You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (16 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
Path to dependency file: /react-main/fixtures/attribute-behavior/package.json
Path to vulnerable library: /react-main/fixtures/attribute-behavior/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
react-scripts-1.0.11.tgz (Root Library)
webpack-dev-server-2.7.1.tgz
sockjs-client-1.1.4.tgz
eventsource-0.1.6.tgz
original-1.0.0.tgz
❌ url-parse-1.0.5.tgz (Vulnerable Library)
url-parse-1.1.9.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json
The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/react-main/fixtures/packaging/browserify/prod/package.json,/fixtures/packaging/browserify/prod/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/packaging/browserify/dev/package.json,/fixtures/packaging/browserify/dev/package.json,/react-main/fixtures/attribute-behavior/package.json
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
react-scripts-1.0.11.tgz (Root Library)
webpack-dev-server-2.7.1.tgz
sockjs-client-1.1.4.tgz
eventsource-0.1.6.tgz
original-1.0.0.tgz
❌ url-parse-1.0.5.tgz (Vulnerable Library)
url-parse-1.1.9.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json,/react-main/fixtures/expiration/package.json
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/react-main/fixtures/packaging/browserify/prod/package.json,/fixtures/packaging/browserify/prod/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/packaging/browserify/dev/package.json,/fixtures/packaging/browserify/dev/package.json,/react-main/fixtures/attribute-behavior/package.json
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json
Handlebars before 4.6.0 vulnerable to Prototype Pollution. Prototype access to the template engine allows for potential code execution, which may lead to Denial Of Service (DoS).
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/react-main/scripts/bench/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/scripts/bench/package.json
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json
Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
mend-bolt-for-githubbot
changed the title
react-scripts-1.0.11.tgz: 71 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.11.tgz: 72 vulnerabilities (highest severity is: 9.8)
Mar 18, 2024
mend-bolt-for-githubbot
changed the title
react-scripts-1.0.11.tgz: 72 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.11.tgz: 69 vulnerabilities (highest severity is: 9.8)
Mar 23, 2024
mend-bolt-for-githubbot
changed the title
react-scripts-1.0.11.tgz: 69 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.11.tgz: 74 vulnerabilities (highest severity is: 9.8)
Mar 31, 2024
mend-bolt-for-githubbot
changed the title
react-scripts-1.0.11.tgz: 74 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.11.tgz: 73 vulnerabilities (highest severity is: 9.8)
Apr 18, 2024
mend-bolt-for-githubbot
changed the title
react-scripts-1.0.11.tgz: 73 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.11.tgz: 74 vulnerabilities (highest severity is: 9.8)
Apr 22, 2024
mend-bolt-for-githubbot
changed the title
react-scripts-1.0.11.tgz: 74 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.11.tgz: 75 vulnerabilities (highest severity is: 9.8)
Jul 1, 2024
mend-bolt-for-githubbot
changed the title
react-scripts-1.0.11.tgz: 75 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.11.tgz: 77 vulnerabilities (highest severity is: 9.8)
Aug 4, 2024
mend-bolt-for-githubbot
changed the title
react-scripts-1.0.11.tgz: 77 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.11.tgz: 78 vulnerabilities (highest severity is: 9.8)
Aug 4, 2024
mend-bolt-for-githubbot
changed the title
react-scripts-1.0.11.tgz: 78 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.11.tgz: 79 vulnerabilities (highest severity is: 9.8)
Aug 28, 2024
mend-bolt-for-githubbot
changed the title
react-scripts-1.0.11.tgz: 79 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.11.tgz: 78 vulnerabilities (highest severity is: 9.8)
Sep 10, 2024
mend-bolt-for-githubbot
changed the title
react-scripts-1.0.11.tgz: 78 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.11.tgz: 79 vulnerabilities (highest severity is: 9.8)
Sep 11, 2024
mend-bolt-for-githubbot
changed the title
react-scripts-1.0.11.tgz: 79 vulnerabilities (highest severity is: 9.8)
react-scripts-1.0.11.tgz: 80 vulnerabilities (highest severity is: 9.8)
Sep 11, 2024
Vulnerable Library - react-scripts-1.0.11.tgz
Path to dependency file: /react-main/fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-37601
Vulnerable Library - loader-utils-1.1.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.1.0.tgz
Path to dependency file: /react-main/fixtures/attribute-behavior/package.json
Path to vulnerable library: /react-main/fixtures/attribute-behavior/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (react-scripts): 4.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-0691
Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.1.9.tgz
url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
url-parse-1.1.9.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.1.9.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (react-scripts): 1.0.12
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
CVE-2020-7720
Vulnerable Library - node-forge-0.6.33.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.6.33.tgz
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Publish Date: 2020-09-01
URL: CVE-2020-7720
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-09-01
Fix Resolution (node-forge): 0.10.0
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
CVE-2018-6342
Vulnerable Library - react-dev-utils-3.1.1.tgz
Webpack utilities used by Create React App
Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-3.1.1.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.
