*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.
Details
Partial details (22 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the `constructor`, `prototype` and `__proto__` payloads.
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and setting the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of `set()` in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5. As a workaround, don't use the `includeInheritedProps: true` option or the `withInheritedProps` instance if using a version >= 0.11.0.
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition `currentPath === '__proto__'` returns false if `currentPath` is `['__proto__']`. This is because the `===` operator always returns false when the types of the operands differ.
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
socket.io versions 1.0.0 to 2.3.0 are vulnerable to Cross-Site WebSocket Hijacking: an attacker can bypass origin protection using special symbols, including "`" and "$".
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded.
ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.
The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.
The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - browser-sync-2.26.3.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/xmlhttprequest-ssl/package.json
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Vulnerabilities
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.
Details
CVE-2019-10747
### Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz

### set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/set-value/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - chokidar-2.0.4.tgz
    - braces-2.3.2.tgz
      - snapdragon-0.8.2.tgz
        - base-0.11.2.tgz
          - cache-base-1.0.1.tgz
            - :x: **set-value-2.0.0.tgz** (Vulnerable Library)

### set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/union-value/node_modules/set-value/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - chokidar-2.0.4.tgz
    - braces-2.3.2.tgz
      - snapdragon-0.8.2.tgz
        - base-0.11.2.tgz
          - cache-base-1.0.1.tgz
            - union-value-1.0.0.tgz
              - :x: **set-value-0.4.3.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the `constructor`, `prototype` and `__proto__` payloads.

Publish Date: 2019-08-23
URL: CVE-2019-10747

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Release Date: 2019-10-29
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (browser-sync): 2.26.4
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (browser-sync): 2.26.4
In order to enable automatic remediation, please create workflow rules
CVE-2019-10746
### Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/mixin-deep/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - chokidar-2.0.4.tgz
    - braces-2.3.2.tgz
      - snapdragon-0.8.2.tgz
        - base-0.11.2.tgz
          - :x: **mixin-deep-1.3.1.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23
URL: CVE-2019-10746

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Release Date: 2019-08-23
Fix Resolution (mixin-deep): 1.3.2
Direct dependency fix Resolution (browser-sync): 2.26.4
CVE-2020-15256
### Vulnerable Library - object-path-0.9.2.tgz

Access deep properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/object-path/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - eazy-logger-3.0.2.tgz
    - tfunk-3.1.0.tgz
      - :x: **object-path-0.9.2.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details

A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and setting the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of `set()` in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5. As a workaround, don't use the `includeInheritedProps: true` option or the `withInheritedProps` instance if using a version >= 0.11.0.

Publish Date: 2020-10-19
URL: CVE-2020-15256

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/mariocasciaro/object-path/security/advisories/GHSA-cwx2-736x-mf6w
Release Date: 2020-10-19
Fix Resolution (object-path): 0.11.5
Direct dependency fix Resolution (browser-sync): 2.26.4
CVE-2020-7774
### Vulnerable Library - y18n-3.2.1.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/y18n/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - yargs-6.4.0.tgz
    - :x: **y18n-3.2.1.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17
URL: CVE-2020-7774

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 3.2.2
Direct dependency fix Resolution (browser-sync): 2.26.4
CVE-2021-23440
### Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz

### set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/union-value/node_modules/set-value/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - chokidar-2.0.4.tgz
    - braces-2.3.2.tgz
      - snapdragon-0.8.2.tgz
        - base-0.11.2.tgz
          - cache-base-1.0.1.tgz
            - union-value-1.0.0.tgz
              - :x: **set-value-0.4.3.tgz** (Vulnerable Library)

### set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/set-value/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - chokidar-2.0.4.tgz
    - braces-2.3.2.tgz
      - snapdragon-0.8.2.tgz
        - base-0.11.2.tgz
          - cache-base-1.0.1.tgz
            - :x: **set-value-2.0.0.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details

Mend Note: After conducting further research, Mend has determined that all versions of set-value up to version 4.0.0 are vulnerable to CVE-2021-23440.

