*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (17 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
Path to dependency file: /react-main/fixtures/packaging/webpack-alias/dev/package.json
Path to vulnerable library: /react-main/fixtures/packaging/webpack-alias/dev/package.json,/react-main/fixtures/packaging/webpack/dev/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/packaging/webpack/dev/package.json,/react-main/fixtures/expiration/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/packaging/webpack-alias/prod/package.json,/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/packaging/webpack/prod/package.json,/fixtures/packaging/webpack-alias/dev/package.json,/fixtures/attribute-behavior/package.json,/fixtures/packaging/webpack-alias/prod/package.json,/fixtures/packaging/webpack/prod/package.json
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Direct dependency fix Resolution (react-scripts): 4.0.0
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (react-scripts): 4.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0691
### Vulnerable Library - url-parse-1.5.1.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Direct dependency fix Resolution (react-scripts): 2.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-48949
### Vulnerable Library - elliptic-6.5.4.tgz
The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.
Direct dependency fix Resolution (react-scripts): 2.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0686
### Vulnerable Library - url-parse-1.5.1.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Direct dependency fix Resolution (react-scripts): 2.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2019-0063
### Vulnerable Library - js-yaml-3.7.0.tgz
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/fixtures/concurrent/time-slicing/package.json
Direct dependency fix Resolution (react-scripts): 2.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-1650
### Vulnerable Library - eventsource-0.1.6.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/expiration/package.json
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2022-05-12
Fix Resolution (eventsource): 1.1.1
Direct dependency fix Resolution (react-scripts): 2.1.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-23386
### Vulnerable Library - dns-packet-1.3.1.tgz
An abstract-encoding compliant module for encoding / decoding DNS packets
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.
Direct dependency fix Resolution (react-scripts): 2.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2021-0152
### Vulnerable Library - color-string-0.3.0.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/expiration/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2021-03-12
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (react-scripts): 2.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2019-0032
### Vulnerable Library - js-yaml-3.7.0.tgz
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/fixtures/concurrent/time-slicing/package.json
Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Direct dependency fix Resolution (react-scripts): 2.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-45590
### Vulnerable Library - body-parser-1.19.0.tgz
Path to dependency file: /react-main/fixtures/ssr2/package.json
Path to vulnerable library: /react-main/fixtures/ssr2/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/ssr/package.json,/fixtures/ssr2/package.json,/fixtures/ssr/package.json
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-45296
### Vulnerable Libraries - path-to-regexp-1.8.0.tgz, path-to-regexp-0.1.7.tgz
Path to dependency file: /react-main/fixtures/nesting/package.json
Path to vulnerable library: /react-main/fixtures/nesting/node_modules/path-to-regexp/package.json,/fixtures/fizz/package.json,/fixtures/ssr/package.json,/fixtures/attribute-behavior/package.json,/fixtures/ssr2/package.json,/react-main/fixtures/fizz/package.json,/react-main/fixtures/ssr2/package.json,/fixtures/nesting/node_modules/path-to-regexp/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/expiration/package.json,/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/ssr/package.json
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Direct dependency fix Resolution (react-scripts): 2.0.1
Fix Resolution (path-to-regexp): 8.0.0
Direct dependency fix Resolution (react-scripts): 2.0.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-4068
### Vulnerable Libraries - braces-1.8.5.tgz, braces-3.0.2.tgz
### braces-1.8.5.tgz
Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.
Path to dependency file: /fixtures/packaging/webpack-alias/prod/package.json
Path to vulnerable library: /fixtures/packaging/webpack-alias/prod/package.json,/react-main/fixtures/attribute-behavior/package.json,/react-main/fixtures/packaging/webpack/dev/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/packaging/webpack-alias/prod/package.json,/fixtures/concurrent/time-slicing/package.json,/fixtures/packaging/webpack-alias/dev/package.json,/fixtures/packaging/webpack/dev/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/packaging/webpack/prod/package.json,/react-main/fixtures/expiration/package.json,/fixtures/packaging/webpack/prod/package.json,/fixtures/expiration/package.json,/react-main/fixtures/packaging/webpack-alias/dev/package.json
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Path to dependency file: /fixtures/legacy-jsx-runtimes/package.json
Path to vulnerable library: /fixtures/legacy-jsx-runtimes/package.json,/react-main/fixtures/flight/package.json,/fixtures/ssr2/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/flight-esm/package.json,/react-main/fixtures/nesting/node_modules/watchpack/node_modules/braces/package.json,/react-main/fixtures/ssr2/package.json,/fixtures/nesting/node_modules/fork-ts-checker-webpack-plugin/node_modules/braces/package.json,/fixtures/fizz/package.json,/fixtures/flight/package.json,/react-main/fixtures/fizz/package.json,/fixtures/nesting/node_modules/watchpack/node_modules/braces/package.json,/react-main/fixtures/nesting/node_modules/fork-ts-checker-webpack-plugin/node_modules/braces/package.json,/react-main/fixtures/legacy-jsx-runtimes/package.json,/fixtures/flight-esm/package.json
The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2024-05-13
Fix Resolution: braces - 3.0.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-21536
### Vulnerable Library - http-proxy-middleware-0.17.4.tgz
The one-liner node.js proxy middleware for connect, express and browser-sync
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-37620
### Vulnerable Library - html-minifier-3.5.21.tgz
Highly configurable, well-tested, JavaScript-based HTML minifier.