Publish Date: 2018-12-31
URL: CVE-2018-6342
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6342
Release Date: 2018-12-31
Fix Resolution (react-dev-utils): 3.1.2
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
CVE-2018-3774
Vulnerable Libraries - url-parse-1.1.9.tgz, url-parse-1.0.5.tgz
url-parse-1.1.9.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.1.9.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.
Publish Date: 2018-08-12
URL: CVE-2018-3774
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3774
Release Date: 2018-08-12
Fix Resolution (url-parse): 1.4.3
Direct dependency fix Resolution (react-scripts): 1.0.12
Fix Resolution (url-parse): 1.4.3
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
CVE-2018-13797
Vulnerable Library - macaddress-0.2.8.tgz
Get the MAC addresses (hardware addresses) of the hosts network interfaces.
Library home page: https://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.
Publish Date: 2022-10-03
URL: CVE-2018-13797
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-13797
Release Date: 2022-10-03
Fix Resolution (macaddress): 0.2.9
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
CVE-2024-42461
Vulnerable Library - elliptic-6.4.0.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/react-main/fixtures/packaging/browserify/prod/package.json,/fixtures/packaging/browserify/prod/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/packaging/browserify/dev/package.json,/fixtures/packaging/browserify/dev/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.
Publish Date: 2024-08-02
URL: CVE-2024-42461
CVSS 3 Score Details (9.1)
Base Score Metrics:
Step up your Open Source Security Game with Mend here
CVE-2022-0686
Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.1.9.tgz
url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
url-parse-1.1.9.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.1.9.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (react-scripts): 1.0.12
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
CVE-2019-10744
Vulnerable Library - lodash.template-4.4.0.tgz
The lodash method `_.template` exported as a module.
Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-4.4.0.tgz
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-25
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-25
Fix Resolution (lodash.template): 4.5.0
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
WS-2019-0063
Vulnerable Library - js-yaml-3.9.1.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.9.1.tgz
Path to dependency file: /react-main/fixtures/attribute-behavior/package.json
Path to vulnerable library: /react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.
Publish Date: 2019-04-05
URL: WS-2019-0063
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/813
Release Date: 2019-04-05
Fix Resolution (js-yaml): 3.13.1
Direct dependency fix Resolution (react-scripts): 2.0.0
Step up your Open Source Security Game with Mend here
CVE-2021-23386
Vulnerable Library - dns-packet-1.2.2.tgz
An abstract-encoding compliant module for encoding / decoding DNS packets
Library home page: https://registry.npmjs.org/dns-packet/-/dns-packet-1.2.2.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json,/react-main/fixtures/expiration/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.
Publish Date: 2021-05-20
URL: CVE-2021-23386
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23386
Release Date: 2021-05-20
Fix Resolution (dns-packet): 1.3.2
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
CVE-2020-13822
Vulnerable Library - elliptic-6.4.0.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/react-main/fixtures/packaging/browserify/prod/package.json,/fixtures/packaging/browserify/prod/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/packaging/browserify/dev/package.json,/fixtures/packaging/browserify/dev/package.json,/react-main/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2024-08-01
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
WS-2020-0450
Vulnerable Library - handlebars-4.5.3.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Handlebars before 4.6.0 vulnerable to Prototype Pollution. Prototype access to the template engine allows for potential code execution, which may lead to Denial Of Service (DoS).
Publish Date: 2020-01-09
URL: WS-2020-0450
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-01-09
Fix Resolution (handlebars): 4.6.0
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
WS-2020-0091
Vulnerable Library - http-proxy-1.16.2.tgz
HTTP proxying for the masses
Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.16.2.tgz
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/react-main/scripts/bench/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/scripts/bench/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Publish Date: 2020-05-14
URL: WS-2020-0091
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1486
Release Date: 2020-05-14
Fix Resolution (http-proxy): 1.18.1
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
WS-2019-0541
Vulnerable Library - macaddress-0.2.8.tgz
Get the MAC addresses (hardware addresses) of the hosts network interfaces.
Library home page: https://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Arbitrary File Read vulnerability was found in macaddress before 0.4.3.
Publish Date: 2019-08-20
URL: WS-2019-0541
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-20
Fix Resolution (macaddress): 0.4.3
Direct dependency fix Resolution (react-scripts): 1.0.12
Step up your Open Source Security Game with Mend here
WS-2019-0032
Vulnerable Library - js-yaml-3.9.1.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.9.1.tgz
Path to dependency file: /react-main/fixtures/attribute-behavior/package.json
Path to vulnerable library: /react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Publish Date: 2019-03-20
URL: WS-2019-0032
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/788/versions
Release Date: 2019-03-20
Fix Resolution (js-yaml): 3.13.0
Direct dependency fix Resolution (react-scripts): 2.0.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: