BharatSeva / BharatSeva-Plus-HealthCare-Interface

A portal for healthcare professionals (HIPs) to generate and manage health logs like biodata, health records, and more.
http://4.236.178.190:5000/healthcare/
MIT License

[Security] Resolve Multiple Vulnerabilities Detected in NPM Packages #19

Open vaibhavyadav-dev opened 1 week ago

vaibhavyadav-dev commented 1 week ago

Description

Multiple vulnerabilities have been detected in the following NPM packages. Action is required to patch or upgrade these packages to mitigate potential security risks.

Vulnerabilities List

  1. protobufjs - Prototype Pollution Vulnerability

    • Severity: Critical
    • Package: protobufjs
    • Detected in: package-lock.json
  2. Babel - Arbitrary Code Execution when compiling specifically crafted malicious code

    • Severity: Critical
    • Package: babel/traverse
    • Detected in: package-lock.json
  3. rollup - DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS

    • Severity: High
    • Package: rollup
    • Detected in: package-lock.json
  4. body-parser - Vulnerable to denial of service when URL encoding is enabled

    • Severity: High
    • Package: body-parser
    • Detected in: package-lock.json
  5. path-to-regexp - Outputs backtracking regular expressions

    • Severity: High
    • Package: path-to-regexp
    • Detected in: package-lock.json
  6. axios - Server-Side Request Forgery

    • Severity: High
    • Package: axios
    • Detected in: package-lock.json
  7. ws - Vulnerable to a DoS attack when handling requests with many HTTP headers

    • Severity: High
    • Package: ws
    • Detected in: package-lock.json
  8. braces - Uncontrolled resource consumption

    • Severity: High
    • Package: braces
    • Detected in: package-lock.json
  9. webpack-dev-middleware - Path traversal vulnerability

    • Severity: High
    • Package: webpack-dev-middleware
    • Detected in: package-lock.json
  10. semver - Regular Expression Denial of Service (ReDoS)

    • Severity: High
    • Package: semver
    • Detected in: package-lock.json
  11. nth-check - Inefficient Regular Expression Complexity

    • Severity: High
    • Package: nth-check
    • Detected in: package-lock.json
  12. send - Vulnerable to template injection that can lead to XSS

    • Severity: Moderate
    • Package: send
    • Detected in: package-lock.json
  13. serve-static - Vulnerable to template injection that can lead to XSS

    • Severity: Moderate
    • Package: serve-static
    • Detected in: package-lock.json
  14. express - Vulnerable to XSS via response.redirect()

    • Severity: Moderate
    • Package: express
    • Detected in: package-lock.json
  15. webpack - DOM Clobbering Gadget in AutoPublicPathRuntimeModule

    • Severity: Moderate
    • Package: webpack
    • Detected in: package-lock.json

Steps to Reproduce

  1. Analyze the package-lock.json for the listed vulnerabilities.
  2. Upgrade the vulnerable packages to their latest secure versions.
  3. If no patch is available, consider removing the vulnerable packages or using an alternative.

Expected Outcome

Yash-007 commented 1 week ago

Hey, I would like to address this issue. Can you please assign it to me?

vaibhavyadav-dev commented 1 week ago

Ok @Yash-007, you can take this.

vaibhavyadav-dev commented 4 days ago

@Yash-007 are you working on this?

Yash-007 commented 4 days ago

@vaibhavyadav-dev Yes, please review the PR.