For more information on CVSS3 Scores, click here.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-37603
### Vulnerable Library - loader-utils-1.4.0.tgz
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Direct dependency fix Resolution (react-scripts): 4.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-3517
### Vulnerable Library - minimatch-3.0.3.tgz
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/concurrent/time-slicing/package.json
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-24999
### Vulnerable Library - qs-6.7.0.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Path to dependency file: /fixtures/ssr/package.json
Path to vulnerable library: /fixtures/ssr/package.json,/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/ssr2/package.json,/react-main/fixtures/ssr/package.json,/fixtures/ssr2/package.json
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Path to dependency file: /react-main/fixtures/concurrent/time-slicing/package.json
Path to vulnerable library: /fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/concurrent/time-slicing/package.json
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-37601
### Vulnerable Libraries - loader-utils-1.4.0.tgz, loader-utils-0.2.17.tgz### loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - postcss-loader-2.0.8.tgz - :x: **loader-utils-1.4.0.tgz** (Vulnerable Library) ### loader-utils-0.2.17.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.17.tgz
Path to dependency file: /react-main/fixtures/packaging/webpack-alias/dev/package.json
Path to vulnerable library: /react-main/fixtures/packaging/webpack-alias/dev/package.json,/react-main/fixtures/packaging/webpack/dev/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/packaging/webpack/dev/package.json,/react-main/fixtures/expiration/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/packaging/webpack-alias/prod/package.json,/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/packaging/webpack/prod/package.json,/fixtures/packaging/webpack-alias/dev/package.json,/fixtures/attribute-behavior/package.json,/fixtures/packaging/webpack-alias/prod/package.json,/fixtures/packaging/webpack/prod/package.json
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - html-webpack-plugin-2.29.0.tgz - :x: **loader-utils-0.2.17.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsPrototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Publish Date: 2022-10-12
URL: CVE-2022-37601
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (react-scripts): 4.0.0
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (react-scripts): 4.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0691
### Vulnerable Library - url-parse-1.5.1.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz
Path to dependency file: /fixtures/concurrent/time-slicing/package.json
Path to vulnerable library: /fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/concurrent/time-slicing/package.json
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - webpack-dev-server-2.11.3.tgz - sockjs-client-1.1.5.tgz - :x: **url-parse-1.5.1.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsAuthorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (react-scripts): 2.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-48949
### Vulnerable Library - elliptic-6.5.4.tgzEC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - webpack-3.8.1.tgz - node-libs-browser-2.2.1.tgz - crypto-browserify-3.12.0.tgz - browserify-sign-4.2.2.tgz - :x: **elliptic-6.5.4.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsThe verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.
Publish Date: 2024-10-10
URL: CVE-2024-48949
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-48949
Release Date: 2024-10-10
Fix Resolution (elliptic): 6.5.6
Direct dependency fix Resolution (react-scripts): 2.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0686
### Vulnerable Library - url-parse-1.5.1.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz
Path to dependency file: /fixtures/concurrent/time-slicing/package.json
Path to vulnerable library: /fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/concurrent/time-slicing/package.json
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - webpack-dev-server-2.11.3.tgz - sockjs-client-1.1.5.tgz - :x: **url-parse-1.5.1.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsAuthorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (react-scripts): 2.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2019-0063
### Vulnerable Library - js-yaml-3.7.0.tgzYAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/fixtures/concurrent/time-slicing/package.json
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - css-loader-0.28.7.tgz - cssnano-3.10.0.tgz - postcss-svgo-2.1.6.tgz - svgo-0.7.2.tgz - :x: **js-yaml-3.7.0.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsJs-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.
Publish Date: 2019-04-05
URL: WS-2019-0063
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.npmjs.com/advisories/813
Release Date: 2019-04-05
Fix Resolution (js-yaml): 3.13.1
Direct dependency fix Resolution (react-scripts): 2.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-1650
### Vulnerable Library - eventsource-0.1.6.tgzW3C compliant EventSource client for Node.js
Library home page: https://registry.npmjs.org/eventsource/-/eventsource-0.1.6.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/expiration/package.json
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - webpack-dev-server-2.11.3.tgz - sockjs-client-1.1.5.tgz - :x: **eventsource-0.1.6.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsImproper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.
Publish Date: 2022-05-12
URL: CVE-2022-1650
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-05-12
Fix Resolution (eventsource): 1.1.1
Direct dependency fix Resolution (react-scripts): 2.1.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-23386
### Vulnerable Library - dns-packet-1.3.1.tgzAn abstract-encoding compliant module for encoding / decoding DNS packets
Library home page: https://registry.npmjs.org/dns-packet/-/dns-packet-1.3.1.tgz
Path to dependency file: /fixtures/concurrent/time-slicing/package.json
Path to vulnerable library: /fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/concurrent/time-slicing/package.json
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - webpack-dev-server-2.11.3.tgz - bonjour-3.5.0.tgz - multicast-dns-6.2.3.tgz - :x: **dns-packet-1.3.1.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsThis affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.
Publish Date: 2021-05-20
URL: CVE-2021-23386
### CVSS 3 Score Details (7.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23386
Release Date: 2021-05-20
Fix Resolution (dns-packet): 1.3.2
Direct dependency fix Resolution (react-scripts): 2.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2021-0152
### Vulnerable Library - color-string-0.3.0.tgzParser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-0.3.0.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library: /fixtures/attribute-behavior/package.json,/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/expiration/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - css-loader-0.28.7.tgz - cssnano-3.10.0.tgz - postcss-colormin-2.2.2.tgz - colormin-1.1.2.tgz - color-0.11.4.tgz - :x: **color-string-0.3.0.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsRegular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.
Publish Date: 2021-03-12
URL: WS-2021-0152
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2021-03-12
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (react-scripts): 2.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2019-0032
### Vulnerable Library - js-yaml-3.7.0.tgzYAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/fixtures/concurrent/time-slicing/package.json
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - css-loader-0.28.7.tgz - cssnano-3.10.0.tgz - postcss-svgo-2.1.6.tgz - svgo-0.7.2.tgz - :x: **js-yaml-3.7.0.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsVersions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Publish Date: 2019-03-20
URL: WS-2019-0032
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.npmjs.com/advisories/788/versions
Release Date: 2019-03-20
Fix Resolution (js-yaml): 3.13.0
Direct dependency fix Resolution (react-scripts): 2.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-45590
### Vulnerable Library - body-parser-1.19.0.tgzNode.js body parsing middleware
Library home page: https://registry.npmjs.org/body-parser/-/body-parser-1.19.0.tgz
Path to dependency file: /react-main/fixtures/ssr2/package.json
Path to vulnerable library: /react-main/fixtures/ssr2/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/ssr/package.json,/fixtures/ssr2/package.json,/fixtures/ssr/package.json
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - webpack-dev-server-2.11.3.tgz - express-4.17.1.tgz - :x: **body-parser-1.19.0.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability Detailsbody-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
Publish Date: 2024-09-10
URL: CVE-2024-45590
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7
Release Date: 2024-09-10
Fix Resolution: body-parser - 1.20.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-45296
### Vulnerable Libraries - path-to-regexp-1.8.0.tgz, path-to-regexp-0.1.7.tgz### path-to-regexp-1.8.0.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-1.8.0.tgz
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - sw-precache-webpack-plugin-0.11.4.tgz - sw-precache-5.2.1.tgz - sw-toolbox-3.6.0.tgz - :x: **path-to-regexp-1.8.0.tgz** (Vulnerable Library) ### path-to-regexp-0.1.7.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz
Path to dependency file: /react-main/fixtures/nesting/package.json
Path to vulnerable library: /react-main/fixtures/nesting/node_modules/path-to-regexp/package.json,/fixtures/fizz/package.json,/fixtures/ssr/package.json,/fixtures/attribute-behavior/package.json,/fixtures/ssr2/package.json,/react-main/fixtures/fizz/package.json,/react-main/fixtures/ssr2/package.json,/fixtures/nesting/node_modules/path-to-regexp/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/expiration/package.json,/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/ssr/package.json
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - webpack-dev-server-2.11.3.tgz - express-4.17.1.tgz - :x: **path-to-regexp-0.1.7.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability Detailspath-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Publish Date: 2024-09-09
URL: CVE-2024-45296
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j
Release Date: 2024-09-09
Fix Resolution (path-to-regexp): 8.0.0
Direct dependency fix Resolution (react-scripts): 2.0.1
Fix Resolution (path-to-regexp): 8.0.0
Direct dependency fix Resolution (react-scripts): 2.0.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-4068
### Vulnerable Libraries - braces-1.8.5.tgz, braces-3.0.2.tgz### braces-1.8.5.tgz
Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.
Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz
Path to dependency file: /fixtures/packaging/webpack-alias/prod/package.json
Path to vulnerable library: /fixtures/packaging/webpack-alias/prod/package.json,/react-main/fixtures/attribute-behavior/package.json,/react-main/fixtures/packaging/webpack/dev/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/packaging/webpack-alias/prod/package.json,/fixtures/concurrent/time-slicing/package.json,/fixtures/packaging/webpack-alias/dev/package.json,/fixtures/packaging/webpack/dev/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/packaging/webpack/prod/package.json,/react-main/fixtures/expiration/package.json,/fixtures/packaging/webpack/prod/package.json,/fixtures/expiration/package.json,/react-main/fixtures/packaging/webpack-alias/dev/package.json
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - webpack-dev-server-2.11.3.tgz - http-proxy-middleware-0.17.4.tgz - micromatch-2.3.11.tgz - :x: **braces-1.8.5.tgz** (Vulnerable Library) ### braces-3.0.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /fixtures/legacy-jsx-runtimes/package.json
Path to vulnerable library: /fixtures/legacy-jsx-runtimes/package.json,/react-main/fixtures/flight/package.json,/fixtures/ssr2/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/flight-esm/package.json,/react-main/fixtures/nesting/node_modules/watchpack/node_modules/braces/package.json,/react-main/fixtures/ssr2/package.json,/fixtures/nesting/node_modules/fork-ts-checker-webpack-plugin/node_modules/braces/package.json,/fixtures/fizz/package.json,/fixtures/flight/package.json,/react-main/fixtures/fizz/package.json,/fixtures/nesting/node_modules/watchpack/node_modules/braces/package.json,/react-main/fixtures/nesting/node_modules/fork-ts-checker-webpack-plugin/node_modules/braces/package.json,/react-main/fixtures/legacy-jsx-runtimes/package.json,/fixtures/flight-esm/package.json
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - webpack-3.8.1.tgz - watchpack-1.7.5.tgz - chokidar-3.5.1.tgz - :x: **braces-3.0.2.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsThe NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash. Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: 2024-05-13
URL: CVE-2024-4068
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2024-05-13
Fix Resolution: braces - 3.0.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-21536
### Vulnerable Library - http-proxy-middleware-0.17.4.tgzThe one-liner node.js proxy middleware for connect, express and browser-sync
Library home page: https://registry.npmjs.org/http-proxy-middleware/-/http-proxy-middleware-0.17.4.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - webpack-dev-server-2.11.3.tgz - :x: **http-proxy-middleware-0.17.4.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsVersions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
Publish Date: 2024-10-19
URL: CVE-2024-21536
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21536
Release Date: 2024-10-19
Fix Resolution: http-proxy-middleware - 2.0.7,3.0.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-37620
### Vulnerable Library - html-minifier-3.5.21.tgzHighly configurable, well-tested, JavaScript-based HTML minifier.
Library home page: https://registry.npmjs.org/html-minifier/-/html-minifier-3.5.21.tgz
Path to dependency file: /react-main/fixtures/concurrent/time-slicing/package.json
Path to vulnerable library: /react-main/fixtures/concurrent/time-slicing/package.json,/fixtures/concurrent/time-slicing/package.json
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - html-webpack-plugin-2.29.0.tgz - :x: **html-minifier-3.5.21.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsA Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.
Publish Date: 2022-10-31
URL: CVE-2022-37620
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-37603
### Vulnerable Library - loader-utils-1.4.0.tgzutils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - postcss-loader-2.0.8.tgz - :x: **loader-utils-1.4.0.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsA Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: 2022-10-14
URL: CVE-2022-37603
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-3rfm-jhwj-7488
Release Date: 2022-10-14
Fix Resolution (loader-utils): 1.4.2
Direct dependency fix Resolution (react-scripts): 4.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-3517
### Vulnerable Library - minimatch-3.0.3.tgza glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.3.tgz
Path to dependency file: /react-main/fixtures/expiration/package.json
Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/concurrent/time-slicing/package.json
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - react-dev-utils-5.0.3.tgz - recursive-readdir-2.2.1.tgz - :x: **minimatch-3.0.3.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsA vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-24999
### Vulnerable Library - qs-6.7.0.tgzA querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.7.0.tgz
Path to dependency file: /fixtures/ssr/package.json
Path to vulnerable library: /fixtures/ssr/package.json,/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/concurrent/time-slicing/package.json,/react-main/fixtures/ssr2/package.json,/react-main/fixtures/ssr/package.json,/fixtures/ssr2/package.json
Dependency Hierarchy: - react-scripts-1.1.5.tgz (Root Library) - webpack-dev-server-2.11.3.tgz - express-4.17.1.tgz - :x: **qs-6.7.0.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability Detailsqs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.7.3
Direct dependency fix Resolution (react-scripts): 2.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)