Publish Date: 2021-09-12
URL: CVE-2021-23440

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/
Release Date: 2021-09-12
Fix Resolution: set-value - 2.0.1,4.0.1
CVE-2021-31597
### Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - browser-sync-ui-2.26.2.tgz
    - socket.io-client-2.2.0.tgz
      - engine.io-client-3.3.1.tgz
        - :x: **xmlhttprequest-ssl-1.5.5.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Publish Date: 2021-04-23
URL: CVE-2021-31597

### CVSS 3 Score Details (9.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597
Release Date: 2021-04-23
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (browser-sync): 2.26.14-y.1
CVE-2019-10744
### Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/lodash/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - easy-extender-2.3.4.tgz
    - :x: **lodash-4.17.11.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26
URL: CVE-2019-10744

### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (browser-sync): 2.26.4
CVE-2021-23434
### Vulnerable Library - object-path-0.9.2.tgz

Access deep properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/object-path/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - eazy-logger-3.0.2.tgz
    - tfunk-3.1.0.tgz
      - :x: **object-path-0.9.2.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details

This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition `currentPath === '__proto__'` returns false if `currentPath` is `['__proto__']`. This is because the `===` operator always returns false when the types of the operands differ.

Publish Date: 2021-08-27
URL: CVE-2021-23434

### CVSS 3 Score Details (8.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23434
Release Date: 2021-08-27
Fix Resolution (object-path): 0.11.6
Direct dependency fix Resolution (browser-sync): 2.26.4
CVE-2020-28502
### Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - browser-sync-ui-2.26.2.tgz
    - socket.io-client-2.2.0.tgz
      - engine.io-client-3.3.1.tgz
        - :x: **xmlhttprequest-ssl-1.5.5.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05
URL: CVE-2020-28502

### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-h4j5-c7cj-74xg
Release Date: 2021-03-05
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (browser-sync): 2.26.14-y.1
WS-2020-0443
### Vulnerable Library - socket.io-2.1.1.tgz

node.js realtime framework server

Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.1.1.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/socket.io/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - :x: **socket.io-2.1.1.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details

socket.io versions 1.0.0 to 2.3.0 are vulnerable to Cross-Site WebSocket Hijacking: an attacker can bypass origin protection using special symbols, including "`" and "$".

Publish Date: 2020-02-20
URL: WS-2020-0443

### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://hackerone.com/reports/931197
Release Date: 2020-02-20
Fix Resolution (socket.io): 2.4.0
Direct dependency fix Resolution (browser-sync): 2.26.14-y.1
CVE-2019-20149
### Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/kind-of/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - chokidar-2.0.4.tgz
    - anymatch-2.0.0.tgz
      - micromatch-3.1.10.tgz
        - :x: **kind-of-6.0.2.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by `'constructor': {'name':'Symbol'}`. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30
URL: CVE-2019-20149

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149
Release Date: 2019-12-30
Fix Resolution (kind-of): 6.0.3
Direct dependency fix Resolution (browser-sync): 2.26.4
CVE-2020-28469
### Vulnerable Libraries - glob-parent-3.1.0.tgz, glob-parent-2.0.0.tgz

### glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/glob-parent/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - chokidar-2.0.4.tgz
    - :x: **glob-parent-3.1.0.tgz** (Vulnerable Library)

### glob-parent-2.0.0.tgz

Strips glob magic from a string to provide the parent path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/glob-base/node_modules/glob-parent/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - micromatch-2.3.11.tgz
    - parse-glob-3.0.4.tgz
      - glob-base-0.3.0.tgz
        - :x: **glob-parent-2.0.0.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03
URL: CVE-2020-28469

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (browser-sync): 2.26.9
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (browser-sync): 2.26.9
CVE-2019-10742
### Vulnerable Library - axios-0.17.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.17.1.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/axios/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - localtunnel-1.9.1.tgz
    - :x: **axios-0.17.1.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded.

