zhyd1997 / sponsor Goto Github PK
View Code? Open in Web Editor NEWSponsor devs on github but using crypto and streaming per second.
Home Page: https://sponsor-zhyd1997.vercel.app
Sponsor devs on github but using crypto and streaming per second.
Home Page: https://sponsor-zhyd1997.vercel.app
Path to dependency file: /package.json
Path to vulnerable library: /package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (alchemy-sdk version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2024-37890 | High | 7.5 | ws-7.4.6.tgz | Transitive | N/A* | ❌ |
CVE-2023-26159 | High | 7.3 | follow-redirects-1.15.2.tgz | Transitive | 2.2.1 | ❌ |
CVE-2024-28849 | Medium | 6.5 | follow-redirects-1.15.2.tgz | Transitive | N/A* | ❌ |
CVE-2023-45857 | Medium | 6.5 | axios-0.26.1.tgz | Transitive | 3.1.2 | ❌ |
CVE-2024-27088 | Low | 0.0 | es5-ext-0.10.62.tgz | Transitive | 2.2.1 | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-7.4.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and [email protected] (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: 2024-06-17
URL: CVE-2024-37890
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3h5v-q93c-6h6q
Release Date: 2024-06-17
Fix Resolution: ws - 5.2.4,6.2.3,7.5.10,8.17.1
Step up your Open Source Security Game with Mend here
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
Publish Date: 2024-01-02
URL: CVE-2023-26159
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26159
Release Date: 2024-01-02
Fix Resolution (follow-redirects): 1.15.4
Direct dependency fix Resolution (alchemy-sdk): 2.2.1
Step up your Open Source Security Game with Mend here
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
follow-redirects is an open source, drop-in replacement for Node's http
and https
modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-03-14
URL: CVE-2024-28849
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cxjh-pqwp-8mfp
Release Date: 2024-03-14
Fix Resolution: follow-redirects - 1.15.6
Step up your Open Source Security Game with Mend here
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.26.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
Publish Date: 2023-11-08
URL: CVE-2023-45857
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-11-08
Fix Resolution (axios): 0.28.0
Direct dependency fix Resolution (alchemy-sdk): 3.1.2
Step up your Open Source Security Game with Mend here
ECMAScript extensions and shims
Library home page: https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.62.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into function#copy
or function#toStringTokens
may cause the script to stall. The vulnerability is patched in v0.10.63.
Publish Date: 2024-02-26
URL: CVE-2024-27088
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-27088
Release Date: 2024-02-26
Fix Resolution (es5-ext): 0.10.63
Direct dependency fix Resolution (alchemy-sdk): 2.2.1
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (wagmi version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-42282 | Critical | 9.8 | ip-1.1.8.tgz | Transitive | 0.8.6 | ❌ |
CVE-2024-29415 | Critical | 9.1 | ip-1.1.8.tgz | Transitive | N/A* | ❌ |
CVE-2024-4068 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2024-37890 | High | 7.5 | detected in multiple dependencies | Transitive | 1.3.0-cjs | ❌ |
CVE-2022-38900 | High | 7.5 | decode-uri-component-0.2.0.tgz | Transitive | 0.8.6 | ❌ |
CVE-2023-45857 | Medium | 6.5 | axios-0.21.4.tgz | Transitive | 0.12.0-cjs | ❌ |
CVE-2023-25166 | Medium | 5.5 | formula-3.0.0.tgz | Transitive | 0.8.6 | ❌ |
CVE-2024-4067 | Medium | 5.3 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2024-43800 | Medium | 5.0 | serve-static-1.15.0.tgz | Transitive | N/A* | ❌ |
CVE-2024-43799 | Medium | 5.0 | send-0.18.0.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
[![](https://badge.fury.io/js/ip.svg)](https://www.npmjs.com/package/ip)
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Publish Date: 2024-02-08
URL: CVE-2023-42282
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-78xj-cgh5-2h22
Release Date: 2024-02-08
Fix Resolution (ip): 1.1.9
Direct dependency fix Resolution (wagmi): 0.8.6
Step up your Open Source Security Game with Mend here
[![](https://badge.fury.io/js/ip.svg)](https://www.npmjs.com/package/ip)
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Publish Date: 2024-05-27
URL: CVE-2024-29415
Base Score Metrics:
Step up your Open Source Security Game with Mend here
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
The NPM package braces
, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js,
if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: 2024-05-13
URL: CVE-2024-4068
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-05-13
Fix Resolution: braces - 3.0.3
Step up your Open Source Security Game with Mend here
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-7.5.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-6.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-8.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-7.5.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and [email protected] (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: 2024-06-17
URL: CVE-2024-37890
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3h5v-q93c-6h6q
Release Date: 2024-06-17
Fix Resolution (ws): 7.5.10
Direct dependency fix Resolution (wagmi): 1.3.0-cjs
Fix Resolution (ws): 7.5.10
Direct dependency fix Resolution (wagmi): 1.3.0-cjs
Fix Resolution (ws): 7.5.10
Direct dependency fix Resolution (wagmi): 1.3.0-cjs
Fix Resolution (ws): 7.5.10
Direct dependency fix Resolution (wagmi): 1.3.0-cjs
Step up your Open Source Security Game with Mend here
A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (wagmi): 0.8.6
Step up your Open Source Security Game with Mend here
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
Publish Date: 2023-11-08
URL: CVE-2023-45857
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-11-08
Fix Resolution (axios): 0.28.0
Direct dependency fix Resolution (wagmi): 0.12.0-cjs
Step up your Open Source Security Game with Mend here
Math and string formula parser.
Library home page: https://registry.npmjs.org/@sideway/formula/-/formula-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
formula is a math and string formula parser. In versions prior to 3.0.1 crafted user-provided strings to formula's parser might lead to polynomial execution time and a denial of service. Users should upgrade to 3.0.1+. There are no known workarounds for this vulnerability.
Publish Date: 2023-02-08
URL: CVE-2023-25166
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-25166
Release Date: 2023-02-08
Fix Resolution (@sideway/formula): 3.0.1
Direct dependency fix Resolution (wagmi): 0.8.6
Step up your Open Source Security Game with Mend here
Glob matching for javascript/node.js. A drop-in replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-3.1.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
The NPM package micromatch
prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces()
in index.js
because the pattern .*
will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 should not reflect the security risk score in NVD, but will be kept for users' awareness.
Publish Date: 2024-05-13
URL: CVE-2024-4067
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-05-13
Fix Resolution: micromatch - 4.0.8
Step up your Open Source Security Game with Mend here
Serve static files
Library home page: https://registry.npmjs.org/serve-static/-/serve-static-1.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.
Publish Date: 2024-09-10
URL: CVE-2024-43800
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cm22-4g7w-348p
Release Date: 2024-09-10
Fix Resolution: serve-static - 1.16.0,2.1.0
Step up your Open Source Security Game with Mend here
Better streaming static file server with Range and conditional-GET support
Library home page: https://registry.npmjs.org/send/-/send-0.18.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.
Publish Date: 2024-09-10
URL: CVE-2024-43799
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-m6fv-jmcg-4jfg
Release Date: 2024-09-10
Fix Resolution: send - 0.19.0
Step up your Open Source Security Game with Mend here
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are currently rate-limited. Click on a checkbox below to force their creation now.
@mui/icons-material
, @mui/material
)These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
@types/react
, @types/react-dom
, react
, react-dom
)package.json
@emotion/react ^11.10.5
@emotion/styled ^11.10.5
@mui/icons-material ^5.10.9
@mui/lab 5.0.0-alpha.106
@mui/material ^5.10.12
@rainbow-me/rainbowkit ^0.8.0
@superfluid-finance/sdk-core ^0.5.7
@types/node 18.11.9
@types/react 18.0.25
@types/react-dom 18.0.9
@vercel/analytics ^0.1.3
alchemy-sdk ^2.2.0
ethers ^5.7.2
graphql ^16.6.0
next 13.0.1
react 18.2.0
react-dom 18.2.0
react-toastify ^9.1.1
sharp ^0.31.2
typescript 4.8.4
wagmi ^0.8.5
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
CVE | Severity | CVSS | Dependency | Type | Fixed in (rainbowkit version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2022-41713 | Medium | 5.3 | deep-object-diff-1.1.7.tgz | Transitive | 0.8.1 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Deep diffs two objects, including nested structures of arrays and objects, and return the difference.
