Git Product home page Git Product logo

node-passwordless-login's Introduction

Implementing Passwordless Login Using the Nexmo Verify API

This repo contains the example code for our tutorial on using the Nexmo Verify API to authenticate a user by their mobile phone number. It is written in Node.js using the Express framework.

Installing your own version

Follow these steps to get your own version of this up and running:

git clone https://github.com/nexmo-community/node-passwordless-login.git
cd node-passwordless-login && npm install

Configuring the application

Once installed, copy the .env-example file to .env in the application's root directory. Enter your API key and secret from the Nexmo Developer Dashboard and also a name for your application which will appear on the home page and also in the from field of any SMS sent via the Verify API.

NEXMO_API_KEY=YOUR NEXMO API KEY
NEXMO_API_SECRET=YOUR NEXMO API SECRET
NEXMO_BRAND_NAME=UP TO 11 ALPHANUMERIC CHARACTERS

Running the application

You should then be able to run the app with npm start.

node-passwordless-login's People

Stargazers

avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

node-passwordless-login's Issues

nexmo-2.4.0.tgz: 6 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - nexmo-2.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Found in HEAD commit: 0b2f3b3be174bbf9facd61f644e49627d59aea49

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (nexmo version) Remediation Available
CVE-2021-3918 High 9.8 json-schema-0.2.3.tgz Transitive 2.4.1
CVE-2022-23529 High 7.6 jsonwebtoken-8.4.0.tgz Transitive N/A*
CVE-2022-23540 Medium 6.4 jsonwebtoken-8.4.0.tgz Transitive N/A*
CVE-2022-23539 Medium 5.9 jsonwebtoken-8.4.0.tgz Transitive N/A*
CVE-2020-15366 Medium 5.6 ajv-6.6.1.tgz Transitive 2.4.1
CVE-2022-23541 Medium 5.0 jsonwebtoken-8.4.0.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2021-3918

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json-schema/package.json

Dependency Hierarchy:

  • nexmo-2.4.0.tgz (Root Library)
    • request-2.88.0.tgz
      • http-signature-1.2.0.tgz
        • jsprim-1.4.1.tgz
          • json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 0b2f3b3be174bbf9facd61f644e49627d59aea49

Found in base branch: main

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (nexmo): 2.4.1

⛑️ Automatic Remediation is available for this issue

CVE-2022-23529

Vulnerable Library - jsonwebtoken-8.4.0.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

  • nexmo-2.4.0.tgz (Root Library)
    • jsonwebtoken-8.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 0b2f3b3be174bbf9facd61f644e49627d59aea49

Found in base branch: main

Vulnerability Details

node-jsonwebtoken is a JsonWebToken implementation for node.js. For versions <= 8.5.1 of jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link of the jwt.verify() function, they can write arbitrary files on the host machine. Users are affected only if untrusted entities are allowed to modify the key retrieval parameter of the jwt.verify() on a host that you control. This issue has been fixed, please update to version 9.0.0.

Publish Date: 2022-12-21

URL: CVE-2022-23529

CVSS 3 Score Details (7.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-27h2-hvpr-p74q

Release Date: 2022-12-21

Fix Resolution: jsonwebtoken - 9.0.0

CVE-2022-23540

Vulnerable Library - jsonwebtoken-8.4.0.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

  • nexmo-2.4.0.tgz (Root Library)
    • jsonwebtoken-8.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 0b2f3b3be174bbf9facd61f644e49627d59aea49

Found in base branch: main

Vulnerability Details

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify() function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

Publish Date: 2022-12-22

URL: CVE-2022-23540

CVSS 3 Score Details (6.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23540

Release Date: 2022-12-22

Fix Resolution: jsonwebtoken - 9.0.0

CVE-2022-23539

Vulnerable Library - jsonwebtoken-8.4.0.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

  • nexmo-2.4.0.tgz (Root Library)
    • jsonwebtoken-8.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 0b2f3b3be174bbf9facd61f644e49627d59aea49

Found in base branch: main

Vulnerability Details

Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.