Publish Date: 2019-05-07
URL: CVE-2019-10742

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-42xw-2xvc-qx8m
Release Date: 2019-05-07
Fix Resolution (axios): 0.18.1
Direct dependency fix Resolution (browser-sync): 2.26.6
CVE-2021-27292
### Vulnerable Library - ua-parser-js-0.7.17.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/ua-parser-js/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - :x: **ua-parser-js-0.7.17.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

Publish Date: 2021-03-17
URL: CVE-2021-27292

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Release Date: 2021-03-17
Fix Resolution (ua-parser-js): 0.7.25
Direct dependency fix Resolution (browser-sync): 2.26.9
CVE-2022-38900
### Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/decode-uri-component/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - chokidar-2.0.4.tgz
    - braces-2.3.2.tgz
      - snapdragon-0.8.2.tgz
        - source-map-resolve-0.5.2.tgz
          - :x: **decode-uri-component-0.2.0.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28
URL: CVE-2022-38900

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (browser-sync): 2.26.4
CVE-2020-7733
### Vulnerable Library - ua-parser-js-0.7.17.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/ua-parser-js/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - :x: **ua-parser-js-0.7.17.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details

The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

Publish Date: 2020-09-16
URL: CVE-2020-7733

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Release Date: 2020-09-16
Fix Resolution (ua-parser-js): 0.7.22
Direct dependency fix Resolution (browser-sync): 2.26.9
CVE-2021-3749
### Vulnerable Library - axios-0.17.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.17.1.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/axios/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - localtunnel-1.9.1.tgz
    - :x: **axios-0.17.1.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Detailsaxios is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-08-31
URL: CVE-2021-3749
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/
Release Date: 2021-08-31
Fix Resolution (axios): 0.18.1
Direct dependency fix Resolution (browser-sync): 2.26.6
## CVE-2021-3805
### Vulnerable Library - object-path-0.9.2.tgz
Access deep properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/object-path/package.json
Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - eazy-logger-3.0.2.tgz
    - tfunk-3.1.0.tgz
      - :x: **object-path-0.9.2.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-09-17
URL: CVE-2021-3805
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053/
Release Date: 2021-09-17
Fix Resolution (object-path): 0.11.8
Direct dependency fix Resolution (browser-sync): 2.26.4
## CVE-2020-7793
### Vulnerable Library - ua-parser-js-0.7.17.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/ua-parser-js/package.json
Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - :x: **ua-parser-js-0.7.17.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details
The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).
Publish Date: 2020-12-11
URL: CVE-2020-7793
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Release Date: 2020-12-11
Fix Resolution (ua-parser-js): 0.7.23
Direct dependency fix Resolution (browser-sync): 2.26.9
## CVE-2022-24999
### Vulnerable Library - qs-6.2.3.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.2.3.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/qs/package.json
Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - :x: **qs-6.2.3.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.2.4
Direct dependency fix Resolution (browser-sync): 2.27.11
## CVE-2022-3517
### Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/minimatch/package.json
Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - resp-modifier-6.0.2.tgz
    - :x: **minimatch-3.0.4.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
## CVE-2020-36048
### Vulnerable Library - engine.io-3.2.1.tgz
The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.2.1.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/engine.io/package.json
Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - socket.io-2.1.1.tgz
    - :x: **engine.io-3.2.1.tgz** (Vulnerable Library)
Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc
Found in base branch: master
### Vulnerability Details
Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
Publish Date: 2021-01-08
URL: CVE-2020-36048
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048
Release Date: 2021-01-08
Fix Resolution (engine.io): 3.6.0
Direct dependency fix Resolution (browser-sync): 2.27.10
In order to enable automatic remediation for this issue, please create workflow rules