## Vulnerable Library - gatsby-4.15.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ansi-html/package.json

Found in HEAD commit: fb766f816ad2f4315881e9e4b6d630e84cad0f1e

## Vulnerabilities

| Vulnerability | CVSS 3 | Severity | Vulnerable library | Fix resolution (library) | Fix resolution (gatsby) |
|---|---|---|---|---|---|
| CVE-2022-2216 | 9.8 | Critical | parse-url-6.0.0.tgz | parse-url 6.0.3 | 4.15.2 |
| CVE-2021-43138 | 7.8 | High | async-1.5.2.tgz | async 2.6.4 | 4.17.2 |
| CVE-2021-23424 | 7.5 | High | ansi-html-0.0.7.tgz | ansi-html 0.0.8 | 4.17.2 |
| CVE-2022-25858 | 7.5 | High | terser-5.13.1.tgz | terser 4.8.1 / 5.14.2 | not listed |
| CVE-2022-0722 | 7.5 | High | parse-url-6.0.0.tgz | parse-url 6.0.3 | 4.15.2 |
| CVE-2022-31129 | 7.5 | High | moment-2.29.3.tgz | moment 2.29.4 | not listed |
| CVE-2022-24434 | 7.5 | High | dicer-0.2.5.tgz | not listed | not listed |
| WS-2022-0237 | 7.5 | High | parse-url-6.0.0.tgz | parse-url 8.0.0 | not listed |
| WS-2022-0238 | 7.5 | High | parse-url-6.0.0.tgz | parse-url 8.0.0 | not listed |
| CVE-2022-0624 | 7.3 | High | parse-path-4.0.3.tgz | parse-path 6.0.0 | 4.17.2 |
| CVE-2022-2217 | 6.1 | Medium | parse-url-6.0.0.tgz | parse-url 6.0.3 | 4.15.2 |
| CVE-2022-2218 | 6.1 | Medium | parse-url-6.0.0.tgz | parse-url 6.0.3 | 4.15.2 |
| CVE-2022-0235 | 6.1 | Medium | node-fetch-2.6.1.tgz | node-fetch 2.6.7 | 4.17.2 |
| WS-2022-0239 | 6.1 | Medium | parse-url-6.0.0.tgz | parse-url 8.0.0 | not listed |
| CVE-2022-33987 | 5.3 | Medium | got-9.6.0.tgz | got 12.0.0-beta.1 | 4.17.2 |
| CVE-2021-32640 | 5.3 | Medium | ws-7.4.5.tgz | ws 7.4.6 | 4.17.2 |

Severity bands follow the CVSS v3 qualitative scale (9.0-10.0 Critical, 7.0-8.9 High, 4.0-6.9 Medium); scores and fix versions are the ones stated in the per-finding details below.

## Details
**CVE-2022-2216**

### Vulnerable Library - parse-url-6.0.0.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

- gatsby-4.15.1.tgz (Root Library)
  - gatsby-telemetry-3.15.0.tgz
    - git-up-4.0.5.tgz
      - :x: **parse-url-6.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: fb766f816ad2f4315881e9e4b6d630e84cad0f1e

Found in base branch: main

### Vulnerability Details

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Publish Date: 2022-06-27

URL: CVE-2022-2216

### CVSS 3 Score Details (9.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/505a3d39-2723-4a06-b1f7-9b2d133c92e1/

Release Date: 2022-06-27

Fix Resolution (parse-url): 6.0.3

Direct dependency fix Resolution (gatsby): 4.15.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

**CVE-2021-43138**
### Vulnerable Library - async-1.5.2.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-1.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async/package.json

Dependency Hierarchy:

- gatsby-4.15.1.tgz (Root Library)
  - cache-manager-2.11.1.tgz
    - :x: **async-1.5.2.tgz** (Vulnerable Library)

Found in HEAD commit: fb766f816ad2f4315881e9e4b6d630e84cad0f1e

Found in base branch: main

### Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

### CVSS 3 Score Details (7.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (gatsby): 4.17.2
**CVE-2021-23424**
### Vulnerable Library - ansi-html-0.0.7.tgz

An elegant lib that converts the chalked (ANSI) text to HTML.

Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ansi-html/package.json

Dependency Hierarchy:

- gatsby-4.15.1.tgz (Root Library)
  - react-refresh-webpack-plugin-0.4.3.tgz
    - :x: **ansi-html-0.0.7.tgz** (Vulnerable Library)

Found in HEAD commit: fb766f816ad2f4315881e9e4b6d630e84cad0f1e

Found in base branch: main

### Vulnerability Details

This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

Publish Date: 2021-08-18

URL: CVE-2021-23424

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424

Release Date: 2021-08-18

Fix Resolution (ansi-html): 0.0.8

Direct dependency fix Resolution (gatsby): 4.17.2
**CVE-2022-25858**
### Vulnerable Library - terser-5.13.1.tgz