Library home page: https://registry.npmjs.org/deep-object-diff/-/deep-object-diff-1.1.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the 'proto' property to be edited.
Publish Date: 2022-11-03
URL: CVE-2022-41713
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-11-03
Fix Resolution (deep-object-diff): 1.1.9
Direct dependency fix Resolution (@rainbow-me/rainbowkit): 0.8.1
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
CVE | Severity | CVSS | Dependency | Type | Fixed in (sdk-core version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-43646 | High | 8.6 | get-func-name-2.0.0.tgz | Transitive | N/A* | ❌ |
CVE-2024-45590 | High | 7.5 | body-parser-1.20.1.tgz | Transitive | N/A* | ❌ |
CVE-2024-45296 | High | 7.5 | path-to-regexp-0.1.7.tgz | Transitive | N/A* | ❌ |
CVE-2024-37890 | High | 7.5 | ws-3.3.3.tgz | Transitive | N/A* | ❌ |
CVE-2024-21505 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2023-30542 | Medium | 6.8 | contracts-4.7.3.tgz | Transitive | N/A* | ❌ |
CVE-2024-28863 | Medium | 6.5 | tar-4.4.19.tgz | Transitive | N/A* | ❌ |
CVE-2024-27094 | Medium | 6.5 | contracts-4.7.3.tgz | Transitive | N/A* | ❌ |
CVE-2023-46234 | Medium | 6.5 | browserify-sign-4.2.1.tgz | Transitive | N/A* | ❌ |
CVE-2023-26136 | Medium | 6.5 | tough-cookie-2.5.0.tgz | Transitive | N/A* | ❌ |
CVE-2024-29041 | Medium | 6.1 | express-4.18.2.tgz | Transitive | N/A* | ❌ |
CVE-2023-28155 | Medium | 6.1 | request-2.88.2.tgz | Transitive | N/A* | ❌ |
CVE-2023-40014 | Medium | 5.3 | contracts-4.7.3.tgz | Transitive | N/A* | ❌ |
CVE-2023-34459 | Medium | 5.3 | contracts-4.7.3.tgz | Transitive | N/A* | ❌ |
CVE-2023-34234 | Medium | 5.3 | contracts-4.7.3.tgz | Transitive | N/A* | ❌ |
CVE-2023-30541 | Medium | 5.3 | contracts-4.7.3.tgz | Transitive | N/A* | ❌ |
CVE-2022-33987 | Medium | 5.3 | got-9.6.0.tgz | Transitive | N/A* | ❌ |
CVE-2022-25901 | Medium | 5.3 | cookiejar-2.1.3.tgz | Transitive | N/A* | ❌ |
CVE-2022-25883 | Medium | 5.3 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2022-25881 | Medium | 5.3 | http-cache-semantics-4.1.0.tgz | Transitive | N/A* | ❌ |
CVE-2020-7608 | Medium | 5.3 | yargs-parser-2.4.1.tgz | Transitive | N/A* | ❌ |
CVE-2024-43796 | Medium | 5.0 | express-4.18.2.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Utility for getting a function's name for node and the browser
Library home page: https://registry.npmjs.org/get-func-name/-/get-func-name-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
get-func-name is a module to retrieve a function's name securely and consistently both in NodeJS and the browser. Versions prior to 2.0.1 are subject to a regular expression denial of service (redos) vulnerability which may lead to a denial of service when parsing malicious input. This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input: '\t'.repeat(54773) + '\t/function/i'. This issue has been addressed in commit f934b228b
which has been included in releases from 2.0.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2023-09-26
URL: CVE-2023-43646
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-4q6p-r6v2-jvc5
Release Date: 2023-09-27
Fix Resolution: get-func-name - 2.0.1,3.0.0
Step up your Open Source Security Game with Mend here
Node.js body parsing middleware
Library home page: https://registry.npmjs.org/body-parser/-/body-parser-1.20.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
Publish Date: 2024-09-10
URL: CVE-2024-45590
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qwcr-r2fm-qrc7
Release Date: 2024-09-10
Fix Resolution: body-parser - 1.20.3
Step up your Open Source Security Game with Mend here
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Publish Date: 2024-09-09
URL: CVE-2024-45296
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9wv6-86v2-598j
Release Date: 2024-09-09
Fix Resolution: path-to-regexp - 0.1.10,8.0.0
Step up your Open Source Security Game with Mend here
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-3.3.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and [email protected] (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: 2024-06-17
