 0.0% | braces-1.8.5.tgz | Transitive | N/A* | ❌ | |
| CVE-2022-37620 | High | 7.5 | Not Defined | 0.1% | html-minifier-3.5.6.tgz | Transitive | N/A* | ❌ | |
| CVE-2022-37603 | High | 7.5 | Not Defined | 0.6% | loader-utils-1.1.0.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2022-3517 | High | 7.5 | Not Defined | 0.2% | minimatch-3.0.3.tgz | Transitive | N/A* | ❌ | |
| CVE-2022-29167 | High | 7.5 | Not Defined | 0.1% | hawk-6.0.2.tgz | Transitive | 1.1.1 | ✅ | |
| CVE-2022-24999 | High | 7.5 | Not Defined | 0.9% | qs-6.5.1.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2022-24772 | High | 7.5 | Not Defined | 0.1% | node-forge-0.6.33.tgz | Transitive | 5.0.0 | ✅ | |
| CVE-2022-24771 | High | 7.5 | Not Defined | 0.1% | node-forge-0.6.33.tgz | Transitive | 5.0.0 | ✅ | |
| CVE-2021-3803 | High | 7.5 | Not Defined | 0.2% | nth-check-1.0.1.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2021-3777 | High | 7.5 | Not Defined | 0.1% | tmpl-1.0.4.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2021-33623 | High | 7.5 | Not Defined | 0.2% | trim-newlines-1.0.0.tgz | Transitive | 2.0.1 | ❌ | |
| CVE-2021-29059 | High | 7.5 | Not Defined | 0.4% | is-svg-2.1.0.tgz | Transitive | 2.0.0 | ✅ | |
| CVE-2021-28092 | High | 7.5 | Not Defined | 0.2% | is-svg-2.1.0.tgz | Transitive | 2.0.0 | ✅ | |
| CVE-2021-27516 | High | 7.5 | Not Defined | 0.2% | urijs-1.19.0.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2021-23424 | High | 7.5 | Not Defined | 0.2% | ansi-html-0.0.7.tgz | Transitive | 5.0.0 | ❌ | |
| CVE-2021-23382 | High | 7.5 | Not Defined | 0.2% | detected in multiple dependencies | Transitive | 3.0.0 | ✅ | |
| CVE-2021-23343 | High | 7.5 | Not Defined | 0.3% | path-parse-1.0.5.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2020-7662 | High | 7.5 | Not Defined | 0.2% | websocket-extensions-0.1.3.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2020-28469 | High | 7.5 | Not Defined | 1.2% | glob-parent-2.0.0.tgz | Transitive | 5.0.0 | ✅ | |
| CVE-2018-3737 | High | 7.5 | Not Defined | 0.2% | sshpk-1.13.1.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2018-16469 | High | 7.5 | Not Defined | 0.1% | merge-1.2.0.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2018-14732 | High | 7.5 | Not Defined | 0.3% | webpack-dev-server-2.9.4.tgz | Transitive | 2.0.0 | ✅ | |
| WS-2018-0588 | High | 7.4 | Not Defined | | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2020-8116 | High | 7.3 | Not Defined | 0.2% | dot-prop-3.0.0.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2020-7720 | High | 7.3 | Not Defined | 0.2% | node-forge-0.6.33.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2018-3750 | High | 7.3 | Not Defined | 0.3% | deep-extend-0.4.2.tgz | Transitive | 1.1.0 | ✅ | |
| WS-2018-0590 | High | 7.1 | Not Defined | | diff-3.4.0.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2020-28498 | Medium | 6.8 | Not Defined | 0.1% | elliptic-6.4.0.tgz | Transitive | 1.1.0 | ❌ | |
| WS-2022-0008 | Medium | 6.6 | Not Defined | | node-forge-0.6.33.tgz | Transitive | 5.0.0 | ✅ | |
| CVE-2022-0613 | Medium | 6.5 | Not Defined | 0.1% | urijs-1.19.0.tgz | Transitive | N/A* | ❌ | |
| CVE-2021-23386 | Medium | 6.5 | Not Defined | 0.1% | dns-packet-1.2.2.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2020-26291 | Medium | 6.5 | Not Defined | 0.1% | urijs-1.19.0.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2018-21270 | Medium | 6.5 | Not Defined | 0.2% | stringstream-0.0.5.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2024-29041 | Medium | 6.1 | Not Defined | 0.0% | express-4.16.2.tgz | Transitive | N/A* | ❌ | |
| CVE-2023-28155 | Medium | 6.1 | Not Defined | 0.1% | request-2.83.0.tgz | Transitive | N/A* | ❌ | |
| CVE-2022-1243 | Medium | 6.1 | Not Defined | 0.1% | urijs-1.19.0.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2022-1233 | Medium | 6.1 | Not Defined | 0.1% | urijs-1.19.0.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2022-0868 | Medium | 6.1 | Not Defined | 0.1% | urijs-1.19.0.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2022-0122 | Medium | 6.1 | Not Defined | 0.1% | node-forge-0.6.33.tgz | Transitive | 5.0.0 | ✅ | |
| CVE-2021-3647 | Medium | 6.1 | Not Defined | 0.1% | urijs-1.19.0.tgz | Transitive | 1.1.0 | ✅ | |
