noahbjohnson / electron-foundation
An opinionated boilerplate for electron prototype apps
License: MIT License
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-8.0.0.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/ssri
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
ssri 5.2.2 through 8.0.0 (fixed in 8.0.1) processes SRI strings with a regular expression that is vulnerable to denial of service: a malicious SRI can take an extremely long time to process. Only consumers that use the strict option are affected.
Publish Date: 2021-03-12
URL: CVE-2021-27290
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290
Release Date: 2021-03-12
Fix Resolution: ssri - 6.0.2, 8.0.1
Step up your Open Source Security Game with WhiteSource here
Library: LibSass (vendored under node_modules/node-sass/src/libsass; see the CVE-2018-19839 entry). The scanner's library metadata on the LibSass entries is misattributed: the "Java based fault and performance management system" description and the OpenNMS home page (https://sourceforge.net/projects/opennms/) do not describe LibSass, which is the C++ Sass compiler bundled with node-sass.
Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df
Found in base branch: master
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.
Publish Date: 2019-01-14
URL: CVE-2019-6286
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6286
Release Date: 2019-08-06
Fix Resolution: LibSass - 3.6.0
Library: LibSass (vendored in node-sass; the scanner's OpenNMS description and home page on this entry are a misattribution)
Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df
Found in base branch: master
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11694
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11694
Release Date: 2018-06-04
Fix Resolution: LibSass - 3.6.0
Library: LibSass (vendored in node-sass; the scanner's OpenNMS description and home page on this entry are a misattribution)
Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df
Found in base branch: master
LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp.
Publish Date: 2019-11-06
URL: CVE-2019-18797
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18797
Release Date: 2019-11-06
Fix Resolution: LibSass - 3.6.3
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/path-parse
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
path-parse before 1.0.7 is vulnerable to Regular Expression Denial of Service (ReDoS) via the splitDeviceRe, splitTailRe, and splitPathRe regular expressions, which exhibit polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
Type: Upgrade version
Origin: jbgutierrez/path-parse#8
Release Date: 2021-05-04
Fix Resolution: path-parse - 1.0.7
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.14.7.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/browserslist
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution: browserslist - 4.16.5
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11697
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11697
Release Date: 2019-09-01
Fix Resolution: LibSass - 3.6.0
Regular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver-regex
Found in base branch: master
semver-regex is vulnerable to Inefficient Regular Expression Complexity (ReDoS).
Publish Date: 2021-09-15
URL: CVE-2021-3795
Type: Upgrade version
Origin: https://github.com/sindresorhus/semver-regex/releases/tag/v4.0.1
Release Date: 2021-09-15
Fix Resolution: semver-regex - 3.1.3, 4.0.1
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-2.1.3.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/css-what
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/css-what
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
css-what before 5.0.1 for Node.js does not ensure that attribute-selector parsing runs in linear time relative to the size of the input, so a crafted selector can make parsing take super-linear time (denial of service).
Publish Date: 2021-05-28
URL: CVE-2021-33587
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution: css-what - 5.0.1
Library: LibSass (vendored in node-sass; the scanner's home page for this entry, https://metacpan.org/pod/CSS::Sass, is a misattribution to the Perl binding)
Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df
Found in base branch: master
Path to vulnerable library: electron-foundation/node_modules/node-sass/src/libsass/src/utf8/checked.h
In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial of service resulting from a heap-based buffer over-read via a crafted sass file.
Publish Date: 2018-12-04
URL: CVE-2018-19839
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19839
Release Date: 2018-12-04
Fix Resolution: LibSass - 3.6.0
Library: LibSass (vendored in node-sass; the scanner's OpenNMS description and home page on this entry are a misattribution)
Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df
Found in base branch: master
The parsing component in LibSass through 3.5.5 allows attackers to cause a denial of service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).
Publish Date: 2019-04-23
URL: CVE-2018-20821
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20821
Release Date: 2019-04-23
Fix Resolution: LibSass - 3.6.0
A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)
Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-8.0.0.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/node-notifier
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
node-notifier before 9.0.0 allows an attacker to run arbitrary commands on Linux machines because option parameters passed as an array are not sanitised.
Publish Date: 2020-12-11
URL: CVE-2020-7789
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7789
Release Date: 2020-12-11
Fix Resolution: node-notifier - 9.0.0
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/url-parse
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
url-parse before 1.5.0 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.
Publish Date: 2021-02-22
URL: CVE-2021-27515
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27515
Release Date: 2021-02-22
Fix Resolution: url-parse - 1.5.0
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-7.4.0.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/ws
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-6.2.1.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/ws
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-WebSocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size Node.js flag and/or the maxHeaderSize option of Node's HTTP server.
Publish Date: 2021-05-25
URL: CVE-2021-32640
Type: Upgrade version
Origin: GHSA-6fc8-4gx4-v693
Release Date: 2021-05-25
Fix Resolution: ws - 7.4.6
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/hosted-git-info
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the shortcutMatch regular expression in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution: hosted-git-info - 2.8.9, 3.0.8
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/browserslist
CVE | Severity | CVSS | Dependency | Type | Fixed in (eslint-plugin-compat version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2021-23364 | Medium | 5.3 | browserslist-4.14.7.tgz | Transitive | 3.9.0 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.14.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/browserslist
Found in base branch: master
browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution (browserslist): 4.16.5
Direct dependency fix Resolution (eslint-plugin-compat): 3.9.0
Library: LibSass (vendored in node-sass; the scanner's home page for this entry, https://metacpan.org/pod/CSS::Sass, is a misattribution to the Perl binding)
Found in base branch: master
LibSass versions 3.2.0 through 3.6.3 may read 1 byte outside an allocated buffer while parsing a specially crafted CSS rule.
Publish Date: 2019-07-16
URL: WS-2019-0605
Type: Upgrade version
Origin: https://osv.dev/vulnerability/OSV-2020-734
Release Date: 2019-07-16
Fix Resolution: LibSass - 3.6.4
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/elliptic
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
elliptic before 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js: there is no check that the public key point passed into the derive function actually lies on the secp256k1 curve. As a result, the private key used in this implementation can potentially be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution: elliptic - 6.5.4
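The missing check the advisory describes is public-key point validation before ECDH. The following is an added example, not elliptic's code. It implements that validation for secp256k1 with BigInt arithmetic using the SEC 2 curve parameters, and wraps a caller-supplied `derive` callback (a placeholder for this example, not elliptic's API) so that off-curve, out-of-range or malformed points are rejected before any scalar multiplication happens.

```javascript
// Added example (not elliptic's code): the public-key validation that the
// vulnerable derive() path lacked. Before using a peer's point in ECDH,
// confirm the coordinates are in range and satisfy the secp256k1 equation
// y^2 = x^3 + 7 (mod p). A point off the curve lies on some other curve
// whose group may have small subgroups, and repeated ECDH against such
// points leaks the private key a few bits at a time (invalid-curve attack).

// secp256k1 domain parameters (SEC 2). Cofactor h = 1, so any point on the
// curve is automatically in the prime-order subgroup.
const P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2Fn;
const B = 7n;
const GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798n;
const GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8n;

function mod(a, m) {
  const r = a % m;
  return r < 0n ? r + m : r;
}

// True only for an affine point {x, y} with 0 <= x, y < p that lies on
// y^2 = x^3 + 7 over F_p. null (point at infinity) is rejected because
// ECDH with it produces a useless shared secret.
function isValidSecp256k1Point(point) {
  if (point === null || typeof point !== 'object') return false;
  const { x, y } = point;
  if (typeof x !== 'bigint' || typeof y !== 'bigint') return false;
  if (x < 0n || x >= P || y < 0n || y >= P) return false;
  const lhs = mod(y * y, P);
  const rhs = mod(x * x * x + B, P);
  return lhs === rhs;
}

// Parse a 65-byte uncompressed SEC1 encoding (0x04 || X || Y) given as hex
// into {x, y}, or return null if malformed. Constructed helper for this example.
function parseUncompressed(hex) {
  if (typeof hex !== 'string' || hex.length !== 130 || !hex.startsWith('04')) return null;
  if (!/^[0-9a-fA-F]+$/.test(hex)) return null;
  return { x: BigInt('0x' + hex.slice(2, 66)), y: BigInt('0x' + hex.slice(66, 130)) };
}

// Hardened wrapper: refuse to run the ECDH step on a point that fails
// validation. `derive` is a placeholder for the library's shared-secret
// computation and is supplied by the caller.
function safeDerive(peerPubHex, derive) {
  const pt = parseUncompressed(peerPubHex);
  if (!isValidSecp256k1Point(pt)) {
    throw new Error('peer public key is not a valid secp256k1 point');
  }
  return derive(pt);
}

function toHex(n) { return n.toString(16).padStart(64, '0'); }

// Constructed inputs: the generator G (valid) and G with y+1 (off-curve).
const VALID_G_HEX = '04' + toHex(GX) + toHex(GY);
const INVALID_HEX = '04' + toHex(GX) + toHex(GY + 1n);

module.exports = { P, GX, GY, isValidSecp256k1Point, parseUncompressed, safeDerive, VALID_G_HEX, INVALID_HEX };
```

For curves with cofactor greater than 1 (for example Curve25519 in Weierstrass form or the NIST binary curves) the on-curve test alone is not sufficient, and the point must additionally be checked to lie in the prime-order subgroup; secp256k1's cofactor of 1 is why the check above stops at the curve equation.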
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge
Found in base branch: master
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution: node-forge - 1.0.0
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/ini
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution: ini - 1.3.6
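Both the ini entry above and the earlier node-forge forge.debug entry describe prototype pollution: a parser that writes attacker-chosen property names into plain objects. The following is an added example, not the ini or node-forge source. It uses a deliberately minimal, constructed INI grammar (sections and key=value lines) to show the vulnerable container-and-assignment pattern, the resulting pollution of Object.prototype, and a hardened parser built on null-prototype objects, a reserved-key deny-list and Object.defineProperty.

```javascript
// Added example (not the ini or node-forge code): how a parser that assigns
// into plain objects with attacker-chosen section and key names pollutes
// Object.prototype, and a hardened parser that cannot. The INI grammar is a
// constructed minimal one: [section] headers and key = value lines.

// Vulnerable pattern: plain {} containers and unchecked property names.
// A section named __proto__ resolves (through the inherited accessor) to
// Object.prototype, so the key=value lines that follow are written onto
// every object in the process.
function parseIniVulnerable(text) {
  const out = {};
  let section = out;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const sec = /^\[(.+)\]$/.exec(line);
    if (sec) {
      section = out[sec[1]] = out[sec[1]] || {};
      continue;
    }
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    section[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return out;
}

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened pattern: null-prototype containers (no inherited __proto__
// accessor to reach), an explicit deny-list for the names that matter on
// ordinary objects, and defineProperty so that no setter is ever invoked
// even if a container with a prototype slips in later.
function parseIniSafe(text) {
  const out = Object.create(null);
  let section = out;
  const set = (obj, key, value) => {
    if (FORBIDDEN.has(key)) throw new Error(`refusing to set reserved key "${key}"`);
    Object.defineProperty(obj, key, { value, enumerable: true, writable: true, configurable: true });
  };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const sec = /^\[(.+)\]$/.exec(line);
    if (sec) {
      const name = sec[1];
      if (!(name in out)) set(out, name, Object.create(null));
      section = out[name];
      continue;
    }
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    set(section, line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return out;
}

// Constructed malicious input in the shape of the CVE-2020-7788 payload class.
const MALICIOUS_INI = '[__proto__]\npolluted = yes\n';

// Runs the vulnerable parser, records whether an unrelated fresh object
// inherited the injected key, then removes the pollution so later code is
// unaffected. Returns 'yes' on the vulnerable code path.
function demonstratePollution() {
  parseIniVulnerable(MALICIOUS_INI);
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return leaked;
}

module.exports = { parseIniVulnerable, parseIniSafe, demonstratePollution, MALICIOUS_INI };
```

Whether a pollution is "exploitable further", as the advisory puts it, depends on what downstream code reads from objects without own-property checks (options objects, template contexts, `hasOwnProperty`-free lookups); the parser-side fix removes the write, and callers should still read with `Object.hasOwn` or null-prototype maps where untrusted data is involved.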
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse
Found in base branch: master
url-parse is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2021-07-26
URL: CVE-2021-3664
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664
Release Date: 2021-07-26
Fix Resolution: url-parse - 1.5.2
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver-regex
CVE | Severity | CVSS | Dependency | Type | Fixed in (husky version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2021-43307 | High | 7.5 | semver-regex-2.0.0.tgz | Transitive | 4.3.7 | ❌ |
CVE-2021-3795 | High | 7.5 | semver-regex-2.0.0.tgz | Transitive | 4.3.7 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Regular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver-regex
Found in base branch: master
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package when an attacker is able to supply arbitrary input to the test() method.
Publish Date: 2022-06-02
URL: CVE-2021-43307
Type: Upgrade version
Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/
Release Date: 2022-06-02
Fix Resolution (semver-regex): 3.1.4
Direct dependency fix Resolution (husky): 4.3.7
Regular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver-regex
Found in base branch: master
semver-regex is vulnerable to Inefficient Regular Expression Complexity (ReDoS).
Publish Date: 2021-09-15
URL: CVE-2021-3795
Type: Upgrade version
Release Date: 2021-09-15
Fix Resolution (semver-regex): 3.1.3
Direct dependency fix Resolution (husky): 4.3.7
Library: LibSass (vendored in node-sass; the scanner's OpenNMS description and home page on this entry are a misattribution)
Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df
Found in base branch: master
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.
Publish Date: 2019-01-14
URL: CVE-2019-6284
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6284
Release Date: 2019-08-06
Fix Resolution: LibSass - 3.6.0
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/is-svg
Found in base branch: master
is-svg versions 2.1.0 through 4.2.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when the application checks a crafted invalid SVG string.
Publish Date: 2021-06-21
URL: CVE-2021-29059
Type: Upgrade version
Origin: https://github.com/sindresorhus/is-svg/releases/tag/v4.3.0
Release Date: 2021-06-21
Fix Resolution: is-svg - 4.3.0
Trim newlines from the start and/or end of a string
Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/trim-newlines
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Publish Date: 2021-05-28
URL: CVE-2021-33623
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623
Release Date: 2021-05-28
Fix Resolution: trim-newlines - 3.0.1, 4.0.1
Library: LibSass (vendored in node-sass; the scanner's OpenNMS description and home page on this entry are a misattribution)
Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df
Found in base branch: master
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-03
URL: CVE-2018-19797
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19797
Release Date: 2018-12-03
Fix Resolution: LibSass - 3.6.0
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent
CVE | Severity | CVSS | Dependency | Type | Fixed in (eslint-plugin version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2020-28469 | High | 7.5 | glob-parent-5.1.1.tgz | Transitive | 4.8.2 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent
Found in base branch: master
glob-parent before 5.1.2 is vulnerable to Regular Expression Denial of Service (ReDoS) in the enclosure regex used to check for strings ending in an enclosure that contains a path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (@typescript-eslint/eslint-plugin): 4.8.2
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.1.7.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/postcss
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/postcss
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Publish Date: 2021-04-12
URL: CVE-2021-23368
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368
Release Date: 2021-04-12
Fix Resolution: postcss - 8.2.10
Library: LibSass (vendored in node-sass; the scanner's OpenNMS description and home page on this entry are a misattribution)
Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df
Found in base branch: master
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-17
URL: CVE-2018-20190
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20190
Release Date: 2018-12-17
Fix Resolution: LibSass - 3.6.0
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent
Found in base branch: master
glob-parent before 5.1.2 is vulnerable to Regular Expression Denial of Service (ReDoS) in the enclosure regex used to check for strings ending in an enclosure that contains a path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.1.7.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/postcss
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/postcss
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution: postcss - 8.2.13
Library: LibSass (vendored in node-sass; the scanner's OpenNMS description and home page on this entry are a misattribution)
Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df
Found in base branch: master
LibSass 3.5.4 allows attackers to cause a denial of service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp).
Publish Date: 2019-04-23
URL: CVE-2018-20822
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20822
Release Date: 2019-08-06
Fix Resolution: LibSass - 3.6.0; node-sass - 4.13.1
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/is-svg
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
Publish Date: 2021-03-12
URL: CVE-2021-28092
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092
Release Date: 2021-03-12
Fix Resolution: is-svg - 4.2.2
Library: LibSass (vendored in node-sass; the scanner's OpenNMS description and home page on this entry are a misattribution)
Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df
Found in base branch: master
In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial of service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().
Publish Date: 2018-12-04
URL: CVE-2018-19838
Type: Upgrade version
Origin: sass/libsass#2660
Release Date: 2018-12-04
Fix Resolution: LibSass - 3.6.1
Library: LibSass (vendored in node-sass; the scanner's OpenNMS description and home page on this entry are a misattribution)
Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df
Found in base branch: master
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.
Publish Date: 2019-01-14
URL: CVE-2019-6283
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6283
Release Date: 2019-08-06
Fix Resolution: LibSass - 3.6.0
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge
Found in base branch: master
forge is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2022-01-06
URL: CVE-2022-0122
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution: node-forge - 1.0.0
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse
CVE | Severity | CVSS | Dependency | Type | Fixed in (webpack-dev-server version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-42282 | Critical | 9.8 | ip-1.1.5.tgz | Transitive | 3.11.1 | ❌ |
CVE-2022-0691 | Critical | 9.8 | url-parse-1.4.7.tgz | Transitive | 3.11.1 | ❌ |
CVE-2022-1650 | Critical | 9.3 | eventsource-1.0.7.tgz | Transitive | 3.11.1 | ❌ |
CVE-2022-0686 | Critical | 9.1 | url-parse-1.4.7.tgz | Transitive | 3.11.1 | ❌ |
CVE-2021-43138 | High | 7.8 | async-2.6.3.tgz | Transitive | 3.11.1 | ❌ |
CVE-2022-24772 | High | 7.5 | node-forge-0.10.0.tgz | Transitive | 4.7.3 | ❌ |
CVE-2022-24771 | High | 7.5 | node-forge-0.10.0.tgz | Transitive | 4.7.3 | ❌ |
CVE-2020-28469 | High | 7.5 | glob-parent-3.1.0.tgz | Transitive | 4.0.0 | ❌ |
WS-2022-0008 | Medium | 6.6 | node-forge-0.10.0.tgz | Transitive | 4.7.3 | ❌ |
CVE-2022-0155 | Medium | 6.5 | follow-redirects-1.13.0.tgz | Transitive | 3.11.1 | ❌ |
CVE-2021-23386 | Medium | 6.5 | dns-packet-1.3.1.tgz | Transitive | 3.11.1 | ❌ |
CVE-2023-26159 | Medium | 6.1 | follow-redirects-1.13.0.tgz | Transitive | 3.11.1 | ❌ |
CVE-2022-0122 | Medium | 6.1 | node-forge-0.10.0.tgz | Transitive | 4.7.3 | ❌ |
CVE-2022-0536 | Medium | 5.9 | follow-redirects-1.13.0.tgz | Transitive | 3.11.1 | ❌ |
CVE-2022-24773 | Medium | 5.3 | node-forge-0.10.0.tgz | Transitive | 4.7.3 | ❌ |
CVE-2022-0639 | Medium | 5.3 | url-parse-1.4.7.tgz | Transitive | 3.11.1 | ❌ |
CVE-2022-0512 | Medium | 5.3 | url-parse-1.4.7.tgz | Transitive | 3.11.1 | ❌ |
CVE-2021-3664 | Medium | 5.3 | url-parse-1.4.7.tgz | Transitive | 3.11.1 | ❌ |
CVE-2021-32640 | Medium | 5.3 | ws-6.2.1.tgz | Transitive | 3.11.1 | ❌ |
CVE-2021-27515 | Medium | 5.3 | url-parse-1.4.7.tgz | Transitive | 3.11.1 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ip
Dependency Hierarchy:
Found in base branch: master
An issue in NPM IP Package v.1.1.8 and before allows an attacker to execute arbitrary code and obtain sensitive information via the isPublic() function.
Publish Date: 2024-02-08
URL: CVE-2023-42282
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-78xj-cgh5-2h22
Release Date: 2024-02-08
Fix Resolution (ip): 1.1.9
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse
Dependency Hierarchy:
Found in base branch: master
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
W3C compliant EventSource client for Node.js and browser (polyfill)
Library home page: https://registry.npmjs.org/eventsource/-/eventsource-1.0.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/eventsource
Dependency Hierarchy:
Found in base branch: master
Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.
Publish Date: 2022-05-12
URL: CVE-2022-1650
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-05-12
Fix Resolution (eventsource): 1.1.1
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse
Dependency Hierarchy:
Found in base branch: master
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/async
Dependency Hierarchy:
Found in base branch: master
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge
Dependency Hierarchy:
Found in base branch: master
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for trailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (webpack-dev-server): 4.7.3
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge
Dependency Hierarchy:
Found in base branch: master
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses the unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (webpack-dev-server): 4.7.3
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent
Dependency Hierarchy:
Found in base branch: master
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (webpack-dev-server): 4.0.0
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge
Dependency Hierarchy:
Found in base branch: master
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (webpack-dev-server): 4.7.3
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects
Dependency Hierarchy:
Found in base branch: master
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution (follow-redirects): 1.14.7
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
An abstract-encoding compliant module for encoding / decoding DNS packets
Library home page: https://registry.npmjs.org/dns-packet/-/dns-packet-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/dns-packet
Dependency Hierarchy:
Found in base branch: master
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.
Publish Date: 2021-05-20
URL: CVE-2021-23386
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23386
Release Date: 2021-05-20
Fix Resolution (dns-packet): 1.3.2
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects
Dependency Hierarchy:
Found in base branch: master
Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
Publish Date: 2024-01-02
URL: CVE-2023-26159
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26159
Release Date: 2024-01-02
Fix Resolution (follow-redirects): 1.15.4
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge
Dependency Hierarchy:
Found in base branch: master
forge is vulnerable to URL Redirection to Untrusted Site
Mend Note: Converted from WS-2022-0007, on 2022-11-07.
Publish Date: 2022-01-06
URL: CVE-2022-0122
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (webpack-dev-server): 4.7.3
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects
Dependency Hierarchy:
Found in base branch: master
Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.
Publish Date: 2022-02-09
URL: CVE-2022-0536
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536
Release Date: 2022-02-09
Fix Resolution (follow-redirects): 1.14.8
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge
Dependency Hierarchy:
Found in base branch: master
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24773
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (webpack-dev-server): 4.7.3
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse
Dependency Hierarchy:
Found in base branch: master
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
Publish Date: 2022-02-17
URL: CVE-2022-0639
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639
Release Date: 2022-02-17
Fix Resolution (url-parse): 1.5.7
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse
Dependency Hierarchy:
Found in base branch: master
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
Publish Date: 2022-02-14
URL: CVE-2022-0512
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512
Release Date: 2022-02-14
Fix Resolution (url-parse): 1.5.6
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse
Dependency Hierarchy:
Found in base branch: master
url-parse is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2021-07-26
URL: CVE-2021-3664
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664
Release Date: 2021-07-26
Fix Resolution (url-parse): 1.5.2
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-6.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ws
Dependency Hierarchy:
Found in base branch: master
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in [email protected] (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.
Publish Date: 2021-05-25
URL: CVE-2021-32640
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6fc8-4gx4-v693
Release Date: 2021-05-25
Fix Resolution (ws): 6.2.2
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse
Dependency Hierarchy:
Found in base branch: master
url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.
Publish Date: 2021-02-22
URL: CVE-2021-27515
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27515
Release Date: 2021-02-22
Fix Resolution (url-parse): 1.5.0
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/electron
Dependency Hierarchy:
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
The Electron framework lets you write cross-platform desktop applications using JavaScript, HTML and CSS. In affected versions of Electron IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app uses remote, calls webContents.sendToFrame, or calls event.reply in an IPC message handler then it is impacted by this issue. This has been fixed in versions 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9. There are no workarounds for this issue.
Publish Date: 2021-01-28
URL: CVE-2020-26272
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26272
Release Date: 2021-01-28
Fix Resolution: electron - 9.4.0,10.2.0,11.1.0,12.0.0-beta.9
A Java based fault and performance management system
Library home page: https://sourceforge.net/projects/opennms/
Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df
Found in base branch: master
A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.
Publish Date: 2018-05-26
URL: CVE-2018-11499
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11499
Release Date: 2018-05-26
Fix Resolution: LibSass - 3.6.0
A tiny (108 bytes), secure URL-friendly unique string ID generator
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.16.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nanoid
Dependency Hierarchy:
Found in base branch: master
The package nanoid before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows reproducing the last id generated.
Publish Date: 2022-01-14
URL: CVE-2021-23566
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23566
Release Date: 2022-01-14
Fix Resolution: nanoid - 3.1.31
A Java based fault and performance management system
Library home page: https://sourceforge.net/projects/opennms/
Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df
Found in base branch: master
In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-12-03
URL: CVE-2018-19827
Base Score Metrics:
Type: Upgrade version
Origin: sass/libsass#2784
Release Date: 2019-08-29
Fix Resolution: LibSass - 3.6.0
A Java based fault and performance management system
Library home page: https://sourceforge.net/projects/opennms/
Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df
Found in base branch: master
electron-foundation/node_modules/node-sass/src/libsass/src/sass_context.cpp
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11698
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-11698
Release Date: 2018-06-04
Fix Resolution: Libsass-3.6.0
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /electron-foundation/node_modules/electron
Dependency Hierarchy:
Found in base branch: master
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling contextIsolation in one's app. One may also disable the functionality of the createThumbnailFromPath API if one does not need it.
Publish Date: 2021-10-12
URL: CVE-2021-39184
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-mpjm-v997-c4h4
Release Date: 2021-10-12
Fix Resolution: 11.5.0
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/lodash
Dependency Hierarchy:
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Publish Date: 2021-02-15
URL: CVE-2020-28500
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution: lodash-4.17.21
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/lodash
Dependency Hierarchy:
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
Base Score Metrics:
Type: Upgrade version
Origin: lodash/lodash@3469357
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/y18n
Dependency Hierarchy:
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true
Publish Date: 2020-11-17
URL: CVE-2020-7774
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution: 3.2.2, 4.0.1, 5.0.5
An abstract-encoding compliant module for encoding / decoding DNS packets
Library home page: https://registry.npmjs.org/dns-packet/-/dns-packet-1.3.1.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/dns-packet
Dependency Hierarchy:
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.
Publish Date: 2021-05-20
URL: CVE-2021-23386
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23386
Release Date: 2021-05-20
Fix Resolution: dns-packet - 5.2.2
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-notifier
CVE | Severity | CVSS | Dependency | Type | Fixed in (jest version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-26136 | Critical | 9.8 | tough-cookie-3.0.1.tgz | Transitive | 27.0.0 | ❌ |
CVE-2023-26115 | High | 7.5 | word-wrap-1.2.3.tgz | Transitive | N/A* | ❌ |
CVE-2021-3777 | High | 7.5 | tmpl-1.0.4.tgz | Transitive | 27.0.0 | ❌ |
CVE-2020-7789 | Medium | 5.6 | node-notifier-8.0.0.tgz | Transitive | 27.0.0 | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-3.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tough-cookie
Dependency Hierarchy:
Found in base branch: master
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution (tough-cookie): 4.1.3
Direct dependency fix Resolution (jest): 27.0.0
Wrap words to a specified length.
Library home page: https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/word-wrap
Dependency Hierarchy:
Found in base branch: master
All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.
Publish Date: 2023-06-22
URL: CVE-2023-26115
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-j8xg-fqg3-53r7
Release Date: 2023-06-22
Fix Resolution: word-wrap - 1.2.4
JavaScript micro templates.
Library home page: https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tmpl
Dependency Hierarchy:
Found in base branch: master
nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-15
URL: CVE-2021-3777
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-09-15
Fix Resolution (tmpl): 1.0.5
Direct dependency fix Resolution (jest): 27.0.0
A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)
Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-8.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-notifier
Dependency Hierarchy:
Found in base branch: master
This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.
Publish Date: 2020-12-11
URL: CVE-2020-7789
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1906853
Release Date: 2020-12-11
Fix Resolution (node-notifier): 8.0.1
Direct dependency fix Resolution (jest): 27.0.0
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-4.5.0.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/normalize-url
Dependency Hierarchy:
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: electron-foundation/package.json
Path to vulnerable library: electron-foundation/node_modules/normalize-url
Dependency Hierarchy:
Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092
Found in base branch: master
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron
CVE | Severity | CVSS | Dependency | Type | Fixed in (electron version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2022-29247 | Critical | 9.8 | electron-11.0.1.tgz | Direct | 15.5.5 | ❌ |
CVE-2021-39184 | High | 8.6 | electron-11.0.1.tgz | Direct | 11.5.0 | ❌ |
CVE-2023-29198 | High | 8.5 | electron-11.0.1.tgz | Direct | 22.3.6 | ❌ |
CVE-2022-29257 | High | 7.2 | electron-11.0.1.tgz | Direct | 15.5.0 | ❌ |
CVE-2023-44402 | High | 7.0 | electron-11.0.1.tgz | Direct | 22.3.24 | ❌ |
CVE-2020-26272 | Medium | 6.5 | electron-11.0.1.tgz | Direct | 11.1.0 | ❌ |
CVE-2023-39956 | Medium | 6.1 | electron-11.0.1.tgz | Direct | 22.3.21 | ❌ |
CVE-2022-36077 | Medium | 6.1 | electron-11.0.1.tgz | Direct | 18.3.7 | ❌ |
CVE-2022-21718 | Medium | 5.0 | electron-11.0.1.tgz | Direct | 13.6.6 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
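The table above gives one "Fixed in" version per CVE, while the advisory texts further down list a fixed release per supported major line. The following added example (written for this page, not code from the electron-foundation project or from the scanner) encodes the rule a practitioner applies by hand: take the lowest fixed version whose major line is at or above the installed one, and treat the install as affected if it is below that version. It parses versions itself so it runs without the `semver` package; the lockfile shape it reads (npm `packages` map for lockfile v2/v3, top-level `dependencies` for v1) is the real npm format, and the advisory list passed in is transcribed from this page.

```javascript
// Added example: compare an installed version against an advisory's fixed-version list.
// Assumed rule: an install is affected if it is below the lowest fixed version whose
// major is >= the installed major; an install on a major newer than every fixed line
// is treated as fixed. Build metadata ("+...") is not supported by the parser.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// Pre-release identifier ordering per semver: numeric < alphanumeric, numeric compared as numbers.
function cmpIdent(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;   // a release outranks its own pre-releases (12.0.0 > 12.0.0-beta.9)
  if (!y.pre) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (x.pre[i] === undefined) return -1; // shorter pre-release list sorts first
    if (y.pre[i] === undefined) return 1;
    const c = cmpIdent(x.pre[i], y.pre[i]);
    if (c) return c;
  }
  return 0;
}

function isAffected(installed, fixedVersions) {
  const inst = parseVersion(installed);
  const candidates = fixedVersions
    .filter(f => parseVersion(f).major >= inst.major)
    .sort(compareVersions);
  if (candidates.length === 0) return false; // newer major than any fixed line (assumed fixed)
  return compareVersions(installed, candidates[0]) < 0;
}

// Read the resolved version of a top-level dependency from a parsed package-lock.json.
// Nested (deduplicated) copies under other packages are not searched here.
function installedVersionFromLock(lock, name) {
  const fromPackages = lock.packages && lock.packages[`node_modules/${name}`];
  if (fromPackages && fromPackages.version) return fromPackages.version;
  const fromDeps = lock.dependencies && lock.dependencies[name];
  if (fromDeps && fromDeps.version) return fromDeps.version;
  return null;
}

// advisories: [{ id, name, fixed: [...] }], e.g. transcribed from the report on this page.
function affectedAdvisories(lock, advisories) {
  const out = [];
  for (const adv of advisories) {
    const v = installedVersionFromLock(lock, adv.name);
    if (v !== null && isAffected(v, adv.fixed)) out.push({ id: adv.id, name: adv.name, installed: v });
  }
  return out;
}

// Constructed lock snippet matching the versions this report names.
const EXAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/electron': { version: '11.0.1' },
    'node_modules/normalize-url': { version: '4.5.0' },
  },
};

const EXAMPLE_ADVISORIES = [
  { id: 'CVE-2022-29247', name: 'electron', fixed: ['18.0.0-beta.6', '17.2.0', '16.2.6', '15.5.5'] },
  { id: 'CVE-2020-26272', name: 'electron', fixed: ['9.4.0', '10.2.0', '11.1.0', '12.0.0-beta.9'] },
  { id: 'CVE-2021-33502', name: 'normalize-url', fixed: ['4.5.1', '5.3.1', '6.0.1'] },
];

module.exports = { parseVersion, compareVersions, isAffected, installedVersionFromLock, affectedAdvisories, EXAMPLE_LOCK, EXAMPLE_ADVISORIES };
```

Feed the function the fixed-version list from the advisory description rather than from the single "Fixed in" column: the descriptions carry every patched line, and the two disagree in at least one place on this page (CVE-2022-29257 is recorded as fixed in 15.5.0 in the column, while its description names 15.5.5).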
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron
Dependency Hierarchy:
Found in base branch: master
Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows a renderer with JS execution to obtain access to a new renderer process with `nodeIntegrationInSubFrames` enabled, which in turn allows effective access to `ipcRenderer`. The `nodeIntegrationInSubFrames` option does not implicitly grant Node.js access. Rather, it depends on the existing sandbox setting. If an application is sandboxed, then `nodeIntegrationInSubFrames` just gives access to the sandboxed renderer APIs, which include `ipcRenderer`. If the application then additionally exposes IPC messages without IPC `senderFrame` validation that perform privileged actions or return confidential data, this access to `ipcRenderer` can in turn compromise your application / user even with the sandbox enabled. Electron versions 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. As a workaround, ensure that all IPC message handlers appropriately validate `senderFrame`.
Publish Date: 2022-06-13
URL: CVE-2022-29247
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29247
Release Date: 2022-06-13
Fix Resolution: 15.5.5
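The workaround for this issue is to check which frame sent each privileged IPC message. The following added example (written for this page, not code from the electron-foundation project or from Electron) shows that check as a pure function plus the registration of one handler. It assumes an Electron release that exposes `event.senderFrame` (a `WebFrameMain`, whose `url` and `parent` properties are used here); the `read-secret` channel, the `readSecret` callback and the `ALLOWED_SENDERS` allow-list are invented for the illustration. The handler registration takes `ipcMain` as a parameter so the logic can be exercised outside Electron.

```javascript
// Added example: gate privileged IPC on the sending frame (senderFrame validation).
// ALLOWED_SENDERS is an assumed allow-list of (protocol, host) pairs for the app's own UI;
// matching on the parsed URL avoids prefix tricks such as https://app.example.evil.com.
const ALLOWED_SENDERS = [
  { protocol: 'https:', host: 'app.example' },
  { protocol: 'app:', host: 'local' },
];

function isTrustedFrame(frame, allowed = ALLOWED_SENDERS) {
  if (!frame) return false;                 // no live frame behind the message: reject
  if (frame.parent !== null) return false;  // only the top-level frame may call privileged IPC;
                                            // a missing parent property is also rejected
  let u;
  try { u = new URL(frame.url); } catch { return false; }
  return allowed.some(a => a.protocol === u.protocol && a.host === u.host);
}

// Registers the privileged handler on the ipcMain passed in (the real one in main.js,
// a stand-in in tests). readSecret is the app's own privileged operation (assumed).
function registerPrivilegedHandlers(ipcMain, readSecret) {
  ipcMain.handle('read-secret', (event, name) => {
    if (!isTrustedFrame(event.senderFrame)) {
      throw new Error('read-secret: rejected message from untrusted frame');
    }
    return readSecret(name);
  });
}

// In the main process this would be: registerPrivilegedHandlers(require('electron').ipcMain, readSecret);

module.exports = { ALLOWED_SENDERS, isTrustedFrame, registerPrivilegedHandlers };
```

Apply the same check to `ipcMain.on` handlers, and keep `nodeIntegrationInSubFrames` off unless a subframe genuinely needs it; the check above is what stops a compromised subframe from driving handlers meant for the app's own top-level frame.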
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron
Dependency Hierarchy:
Found in base branch: master
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling `contextIsolation` in one's app. One may also disable the functionality of the `createThumbnailFromPath` API if one does not need it.
Publish Date: 2021-10-12
URL: CVE-2021-39184
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-mpjm-v997-c4h4
Release Date: 2021-10-12
Fix Resolution: 11.5.0
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron
Dependency Hierarchy:
Found in base branch: master
Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps using `contextIsolation` and `contextBridge` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. This issue is only exploitable if an API exposed to the main world via `contextBridge` can return an object or array that contains a JavaScript object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown: `Error: object could not be cloned`. The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported. This issue has been fixed in versions 25.0.0-alpha.2, 24.0.1, 23.2.3, and 22.3.6.
Publish Date: 2023-09-06
URL: CVE-2023-29198
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-29198
Release Date: 2023-09-06
Fix Resolution: 22.3.6
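The app-side workaround is to make sure nothing exposed over `contextBridge` can ever return a value the bridge cannot copy. The following added example (written for this page, not code from the electron-foundation project or from Electron) wraps an API object before it is handed to `contextBridge.exposeInMainWorld`, so a non-serializable return value fails inside the preload script instead of reaching the main world. It uses `structuredClone` (V8's serializer, falling back to `v8.serialize` on older Node) as a conservative proxy for "supported by the bridge": it rejects everything the bridge rejects, and also rejects functions, which the bridge would proxy, so the only cost of the conservatism is a stricter API surface. The `ok`/`bad` functions in the sample API are constructed for the illustration.

```javascript
// Added example: reject non-serializable values before they cross the context bridge.
// structuredClone throws DataCloneError for functions, DOM/canvas objects, symbols, etc.
const clone = typeof structuredClone === 'function'
  ? structuredClone
  : (v) => require('v8').deserialize(require('v8').serialize(v)); // fallback for older Node

function assertCloneable(value, where = 'return value') {
  try {
    clone(value);
  } catch (err) {
    throw new TypeError(`${where} is not serializable across the context bridge: ${err.message}`);
  }
  return value;
}

// Wrap every function in the API so its (sync or async) result is checked on the way out;
// non-function members are checked once, when the guarded object is built.
function guardExposed(api) {
  const guarded = {};
  for (const [name, member] of Object.entries(api)) {
    if (typeof member !== 'function') {
      guarded[name] = assertCloneable(member, name);
      continue;
    }
    guarded[name] = (...args) => {
      const out = member(...args);
      if (out && typeof out.then === 'function') {
        return out.then((v) => assertCloneable(v, `${name}()`));
      }
      return assertCloneable(out, `${name}()`);
    };
  }
  return guarded;
}

// Constructed sample API: `ok` returns plain data, `bad` leaks an object with a method,
// standing in for something like a canvas rendering context.
const SAMPLE_API = {
  version: '1.0.0',
  ok: () => ({ items: [1, 2], when: new Date(0) }),
  bad: () => ({ ctx: { draw() {} } }),
};

// In a preload script: contextBridge.exposeInMainWorld('api', guardExposed(SAMPLE_API));

module.exports = { assertCloneable, guardExposed, SAMPLE_API };
```

Because the guard runs in the preload script, a rejected value surfaces as an error in the isolated world, where the app controls the code, rather than as an object handed to the main world.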
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron
Dependency Hierarchy:
Found in base branch: master
Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows attackers who have control over a given app's update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components. This kind of attack would require significant privileges in a potential victim's own auto-updating infrastructure, and the ease of that attack entirely depends on the potential victim's infrastructure security. Electron versions 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. There are no known workarounds.
Publish Date: 2022-06-13
URL: CVE-2022-29257
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-77xc-hjv8-ww97
Release Date: 2022-06-13
Fix Resolution: 15.5.0
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron
Dependency Hierarchy:
Found in base branch: master
Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS. Specifically, this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the ability to edit files inside the `.app` bundle on macOS, which these fuses are supposed to protect against. There are no app side workarounds; you must update to a patched version of Electron.
Publish Date: 2023-12-01
URL: CVE-2023-44402
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-7m48-wc93-9g85
Release Date: 2023-12-01
Fix Resolution: 22.3.24
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron
Dependency Hierarchy:
Found in base branch: master
The Electron framework lets you write cross-platform desktop applications using JavaScript, HTML and CSS. In affected versions of Electron IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app uses remote, calls webContents.sendToFrame, or calls event.reply in an IPC message handler then it is impacted by this issue. This has been fixed in versions 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9. There are no workarounds for this issue.
Publish Date: 2021-01-28
URL: CVE-2020-26272
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26272
Release Date: 2021-01-28
Fix Resolution: 11.1.0
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron
Dependency Hierarchy:
Found in base branch: master
Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps that are launched as command line executables are impacted. Specifically, this issue can only be exploited if the following conditions are met: 1. The app is launched with an attacker-controlled working directory and 2. The attacker has the ability to write files to that working directory. This makes the risk quite low; in fact, normally issues of this kind are considered outside of our threat model as, similar to Chromium, we exclude Physically Local Attacks, but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. This issue has been fixed in versions: 26.0.0-beta.13, 25.4.1, 24.7.1, 23.3.13, and 22.3.19. There are no app side workarounds; users must update to a patched version of Electron.
Publish Date: 2023-09-06
URL: CVE-2023-39956
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-39956
Release Date: 2023-09-06
Fix Resolution: 22.3.21
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron
Dependency Hierarchy:
Found in base branch: master
The Electron framework enables writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7, Electron is vulnerable to Exposure of Sensitive Information. When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is an SMB URL such as `file://some.website.com/`, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials. This issue has been patched in versions 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7. Users are recommended to upgrade to the latest stable version of Electron. If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the `WebContents.on('will-redirect')` event, for all WebContents, as a workaround.
Publish Date: 2022-11-08
URL: CVE-2022-36077
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-p2jh-44qj-pf2v
Release Date: 2022-11-08
Fix Resolution: 18.3.7
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron
Dependency Hierarchy:
Found in base branch: master
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.
Publish Date: 2022-03-22
URL: CVE-2022-21718
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21718
Release Date: 2022-03-22
Fix Resolution: 13.6.6
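Two of the workarounds on this page, blocking redirects to file:// URLs for every WebContents (CVE-2022-36077) and installing a `select-bluetooth-device` handler (CVE-2022-21718), attach to the same place in the main process: the `app` `web-contents-created` event fires for every WebContents, so one listener there covers windows, webviews and subsequently created views alike. The following added example (written for this page, not code from the electron-foundation project, from Electron or from the GitHub advisory) installs both. It takes the `app` object as a parameter so the decision logic can be exercised without Electron; the event names and handler signatures (`will-redirect` with `event.preventDefault()`, `select-bluetooth-device` answered with an empty device id to cancel) are Electron's documented ones.

```javascript
// Added example: per-WebContents hardening installed from the main process.

// A redirect target is refused if it parses as a file: URL. Parsing (rather than a
// string prefix test) also catches case variants such as FILE://host/share, which is
// the SMB/NTLM case the advisory describes when the host part is non-empty.
function isFileUrl(url) {
  try {
    return new URL(url).protocol === 'file:';
  } catch {
    return false; // unparseable: let Chromium's own handling deal with it
  }
}

// Install on every WebContents the app creates. `app` is Electron's app in main.js;
// a stand-in object with the same `on` method is enough to test the wiring.
function installWebContentsHardening(app) {
  app.on('web-contents-created', (_event, contents) => {
    // CVE-2022-36077 workaround: never follow a redirect into file://.
    contents.on('will-redirect', (event, url) => {
      if (isFileUrl(url)) event.preventDefault();
    });

    // CVE-2022-21718 workaround: take ownership of Web Bluetooth device selection.
    // Calling back with an empty id cancels the request; an app that really uses
    // Web Bluetooth would prompt the user and pass the chosen deviceId instead.
    contents.on('select-bluetooth-device', (event, _devices, callback) => {
      event.preventDefault();
      callback('');
    });
  });
}

// In main.js: installWebContentsHardening(require('electron').app);

module.exports = { isFileUrl, installWebContentsHardening };
```

Install the listener before any window is created; a `web-contents-created` listener registered after the first `BrowserWindow` misses that window's WebContents.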