URL: CVE-2024-37890
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3h5v-q93c-6h6q
Release Date: 2024-06-17
Fix Resolution: ws - 5.2.4,6.2.3,7.5.10,8.17.1
Step up your Open Source Security Game with Mend here
Collection of utility functions used in web3.js.
Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.8.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Collection of utility functions used in web3.js.
Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.7.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge.
An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.
Publish Date: 2024-03-25
URL: CVE-2024-21505
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21505
Release Date: 2024-03-25
Fix Resolution: web3-utils - 4.2.1
Step up your Open Source Security Game with Mend here
Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (propose
) in GovernorCompatibilityBravo
allows the creation of proposals with a signatures
array shorter than the calldatas
array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The ProposalCreated
event correctly represents what will eventually execute, but the proposal parameters as queried through getActions
appear to respect the original intended calldata. This issue has been patched in 4.8.3. As a workaround, ensure that all proposals that pass through governance have equal length signatures
and calldatas
parameters.
Publish Date: 2023-04-16
URL: CVE-2023-30542
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-93hq-5wgc-jc82
Release Date: 2023-04-16
Fix Resolution: @openzeppelin/contracts - 4.8.3;@openzeppelin/contracts-upgradeable - 4.8.3
Step up your Open Source Security Game with Mend here
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
Publish Date: 2024-03-21
URL: CVE-2024-28863
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-f5x3-32g6-xq36
Release Date: 2024-03-21
Fix Resolution: tar - 6.2.1
Step up your Open Source Security Game with Mend here
Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
OpenZeppelin Contracts is a library for secure smart contract development. The Base64.encode
function encodes a bytes
input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The vulnerability is fixed in 5.0.2 and 4.9.6.
Publish Date: 2024-02-29
URL: CVE-2024-27094
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-02-29
Fix Resolution: @openzeppelin/contracts - 4.9.6,5.0.2, @openzeppelin/contracts-upgradeable - 4.9.6,5.0.2
Step up your Open Source Security Game with Mend here
adds node crypto signing for browsers
Library home page: https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in dsaVerify
function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.
Publish Date: 2023-10-26
URL: CVE-2023-46234
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-x9w5-v3q2-3rhw
Release Date: 2023-10-26
Fix Resolution: browserify-sign - 4.2.2
Step up your Open Source Security Game with Mend here
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution: tough-cookie - 4.1.3
Step up your Open Source Security Game with Mend here
Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl
on the contents before passing it to the location
header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location()
but this is also called from within res.redirect()
. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.
Publish Date: 2024-03-25
URL: CVE-2024-29041
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-rv95-896h-c2vc
Release Date: 2024-03-25
Fix Resolution: express - 4.19.0
Step up your Open Source Security Game with Mend here
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
Step up your Open Source Security Game with Mend here
Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using ERC2771Context
along with a custom trusted forwarder may see _msgSender
return address(0)
in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common, in particular it is not the case for MinimalForwarder
from OpenZeppelin Contracts, or any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders. The problem has been patched in v4.9.3.