| WS-2019-0427 | Medium | 5.9 | Not Defined | | elliptic-6.4.0.tgz | Transitive | 1.1.0 | ❌ | |
| WS-2019-0424 | Medium | 5.9 | Not Defined | | elliptic-6.4.0.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2021-24033 | Medium | 5.6 | Not Defined | 0.2% | react-dev-utils-4.2.1.tgz | Transitive | 4.0.0 | ✅ | |
| CVE-2020-7789 | Medium | 5.6 | Not Defined | 0.2% | node-notifier-5.1.2.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2020-7598 | Medium | 5.6 | Not Defined | 0.1% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2020-15366 | Medium | 5.6 | Not Defined | 0.3% | ajv-5.3.0.tgz | Transitive | 2.0.0 | ✅ | |
| CVE-2024-29415 | Medium | 5.5 | Not Defined | | ip-1.1.5.tgz | Transitive | N/A* | ❌ | |
| WS-2019-0017 | Medium | 5.3 | Not Defined | | clean-css-4.1.9.tgz | Transitive | 1.1.0 | ✅ | |
| WS-2018-0347 | Medium | 5.3 | Not Defined | | eslint-4.10.0.tgz | Transitive | 2.0.0 | ✅ | |
| WS-2017-3757 | Medium | 5.3 | Not Defined | | content-type-parser-1.0.2.tgz | Transitive | N/A* | ❌ | |
| CVE-2024-4067 | Medium | 5.3 | Not Defined | 0.0% | micromatch-2.3.11.tgz | Transitive | 5.0.0 | ✅ | |
| CVE-2022-33987 | Medium | 5.3 | Not Defined | 0.1% | got-5.7.1.tgz | Transitive | 2.0.1 | ❌ | |
| CVE-2022-24773 | Medium | 5.3 | Not Defined | 0.1% | node-forge-0.6.33.tgz | Transitive | 5.0.0 | ✅ | |
| CVE-2022-24723 | Medium | 5.3 | Not Defined | 0.1% | urijs-1.19.0.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2022-0639 | Medium | 5.3 | Not Defined | 0.1% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2022-0512 | Medium | 5.3 | Not Defined | 0.1% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2021-3664 | Medium | 5.3 | Not Defined | 0.1% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2021-29060 | Medium | 5.3 | Not Defined | 0.2% | color-string-0.3.0.tgz | Transitive | 2.0.0 | ✅ | |
| CVE-2021-27515 | Medium | 5.3 | Not Defined | 0.2% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2021-23362 | Medium | 5.3 | Not Defined | 0.3% | hosted-git-info-2.5.0.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2020-8124 | Medium | 5.3 | Not Defined | 0.1% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2020-7693 | Medium | 5.3 | Not Defined | 0.6% | sockjs-0.3.18.tgz | Transitive | 3.4.2 | ✅ | |
| CVE-2020-7608 | Medium | 5.3 | Not Defined | 0.0% | detected in multiple dependencies | Transitive | 2.0.0 | ✅ | |
| CVE-2017-16028 | Medium | 5.3 | Not Defined | 0.1% | randomatic-1.1.7.tgz | Transitive | 1.1.0 | ✅ | |
| WS-2019-0307 | Medium | 5.1 | Not Defined | | mem-1.1.0.tgz | Transitive | 2.0.0 | ✅ | |
| WS-2018-0103 | Medium | 4.8 | Not Defined | | stringstream-0.0.5.tgz | Transitive | 1.1.0 | ✅ | |
| WS-2018-0589 | Low | 3.7 | Not Defined | | nwmatcher-1.4.3.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2024-27088 | Low | 0.0 | Not Defined | 0.0% | es5-ext-0.10.35.tgz | Transitive | 1.1.0 | ✅ | |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
Partial details (12 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2023-42282
Vulnerable Library - ip-1.1.5.tgz
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - webpack-dev-server-2.9.4.tgz
    - ❌ ip-1.1.5.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Publish Date: 2024-02-08
URL: CVE-2023-42282
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-42282
Release Date: 2024-02-08
Fix Resolution (ip): 1.1.9
Direct dependency fix Resolution (react-scripts): 1.1.0
CVE-2023-26136
Vulnerable Library - tough-cookie-2.3.3.tgz
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.3.tgz
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - jest-20.0.4.tgz
    - jest-cli-20.0.4.tgz
      - jest-environment-jsdom-20.0.3.tgz
        - jsdom-9.12.0.tgz
          - ❌ tough-cookie-2.3.3.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution (tough-cookie): 4.1.3
Direct dependency fix Resolution (react-scripts): 4.0.0
CVE-2022-37601
Vulnerable Libraries - loader-utils-0.2.17.tgz, loader-utils-1.1.0.tgz