JavaScript parser, mangler/compressor and beautifier toolkit for ES6+

Library home page: https://registry.npmjs.org/terser/-/terser-5.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/terser/package.json

Dependency Hierarchy:

- gatsby-4.15.1.tgz (Root Library)
  - gatsby-parcel-config-0.6.0.tgz
    - optimizer-terser-2.5.0.tgz
      - :x: **terser-5.13.1.tgz** (Vulnerable Library)

Found in HEAD commit: fb766f816ad2f4315881e9e4b6d630e84cad0f1e

Found in base branch: main

### Vulnerability Details

terser before 4.8.1, and 5.x from 5.0.0 before 5.14.2, is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Publish Date: 2022-07-15

URL: CVE-2022-25858

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858

Release Date: 2022-07-15

Fix Resolution: terser - 4.8.1, 5.14.2
**CVE-2022-0722**
### Vulnerable Library - parse-url-6.0.0.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

- gatsby-4.15.1.tgz (Root Library)
  - gatsby-telemetry-3.15.0.tgz
    - git-up-4.0.5.tgz
      - :x: **parse-url-6.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: fb766f816ad2f4315881e9e4b6d630e84cad0f1e

Found in base branch: main

### Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Publish Date: 2022-06-27

URL: CVE-2022-0722

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/2490ef6d-5577-4714-a4dd-9608251b4226

Release Date: 2022-06-27

Fix Resolution (parse-url): 6.0.3

Direct dependency fix Resolution (gatsby): 4.15.2
**CVE-2022-31129**
### Vulnerable Library - moment-2.29.3.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.29.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:

- gatsby-4.15.1.tgz (Root Library)
  - :x: **moment-2.29.3.tgz** (Vulnerable Library)

Found in HEAD commit: fb766f816ad2f4315881e9e4b6d630e84cad0f1e

Found in base branch: main

### Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment use an inefficient parsing algorithm: string-to-date parsing (specifically the rfc2822 parser, which is tried by default) has quadratic (N^2) complexity on specific inputs, and a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings to the moment constructor without sanity length checks are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting the length of date strings accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g

Release Date: 2022-07-06

Fix Resolution: moment - 2.29.4
**CVE-2022-24434**
### Vulnerable Library - dicer-0.2.5.tgz

A very fast streaming multipart parser for node.js

Library home page: https://registry.npmjs.org/dicer/-/dicer-0.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/dicer/package.json

Dependency Hierarchy:

- gatsby-4.15.1.tgz (Root Library)
  - multer-1.4.4.tgz
    - busboy-0.2.14.tgz
      - :x: **dicer-0.2.5.tgz** (Vulnerable Library)

Found in HEAD commit: fb766f816ad2f4315881e9e4b6d630e84cad0f1e

Found in base branch: main

### Vulnerability Details

This affects all versions of package dicer. An attacker can send a crafted multipart form to the server and crash the Node.js service, and can resend the payload repeatedly so that the service keeps crashing.

Publish Date: 2022-05-20

URL: CVE-2022-24434

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
**WS-2022-0237**
### Vulnerable Library - parse-url-6.0.0.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

- gatsby-4.15.1.tgz (Root Library)
  - gatsby-telemetry-3.15.0.tgz
    - git-up-4.0.5.tgz
      - :x: **parse-url-6.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: fb766f816ad2f4315881e9e4b6d630e84cad0f1e

Found in base branch: main

### Vulnerability Details

Regular Expression Denial of Service (ReDoS) in ionicabizau/parse-url before 8.0.0. A crafted input causes a denial of service when it is passed to the parse-url function.

Publish Date: 2022-07-04

URL: WS-2022-0237

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Release Date: 2022-07-04

Fix Resolution: parse-url - 8.0.0
**WS-2022-0238**
### Vulnerable Library - parse-url-6.0.0.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

- gatsby-4.15.1.tgz (Root Library)
  - gatsby-telemetry-3.15.0.tgz
    - git-up-4.0.5.tgz
      - :x: **parse-url-6.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: fb766f816ad2f4315881e9e4b6d630e84cad0f1e

Found in base branch: main

### Vulnerability Details

File Protocol Spoofing in parse-url before 8.0.0 can lead to attacks, such as XSS, Arbitrary Read/Write File, and Remote Code Execution.

Publish Date: 2022-06-30

URL: WS-2022-0238

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/52060edb-e426-431b-a0d0-e70407e44f18/

Release Date: 2022-06-30

Fix Resolution: parse-url - 8.0.0
**CVE-2022-0624**
### Vulnerable Library - parse-path-4.0.3.tgz

Parse paths (local paths, urls: ssh/git/etc)

Library home page: https://registry.npmjs.org/parse-path/-/parse-path-4.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-path/package.json

Dependency Hierarchy:

- gatsby-4.15.1.tgz (Root Library)
  - gatsby-telemetry-3.15.0.tgz
    - git-up-4.0.5.tgz
      - parse-url-6.0.0.tgz
        - :x: **parse-path-4.0.3.tgz** (Vulnerable Library)

Found in HEAD commit: fb766f816ad2f4315881e9e4b6d630e84cad0f1e

Found in base branch: main

### Vulnerability Details

Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.