Publish Date: 2023-08-10
URL: CVE-2023-40014
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-g4vp-m682-qqmp
Release Date: 2023-08-10
Fix Resolution: @openzeppelin/contracts - 4.9.3;@openzeppelin/contracts-upgradeable - 4.9.3
Step up your Open Source Security Game with Mend here
Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the verifyMultiProof
, verifyMultiProofCalldata
, procesprocessMultiProof
, or processMultiProofCalldat
functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves.
A contract may be vulnerable if it uses multiproofs for verification and the merkle tree that is processed includes a node with value 0 at depth 1 (just under the root). This could happen inadvertedly for balanced trees with 3 leaves or less, if the leaves are not hashed. This could happen deliberately if a malicious tree builder includes such a node in the tree.
A contract is not vulnerable if it uses single-leaf proving (verify
, verifyCalldata
, processProof
, or processProofCalldata
), or if it uses multiproofs with a known tree that has hashed leaves. Standard merkle trees produced or validated with the @openzeppelin/merkle-tree library are safe.
The problem has been patched in version 4.9.2.
Some workarounds are available. For those using multiproofs: When constructing merkle trees hash the leaves and do not insert empty nodes in your trees. Using the @openzeppelin/merkle-tree package eliminates this issue. Do not accept user-provided merkle roots without reconstructing at least the first level of the tree. Verify the merkle tree structure by reconstructing it from the leaves.
Publish Date: 2023-06-16
URL: CVE-2023-34459
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-34459
Release Date: 2023-06-16
Fix Resolution: @openzeppelin/contracts - 4.9.2, @openzeppelin/contracts-upgradeable - 4.9.2
Step up your Open Source Security Game with Mend here
Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the Governor
contract in v4.9.0 only, and the GovernorCompatibilityBravo
contract since v4.3.0. This problem has been patched in 4.9.1 by introducing opt-in frontrunning protection. Users are advised to upgrade. Users unable to upgrade may submit the proposal creation transaction to an endpoint with frontrunning protection as a workaround.
Publish Date: 2023-06-07
URL: CVE-2023-34234
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5h3x-9wvq-w4m2
Release Date: 2023-06-07
Fix Resolution: @openzeppelin/contracts-upgradeable - 4.9.1;@openzeppelin/contracts - 4.9.1
Step up your Open Source Security Game with Mend here
Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
OpenZeppelin Contracts is a library for secure smart contract development. A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata. The probability of an accidental clash is negligible, but one could be caused deliberately and could cause a reduction in availability. The issue has been fixed in version 4.8.3. As a workaround if a function appears to be inaccessible for this reason, it may be possible to craft the calldata such that ABI decoding does not fail at the proxy and the function is properly proxied through.
Publish Date: 2023-04-17
URL: CVE-2023-30541
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-mx2q-35m2-x2rh
Release Date: 2023-04-17
Fix Resolution: @openzeppelin/contracts - 4.8.3, @openzeppelin/contracts-upgradeable - 4.8.3
Step up your Open Source Security Game with Mend here
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution: got - 11.8.5,12.1.0
Step up your Open Source Security Game with Mend here
simple persistent cookiejar system
Library home page: https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.