loader-utils-0.2.17.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.17.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/fixtures/packaging/webpack/prod/node_modules/loader-utils/package.json,/fixtures/packaging/webpack-alias/prod/node_modules/loader-utils/package.json,/fixtures/packaging/webpack/dev/node_modules/loader-utils/package.json,/fixtures/packaging/webpack-alias/dev/node_modules/loader-utils/package.json,/fixtures/expiration/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json,/fixtures/concurrent/time-slicing/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - html-webpack-plugin-2.29.0.tgz
    - ❌ loader-utils-0.2.17.tgz (Vulnerable Library)
loader-utils-1.1.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.1.0.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/node_modules/loader-utils/package.json,/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - webpack-3.8.1.tgz
    - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.7%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (react-scripts): 4.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2022-37598
Vulnerable Library - uglify-js-3.7.3.tgz
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.7.3.tgz
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - jest-20.0.4.tgz
    - jest-cli-20.0.4.tgz
      - istanbul-api-1.2.1.tgz
        - istanbul-reports-1.1.3.tgz
          - handlebars-4.5.3.tgz
            - ❌ uglify-js-3.7.3.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
Publish Date: 2022-10-20
URL: CVE-2022-37598
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.5%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-20
Fix Resolution (uglify-js): 3.13.10
Direct dependency fix Resolution (react-scripts): 3.3.1
CVE-2022-0691
Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.2.0.tgz
url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/fixtures/expiration/node_modules/original/node_modules/url-parse/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - react-dev-utils-4.2.1.tgz
    - sockjs-client-1.1.4.tgz
      - eventsource-0.1.6.tgz
        - original-1.0.0.tgz
          - ❌ url-parse-1.0.5.tgz (Vulnerable Library)
url-parse-1.2.0.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.2.0.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/node_modules/url-parse/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - react-dev-utils-4.2.1.tgz
    - sockjs-client-1.1.4.tgz
      - ❌ url-parse-1.2.0.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (react-scripts): 1.1.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-44906
Vulnerable Libraries - minimist-0.0.8.tgz, minimist-0.0.10.tgz, minimist-1.2.0.tgz
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - babel-loader-7.1.2.tgz
    - mkdirp-0.5.1.tgz
      - ❌ minimist-0.0.8.tgz (Vulnerable Library)
minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - jest-20.0.4.tgz
    - jest-cli-20.0.4.tgz
      - istanbul-api-1.2.1.tgz
        - istanbul-reports-1.1.3.tgz
          - handlebars-4.5.3.tgz
            - optimist-0.6.1.tgz
              - ❌ minimist-0.0.10.tgz (Vulnerable Library)
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /fixtures/packaging/browserify/dev/package.json
Path to vulnerable library: /fixtures/packaging/browserify/dev/node_modules/minimist/package.json,/fixtures/packaging/webpack-alias/dev/package.json,/fixtures/packaging/webpack/dev/package.json,/fixtures/packaging/browserify/prod/node_modules/minimist/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/node_modules/minimist/package.json,/fixtures/packaging/webpack-alias/prod/package.json,/fixtures/packaging/webpack/prod/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - postcss-loader-2.0.8.tgz
    - postcss-load-config-1.2.0.tgz
      - cosmiconfig-2.2.2.tgz
        - ❌ minimist-1.2.0.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.2%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (react-scripts): 1.1.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-42740
Vulnerable Library - shell-quote-1.6.1.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/node_modules/shell-quote/package.json,/node_modules/fx-runner/node_modules/shell-quote/package.json,/fixtures/concurrent/time-slicing/node_modules/shell-quote/package.json,/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - react-dev-utils-4.2.1.tgz