Publish Date: 2022-12-23

URL: CVE-2022-23539

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8cf7-32gw-wr33

Release Date: 2022-12-23

Fix Resolution: jsonwebtoken - 9.0.0

CVE-2020-15366

Vulnerable Library - ajv-6.6.1.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-6.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ajv/package.json

Dependency Hierarchy:

  • nexmo-2.4.0.tgz (Root Library)
    • request-2.88.0.tgz
      • har-validator-5.1.3.tgz
        • ajv-6.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 0b2f3b3be174bbf9facd61f644e49627d59aea49

Found in base branch: main

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-15

Fix Resolution (ajv): 6.12.3

Direct dependency fix Resolution (nexmo): 2.4.1

⛑️ Automatic Remediation is available for this issue

CVE-2022-23541

Vulnerable Library - jsonwebtoken-8.4.0.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

  • nexmo-2.4.0.tgz (Root Library)
    • jsonwebtoken-8.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 0b2f3b3be174bbf9facd61f644e49627d59aea49

Found in base branch: main

Vulnerability Details

jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.

Publish Date: 2022-12-22

URL: CVE-2022-23541

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hjrf-2m68-5959

Release Date: 2022-12-22

Fix Resolution: jsonwebtoken - 9.0.0

⛑️ Automatic Remediation is available for this issue.

pug-2.0.3.tgz: 6 vulnerabilities (highest severity is: 9.1) - autoclosed

Vulnerable Library - pug-2.0.3.tgz

A clean, whitespace-sensitive template language for writing HTML

Library home page: https://registry.npmjs.org/pug/-/pug-2.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pug/package.json

Found in HEAD commit: 0b2f3b3be174bbf9facd61f644e49627d59aea49

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (pug version) Remediation Available
CVE-2019-10744 High 9.1 lodash-4.17.11.tgz Transitive 2.0.4
CVE-2021-21353 High 9.0 detected in multiple dependencies Direct 3.0.0-canary-1
CVE-2021-23343 High 7.5 path-parse-1.0.6.tgz Transitive 2.0.4
CVE-2020-8203 High 7.4 lodash-4.17.11.tgz Transitive 2.0.4
CVE-2021-23337 High 7.2 lodash-4.17.11.tgz Transitive 2.0.4
CVE-2020-28500 Medium 5.3 lodash-4.17.11.tgz Transitive 2.0.4

Details

CVE-2019-10744

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • pug-2.0.3.tgz (Root Library)
    • pug-filters-3.1.0.tgz
      • constantinople-3.1.2.tgz
        • babel-types-6.26.0.tgz
          • lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: 0b2f3b3be174bbf9facd61f644e49627d59aea49

Found in base branch: main

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (pug): 2.0.4

⛑️ Automatic Remediation is available for this issue

CVE-2021-21353

Vulnerable Libraries - pug-2.0.3.tgz, pug-code-gen-2.0.1.tgz

pug-2.0.3.tgz

A clean, whitespace-sensitive template language for writing HTML

Library home page: https://registry.npmjs.org/pug/-/pug-2.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pug/package.json

Dependency Hierarchy:

  • pug-2.0.3.tgz (Vulnerable Library)

pug-code-gen-2.0.1.tgz

Default code-generator for pug. It generates HTML via a JavaScript template function.

Library home page: https://registry.npmjs.org/pug-code-gen/-/pug-code-gen-2.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pug-code-gen/package.json

Dependency Hierarchy:

  • pug-2.0.3.tgz (Root Library)
    • pug-code-gen-2.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 0b2f3b3be174bbf9facd61f644e49627d59aea49

Found in base branch: main

Vulnerability Details

Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the pretty option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

Publish Date: 2021-03-03

URL: CVE-2021-21353

CVSS 3 Score Details (9.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p493-635q-r6gr

Release Date: 2021-03-03

Fix Resolution (pug-code-gen): 2.0.3

Direct dependency fix Resolution (pug): 2.0.4

⛑️ Automatic Remediation is available for this issue

CVE-2021-23343

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/path-parse/package.json

Dependency Hierarchy:

  • pug-2.0.3.tgz (Root Library)
    • pug-filters-3.1.0.tgz
      • resolve-1.8.1.tgz
        • path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 0b2f3b3be174bbf9facd61f644e49627d59aea49