Publish Date: 2022-06-28

URL: CVE-2022-0624

### CVSS 3 Score Details (7.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0624

Release Date: 2022-06-28

Fix Resolution (parse-path): 6.0.0

Direct dependency fix Resolution (gatsby): 4.17.2
**CVE-2022-2217**
### Vulnerable Library - parse-url-6.0.0.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

- gatsby-4.15.1.tgz (Root Library)
  - gatsby-telemetry-3.15.0.tgz
    - git-up-4.0.5.tgz
      - :x: **parse-url-6.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: fb766f816ad2f4315881e9e4b6d630e84cad0f1e

Found in base branch: main

### Vulnerability Details

Cross-site Scripting (XSS) - Generic in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Publish Date: 2022-06-27

URL: CVE-2022-2217

### CVSS 3 Score Details (6.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/4e046c63-b1ca-4bcc-b418-29796918a71b/

Release Date: 2022-06-27

Fix Resolution (parse-url): 6.0.3

Direct dependency fix Resolution (gatsby): 4.15.2
**CVE-2022-2218**
### Vulnerable Library - parse-url-6.0.0.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

- gatsby-4.15.1.tgz (Root Library)
  - gatsby-telemetry-3.15.0.tgz
    - git-up-4.0.5.tgz
      - :x: **parse-url-6.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: fb766f816ad2f4315881e9e4b6d630e84cad0f1e

Found in base branch: main

### Vulnerability Details

Cross-site Scripting (XSS) - Stored in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Publish Date: 2022-06-27

URL: CVE-2022-2218

### CVSS 3 Score Details (6.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/024912d3-f103-4daf-a1d0-567f4d9f2bf5/

Release Date: 2022-06-27

Fix Resolution (parse-url): 6.0.3

Direct dependency fix Resolution (gatsby): 4.15.2
**CVE-2022-0235**
### Vulnerable Library - node-fetch-2.6.1.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cross-fetch/node_modules/node-fetch/package.json

Dependency Hierarchy:

- gatsby-4.15.1.tgz (Root Library)
  - eslint-plugin-graphql-4.0.0.tgz
    - graphql-config-3.4.1.tgz
      - url-loader-6.10.1.tgz
        - cross-fetch-3.1.4.tgz
          - :x: **node-fetch-2.6.1.tgz** (Vulnerable Library)

Found in HEAD commit: fb766f816ad2f4315881e9e4b6d630e84cad0f1e

Found in base branch: main

### Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor.

Publish Date: 2022-01-16

URL: CVE-2022-0235

### CVSS 3 Score Details (6.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution (node-fetch): 2.6.7

Direct dependency fix Resolution (gatsby): 4.17.2
**WS-2022-0239**
### Vulnerable Library - parse-url-6.0.0.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

- gatsby-4.15.1.tgz (Root Library)
  - gatsby-telemetry-3.15.0.tgz
    - git-up-4.0.5.tgz
      - :x: **parse-url-6.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: fb766f816ad2f4315881e9e4b6d630e84cad0f1e

Found in base branch: main

### Vulnerability Details

Cross-Site Scripting via Improper Input Validation (parser differential) in parse-url before 8.0.0. Through this vulnerability, an attacker can execute malicious JavaScript.

Publish Date: 2022-07-02

URL: WS-2022-0239

### CVSS 3 Score Details (6.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5fa3115f-5c97-4928-874c-3cc6302e154e

Release Date: 2022-07-02

Fix Resolution: parse-url - 8.0.0
**CVE-2022-33987**
### Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

- gatsby-4.15.1.tgz (Root Library)
  - latest-version-5.1.0.tgz
    - package-json-6.5.0.tgz
      - :x: **got-9.6.0.tgz** (Vulnerable Library)

Found in HEAD commit: fb766f816ad2f4315881e9e4b6d630e84cad0f1e

Found in base branch: main

### Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

### CVSS 3 Score Details (5.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution (got): 12.0.0-beta.1

Direct dependency fix Resolution (gatsby): 4.17.2
**CVE-2021-32640**
### Vulnerable Library - ws-7.4.5.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.4.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ws/package.json

Dependency Hierarchy:

- gatsby-4.15.1.tgz (Root Library)
  - eslint-plugin-graphql-4.0.0.tgz
    - graphql-config-3.4.1.tgz
      - url-loader-6.10.1.tgz
        - :x: **ws-7.4.5.tgz** (Vulnerable Library)

Found in HEAD commit: fb766f816ad2f4315881e9e4b6d630e84cad0f1e

Found in base branch: main

### Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

### CVSS 3 Score Details (5.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution (ws): 7.4.6

Direct dependency fix Resolution (gatsby): 4.17.2