    - ❌ shell-quote-1.6.1.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is [A-z] instead of the correct [A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (react-scripts): 5.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-3918
Vulnerable Library - json-schema-0.2.3.tgz
JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /fixtures/packaging/webpack-alias/prod/package.json
Path to vulnerable library: /fixtures/packaging/webpack-alias/prod/package.json,/scripts/bench/node_modules/json-schema/package.json,/fixtures/packaging/webpack-alias/dev/package.json,/fixtures/packaging/webpack/dev/package.json,/fixtures/expiration/node_modules/json-schema/package.json,/fixtures/packaging/webpack/prod/package.json,/fixtures/concurrent/time-slicing/node_modules/json-schema/package.json,/node_modules/json-schema/package.json,/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - jest-20.0.4.tgz
    - jest-cli-20.0.4.tgz
      - jest-environment-jsdom-20.0.3.tgz
        - jsdom-9.12.0.tgz
          - request-2.83.0.tgz
            - http-signature-1.2.0.tgz
              - jsprim-1.4.1.tgz
                - ❌ json-schema-0.2.3.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-11-13
URL: CVE-2021-3918
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution (json-schema): 0.4.0
Direct dependency fix Resolution (react-scripts): 1.1.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-23383
Vulnerable Library - handlebars-4.5.3.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/fixtures/expiration/node_modules/handlebars/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - jest-20.0.4.tgz
    - jest-cli-20.0.4.tgz
      - istanbul-api-1.2.1.tgz
        - istanbul-reports-1.1.3.tgz
          - ❌ handlebars-4.5.3.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-05-04
URL: CVE-2021-23383
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 3.3%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383
Release Date: 2021-05-04
Fix Resolution (handlebars): 4.7.7
Direct dependency fix Resolution (react-scripts): 1.1.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-23369
Vulnerable Library - handlebars-4.5.3.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/fixtures/expiration/node_modules/handlebars/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - jest-20.0.4.tgz
    - jest-cli-20.0.4.tgz
      - istanbul-api-1.2.1.tgz
        - istanbul-reports-1.1.3.tgz
          - ❌ handlebars-4.5.3.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-04-12
URL: CVE-2021-23369
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 14.9%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-04-12
Fix Resolution (handlebars): 4.7.7
Direct dependency fix Resolution (react-scripts): 1.1.0
In order to enable automatic remediation, please create workflow rules
CVE-2020-7788
Vulnerable Library - ini-1.3.4.tgz
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.4.tgz
Path to dependency file: /fixtures/packaging/webpack-alias/dev/package.json
Path to vulnerable library: /fixtures/packaging/webpack-alias/dev/package.json,/fixtures/packaging/webpack-alias/prod/package.json,/fixtures/packaging/webpack/dev/package.json,/scripts/bench/node_modules/ini/package.json,/fixtures/expiration/node_modules/ini/package.json,/fixtures/attribute-behavior/package.json,/fixtures/packaging/webpack/prod/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - sw-precache-webpack-plugin-0.11.4.tgz
    - sw-precache-5.2.0.tgz
      - update-notifier-1.0.3.tgz
        - latest-version-2.0.0.tgz
          - package-json-2.4.0.tgz
            - registry-auth-token-3.3.1.tgz
              - rc-1.2.2.tgz
                - ❌ ini-1.3.4.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.2%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution (ini): 1.3.6
Direct dependency fix Resolution (react-scripts): 1.1.0
In order to enable automatic remediation, please create workflow rules
CVE-2020-28499
Vulnerable Library - merge-1.2.0.tgz
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - jest-20.0.4.tgz
    - jest-cli-20.0.4.tgz
      - jest-haste-map-20.0.5.tgz
        - sane-1.6.0.tgz
          - exec-sh-0.2.1.tgz
            - ❌ merge-1.2.0.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge.
Mend Note: Converted from WS-2020-0218, on 2021-07-21.