Publish Date: 2023-01-18
URL: CVE-2022-25901
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-01-18
Fix Resolution: cookiejar - 2.1.4
Step up your Open Source Security Game with Mend here
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2
Step up your Open Source Security Game with Mend here
Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: 2023-01-31
URL: CVE-2022-25881
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-rc47-6667-2j5j
Release Date: 2023-01-31
Fix Resolution: http-cache-semantics - 4.1.1;org.webjars.npm:http-cache-semantics:4.1.1
Step up your Open Source Security Game with Mend here
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-2.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1
Step up your Open Source Security Game with Mend here
Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
Publish Date: 2024-09-10
URL: CVE-2024-43796
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qw6h-vgh9-j6wx
Release Date: 2024-09-10
Fix Resolution: express - 4.20.0,5.0.0
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (styled version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-45133 | Critical | 9.3 | traverse-7.20.1.tgz | Transitive | 11.10.6 | ❌ |
CVE-2022-46175 | High | 7.1 | json5-2.2.1.tgz | Transitive | 11.10.6 | ❌ |
CVE-2022-25883 | Medium | 5.3 | semver-6.3.0.tgz | Transitive | 11.10.6 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.20.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Babel is a compiler for writingJavaScript. In @babel/traverse
prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse
, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()
or path.evaluateTruthy()
internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime
; @babel/preset-env
when using its useBuiltIns
option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider
, such as babel-plugin-polyfill-corejs3
, babel-plugin-polyfill-corejs2
, babel-plugin-polyfill-es-shims
, babel-plugin-polyfill-regenerator
. No other plugins under the @babel/
namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected]
and @babel/[email protected]
. Those who cannot upgrade @babel/traverse
and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse
versions: @babel/plugin-transform-runtime
v7.23.2, @babel/preset-env
v7.23.2, @babel/helper-define-polyfill-provider
v0.4.3, babel-plugin-polyfill-corejs2
v0.4.6, babel-plugin-polyfill-corejs3
v0.8.5, babel-plugin-polyfill-es-shims
v0.10.0, babel-plugin-polyfill-regenerator
v0.5.3.
Publish Date: 2023-10-12
URL: CVE-2023-45133
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: 2023-10-12
Fix Resolution (@babel/traverse): 7.23.2
Direct dependency fix Resolution (@emotion/styled): 11.10.6
Step up your Open Source Security Game with Mend here
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse
method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__
, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse
and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse
. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse
should restrict parsing of __proto__
keys when parsing JSON strings to objects. As a point of reference, the JSON.parse
method included in JavaScript ignores __proto__
keys. Simply changing JSON5.parse
to JSON.parse
in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (@emotion/styled): 11.10.6
Step up your Open Source Security Game with Mend here
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution (semver): 6.3.1
Direct dependency fix Resolution (@emotion/styled): 11.10.6
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (ethers version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2024-42461 | Critical | 9.1 | elliptic-6.5.4.tgz | Transitive | N/A* | ❌ |
CVE-2024-42460 | Medium | 5.3 | elliptic-6.5.4.tgz | Transitive | N/A* | ❌ |
CVE-2024-42459 | Medium | 5.3 | elliptic-6.5.4.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.
Publish Date: 2024-08-02
URL: CVE-2024-42461
Base Score Metrics:
Step up your Open Source Security Game with Mend here
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.
Publish Date: 2024-08-02
URL: CVE-2024-42460
Base Score Metrics:
Step up your Open Source Security Game with Mend here
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.
Publish Date: 2024-08-02
URL: CVE-2024-42459
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-08-02
Fix Resolution: elliptic - 6.5.7
Step up your Open Source Security Game with Mend here
A Query Language and Runtime which can target any service.
Library home page: https://registry.npmjs.org/graphql/-/graphql-16.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (graphql version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-26144 | Medium | 5.3 | graphql-16.6.0.tgz | Direct | 16.8.1 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
A Query Language and Runtime which can target any service.
Library home page: https://registry.npmjs.org/graphql/-/graphql-16.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.
Note: It was not proven that this vulnerability can crash the process.
Publish Date: 2023-09-20
URL: CVE-2023-26144
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-08-01
Fix Resolution: 16.8.1
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (next version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-44270 | Medium | 5.3 | postcss-8.4.14.tgz | Transitive | 13.5.4-canary.8 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.4.14.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
Publish Date: 2023-09-29
URL: CVE-2023-44270
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-44270
Release Date: 2023-09-29
Fix Resolution (postcss): 8.4.31
Direct dependency fix Resolution (next): 13.5.4-canary.8
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (sharp version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2022-25883 | Medium | 5.3 | semver-7.3.8.tgz | Transitive | 0.33.1 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution (semver): 7.5.2
Direct dependency fix Resolution (sharp): 0.33.1
Step up your Open Source Security Game with Mend here
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.