In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-33587
### Vulnerable Library - css-what-3.4.2.tgz
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-3803
### Vulnerable Libraries - nth-check-1.0.2.tgz, nth-check-2.0.0.tgz
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2021-09-17
Fix Resolution: nth-check - v2.0.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-25858
### Vulnerable Library - terser-5.12.0.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Vulnerable Library - react-scripts-5.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nth-check/package.json
Found in HEAD commit: 2c3fe662be4de90718d82c0207c0b4058747081a
Vulnerabilities
Details
CVE-2021-43138
### Vulnerable Library - async-2.6.3.tgzHigher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/async/package.json
Dependency Hierarchy: - react-scripts-5.0.1.tgz (Root Library) - webpack-dev-server-4.7.4.tgz - portfinder-1.0.28.tgz - :x: **async-2.6.3.tgz** (Vulnerable Library)
Found in HEAD commit: 2c3fe662be4de90718d82c0207c0b4058747081a
Found in base branch: main
### Vulnerability DetailsIn Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
### CVSS 3 Score Details (7.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution: async - 2.6.4,3.2.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2021-33587
### Vulnerable Library - css-what-3.4.2.tgza CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/css-what/package.json
Dependency Hierarchy: - react-scripts-5.0.1.tgz (Root Library) - webpack-5.5.0.tgz - plugin-svgo-5.5.0.tgz - svgo-1.3.2.tgz - css-select-2.1.0.tgz - :x: **css-what-3.4.2.tgz** (Vulnerable Library)
Found in HEAD commit: 2c3fe662be4de90718d82c0207c0b4058747081a
Found in base branch: main
### Vulnerability DetailsThe css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Publish Date: 2021-05-28
URL: CVE-2021-33587
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution: css-what - 5.0.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2021-3803
### Vulnerable Libraries - nth-check-1.0.2.tgz, nth-check-2.0.0.tgz### nth-check-1.0.2.tgz
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nth-check/package.json
Dependency Hierarchy: - react-scripts-5.0.1.tgz (Root Library) - webpack-5.5.0.tgz - plugin-svgo-5.5.0.tgz - svgo-1.3.2.tgz - css-select-2.1.0.tgz - :x: **nth-check-1.0.2.tgz** (Vulnerable Library) ### nth-check-2.0.0.tgz
Parses and compiles CSS nth-checks to highly optimized functions.
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nth-check/package.json
Dependency Hierarchy: - react-scripts-5.0.1.tgz (Root Library) - html-webpack-plugin-5.5.0.tgz - pretty-error-4.0.0.tgz - renderkid-3.0.0.tgz - css-select-4.1.3.tgz - :x: **nth-check-2.0.0.tgz** (Vulnerable Library)
Found in HEAD commit: 2c3fe662be4de90718d82c0207c0b4058747081a
Found in base branch: main
### Vulnerability Detailsnth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2021-09-17
Fix Resolution: nth-check - v2.0.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2022-25858
### Vulnerable Library - terser-5.12.0.tgzJavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-5.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/terser/package.json
Dependency Hierarchy: - react-scripts-5.0.1.tgz (Root Library) - html-webpack-plugin-5.5.0.tgz - html-minifier-terser-6.1.0.tgz - :x: **terser-5.12.0.tgz** (Vulnerable Library)
Found in HEAD commit: 2c3fe662be4de90718d82c0207c0b4058747081a
Found in base branch: main
### Vulnerability DetailsThe package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution: terser - 4.8.1,5.14.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)