Found in base branch: main

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (pug): 2.0.4

⛑️ Automatic Remediation is available for this issue

CVE-2020-8203

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • pug-2.0.3.tgz (Root Library)
    • pug-filters-3.1.0.tgz
      • constantinople-3.1.2.tgz
        • babel-types-6.26.0.tgz
          • lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: 0b2f3b3be174bbf9facd61f644e49627d59aea49

Found in base branch: main

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.19

Direct dependency fix Resolution (pug): 2.0.4

⛑️ Automatic Remediation is available for this issue

CVE-2021-23337

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • pug-2.0.3.tgz (Root Library)
    • pug-filters-3.1.0.tgz
      • constantinople-3.1.2.tgz
        • babel-types-6.26.0.tgz
          • lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: 0b2f3b3be174bbf9facd61f644e49627d59aea49

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (pug): 2.0.4

⛑️ Automatic Remediation is available for this issue

CVE-2020-28500

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • pug-2.0.3.tgz (Root Library)
    • pug-filters-3.1.0.tgz
      • constantinople-3.1.2.tgz
        • babel-types-6.26.0.tgz
          • lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: 0b2f3b3be174bbf9facd61f644e49627d59aea49

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (pug): 2.0.4

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

body-parser-1.18.3.tgz: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - body-parser-1.18.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Found in HEAD commit: 0b2f3b3be174bbf9facd61f644e49627d59aea49

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (body-parser version) Remediation Available
CVE-2022-24999 High 7.5 qs-6.5.2.tgz Transitive 1.19.0

Details

CVE-2022-24999

Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

  • body-parser-1.18.3.tgz (Root Library)
    • qs-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 0b2f3b3be174bbf9facd61f644e49627d59aea49

Found in base branch: main

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (body-parser): 1.19.0

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

pug-2.0.3.tgz: 6 vulnerabilities (highest severity is: 9.1)

Vulnerable Library - pug-2.0.3.tgz

A clean, whitespace-sensitive template language for writing HTML

Library home page: https://registry.npmjs.org/pug/-/pug-2.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pug/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (pug version) Remediation Possible**
CVE-2019-10744 Critical 9.1 lodash-4.17.11.tgz Transitive 2.0.4
CVE-2021-21353 Critical 9.0 detected in multiple dependencies Direct 3.0.0-canary-1
CVE-2021-23343 High 7.5 path-parse-1.0.6.tgz Transitive 2.0.4
CVE-2020-8203 High 7.4 lodash-4.17.11.tgz Transitive 2.0.4
CVE-2021-23337 High 7.2 lodash-4.17.11.tgz Transitive 2.0.4
CVE-2020-28500 Medium 5.3 lodash-4.17.11.tgz Transitive 2.0.4

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-10744

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • pug-2.0.3.tgz (Root Library)
    • pug-filters-3.1.0.tgz
      • constantinople-3.1.2.tgz
        • babel-types-6.26.0.tgz
          • lodash-4.17.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (pug): 2.0.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-21353

Vulnerable Libraries - pug-2.0.3.tgz, pug-code-gen-2.0.1.tgz

pug-2.0.3.tgz

A clean, whitespace-sensitive template language for writing HTML

Library home page: https://registry.npmjs.org/pug/-/pug-2.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pug/package.json

Dependency Hierarchy:

  • pug-2.0.3.tgz (Vulnerable Library)

pug-code-gen-2.0.1.tgz

Default code-generator for pug. It generates HTML via a JavaScript template function.

Library home page: https://registry.npmjs.org/pug-code-gen/-/pug-code-gen-2.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pug-code-gen/package.json

Dependency Hierarchy:

  • pug-2.0.3.tgz (Root Library)
    • pug-code-gen-2.0.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the pretty option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

Publish Date: 2021-03-03

URL: CVE-2021-21353

CVSS 3 Score Details (9.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p493-635q-r6gr

Release Date: 2021-03-03

Fix Resolution (pug-code-gen): 3.0.0-canary-1

Direct dependency fix Resolution (pug): 3.0.0-canary-1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23343

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/path-parse/package.json

Dependency Hierarchy:

  • pug-2.0.3.tgz (Root Library)
    • pug-filters-3.1.0.tgz
      • resolve-1.8.1.tgz
        • path-parse-1.0.6.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (pug): 2.0.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-8203

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • pug-2.0.3.tgz (Root Library)
    • pug-filters-3.1.0.tgz
      • constantinople-3.1.2.tgz
        • babel-types-6.26.0.tgz
          • lodash-4.17.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.19

Direct dependency fix Resolution (pug): 2.0.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23337

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • pug-2.0.3.tgz (Root Library)
    • pug-filters-3.1.0.tgz
      • constantinople-3.1.2.tgz
        • babel-types-6.26.0.tgz
          • lodash-4.17.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (pug): 2.0.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-28500

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • pug-2.0.3.tgz (Root Library)
    • pug-filters-3.1.0.tgz
      • constantinople-3.1.2.tgz
        • babel-types-6.26.0.tgz
          • lodash-4.17.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (pug): 2.0.4

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

nexmo-2.4.0.tgz: 6 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - nexmo-2.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (nexmo version) Remediation Possible**
CVE-2021-3918 Critical 9.8 json-schema-0.2.3.tgz Transitive 2.4.1
CVE-2022-23539 High 8.1 jsonwebtoken-8.4.0.tgz Transitive N/A*
CVE-2022-23540 High 7.6 jsonwebtoken-8.4.0.tgz Transitive N/A*
CVE-2022-23541 Medium 6.3 jsonwebtoken-8.4.0.tgz Transitive N/A*
CVE-2023-28155 Medium 6.1 request-2.88.0.tgz Transitive N/A*
CVE-2020-15366 Medium 5.6 ajv-6.6.1.tgz Transitive 2.4.1

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-3918

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json-schema/package.json

Dependency Hierarchy:

  • nexmo-2.4.0.tgz (Root Library)
    • request-2.88.0.tgz
      • http-signature-1.2.0.tgz
        • jsprim-1.4.1.tgz
          • json-schema-0.2.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (nexmo): 2.4.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23539

Vulnerable Library - jsonwebtoken-8.4.0.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

  • nexmo-2.4.0.tgz (Root Library)
    • jsonwebtoken-8.4.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.

Publish Date: 2022-12-23

URL: CVE-2022-23539

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8cf7-32gw-wr33

Release Date: 2022-12-23

Fix Resolution: jsonwebtoken - 9.0.0

CVE-2022-23540

Vulnerable Library - jsonwebtoken-8.4.0.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

  • nexmo-2.4.0.tgz (Root Library)
    • jsonwebtoken-8.4.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify() function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

Publish Date: 2022-12-22

URL: CVE-2022-23540

CVSS 3 Score Details (7.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23540

Release Date: 2022-12-22

Fix Resolution: jsonwebtoken - 9.0.0

CVE-2022-23541

Vulnerable Library - jsonwebtoken-8.4.0.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

  • nexmo-2.4.0.tgz (Root Library)
    • jsonwebtoken-8.4.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.

Publish Date: 2022-12-22

URL: CVE-2022-23541

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hjrf-2m68-5959

Release Date: 2022-12-22

Fix Resolution: jsonwebtoken - 9.0.0

CVE-2023-28155

Vulnerable Library - request-2.88.0.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/package.json

Dependency Hierarchy:

  • nexmo-2.4.0.tgz (Root Library)
    • request-2.88.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2020-15366

Vulnerable Library - ajv-6.6.1.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-6.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ajv/package.json

Dependency Hierarchy:

  • nexmo-2.4.0.tgz (Root Library)
    • request-2.88.0.tgz
      • har-validator-5.1.3.tgz
        • ajv-6.6.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-15

Fix Resolution (ajv): 6.12.3

Direct dependency fix Resolution (nexmo): 2.4.1

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

body-parser-1.18.3.tgz: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - body-parser-1.18.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (body-parser version) Remediation Possible**
CVE-2022-24999 High 7.5 qs-6.5.2.tgz Transitive 1.19.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-24999

Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

  • body-parser-1.18.3.tgz (Root Library)
    • qs-6.5.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (body-parser): 1.19.0

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.