Publish Date: 2021-02-18
URL: CVE-2020-28499
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2021-02-18
Fix Resolution (merge): 2.1.0
Direct dependency fix Resolution (react-scripts): 3.0.0
In order to enable automatic remediation for this issue, please create workflow rules
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - ip-1.1.5.tgz
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Publish Date: 2024-02-08
URL: CVE-2023-42282
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-42282
Release Date: 2024-02-08
Fix Resolution (ip): 1.1.9
Direct dependency fix Resolution (react-scripts): 1.1.0
Vulnerable Library - tough-cookie-2.3.3.tgz
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.3.tgz
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution (tough-cookie): 4.1.3
Direct dependency fix Resolution (react-scripts): 4.0.0
Vulnerable Libraries - loader-utils-0.2.17.tgz, loader-utils-1.1.0.tgz
loader-utils-0.2.17.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.17.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/fixtures/packaging/webpack/prod/node_modules/loader-utils/package.json,/fixtures/packaging/webpack-alias/prod/node_modules/loader-utils/package.json,/fixtures/packaging/webpack/dev/node_modules/loader-utils/package.json,/fixtures/packaging/webpack-alias/dev/node_modules/loader-utils/package.json,/fixtures/expiration/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json,/fixtures/concurrent/time-slicing/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json
Dependency Hierarchy:
loader-utils-1.1.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.1.0.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/node_modules/loader-utils/package.json,/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.7%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (react-scripts): 4.0.0
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (react-scripts): 4.0.0
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - uglify-js-3.7.3.tgz
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.7.3.tgz
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
Publish Date: 2022-10-20
URL: CVE-2022-37598
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.5%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-20
Fix Resolution (uglify-js): 3.13.10
Direct dependency fix Resolution (react-scripts): 3.3.1
Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.2.0.tgz
url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/fixtures/expiration/node_modules/original/node_modules/url-parse/package.json
Dependency Hierarchy:
url-parse-1.2.0.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.2.0.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/node_modules/url-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (react-scripts): 1.1.0
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (react-scripts): 1.1.0
In order to enable automatic remediation, please create workflow rules
Vulnerable Libraries - minimist-0.0.8.tgz, minimist-0.0.10.tgz, minimist-1.2.0.tgz
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Dependency Hierarchy:
minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Dependency Hierarchy:
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /fixtures/packaging/browserify/dev/package.json
Path to vulnerable library: /fixtures/packaging/browserify/dev/node_modules/minimist/package.json,/fixtures/packaging/webpack-alias/dev/package.json,/fixtures/packaging/webpack/dev/package.json,/fixtures/packaging/browserify/prod/node_modules/minimist/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/node_modules/minimist/package.json,/fixtures/packaging/webpack-alias/prod/package.json,/fixtures/packaging/webpack/prod/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.2%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (react-scripts): 1.1.0
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (react-scripts): 1.1.0
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (react-scripts): 1.1.0
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - shell-quote-1.6.1.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/node_modules/shell-quote/package.json,/node_modules/fx-runner/node_modules/shell-quote/package.json,/fixtures/concurrent/time-slicing/node_modules/shell-quote/package.json,/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is [A-z] instead of the correct [A-Za-z]. Several shell metacharacters exist in the range between capital letter Z and lowercase letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (react-scripts): 5.0.0
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - json-schema-0.2.3.tgz
JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /fixtures/packaging/webpack-alias/prod/package.json
Path to vulnerable library: /fixtures/packaging/webpack-alias/prod/package.json,/scripts/bench/node_modules/json-schema/package.json,/fixtures/packaging/webpack-alias/dev/package.json,/fixtures/packaging/webpack/dev/package.json,/fixtures/expiration/node_modules/json-schema/package.json,/fixtures/packaging/webpack/prod/package.json,/fixtures/concurrent/time-slicing/node_modules/json-schema/package.json,/node_modules/json-schema/package.json,/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-11-13
URL: CVE-2021-3918
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution (json-schema): 0.4.0
Direct dependency fix Resolution (react-scripts): 1.1.0
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - handlebars-4.5.3.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/fixtures/expiration/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-05-04
URL: CVE-2021-23383
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 3.3%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383
Release Date: 2021-05-04
Fix Resolution (handlebars): 4.7.7
Direct dependency fix Resolution (react-scripts): 1.1.0
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - handlebars-4.5.3.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/fixtures/expiration/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-04-12
URL: CVE-2021-23369
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 14.9%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2021-04-12
Fix Resolution (handlebars): 4.7.7
Direct dependency fix Resolution (react-scripts): 1.1.0
In order to enable automatic remediation, please create workflow rules