Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/resolve-url-loader/node_modules/postcss/package.json,/react-main/fixtures/nesting/node_modules/resolve-url-loader/node_modules/postcss/package.json
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (20 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Direct dependency fix Resolution (react-scripts): 3.4.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-37601
### Vulnerable Library - loader-utils-1.2.3.tgz
Path to dependency file: /react-main/fixtures/nesting/package.json
Path to vulnerable library: /react-main/fixtures/nesting/node_modules/react-dev-utils/node_modules/loader-utils/package.json,/react-main/fixtures/nesting/node_modules/adjust-sourcemap-loader/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/adjust-sourcemap-loader/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/react-dev-utils/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/resolve-url-loader/node_modules/loader-utils/package.json,/react-main/fixtures/nesting/node_modules/resolve-url-loader/node_modules/loader-utils/package.json
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Direct dependency fix Resolution (react-scripts): 4.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-42740
### Vulnerable Library - shell-quote-1.7.2.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/react-dev-utils/node_modules/shell-quote/package.json,/react-main/fixtures/nesting/node_modules/react-dev-utils/node_modules/shell-quote/package.json
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-3757
### Vulnerable Library - immer-1.10.0.tgz
Create your next immutable state by mutating the current one
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-29415
### Vulnerable Library - ip-1.1.8.tgz
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-7660
### Vulnerable Library - serialize-javascript-2.1.2.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/serialize-javascript/package.json,/react-main/fixtures/nesting/node_modules/serialize-javascript/package.json
Direct dependency fix Resolution (react-scripts): 3.4.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-15256
### Vulnerable Library - object-path-0.11.4.tgz
A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and setting the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of `set()` in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the `includeInheritedProps: true` options or the `withInheritedProps` instance if using a version >= 0.11.0.
Direct dependency fix Resolution (react-scripts): 3.4.4
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-37890
### Vulnerable Library - ws-5.2.3.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Direct dependency fix Resolution (react-scripts): 4.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-21536
### Vulnerable Library - http-proxy-middleware-0.19.1.tgz
The one-liner node.js proxy middleware for connect, express and browser-sync
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/http-proxy-middleware/package.json,/react-main/fixtures/nesting/node_modules/http-proxy-middleware/package.json
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-37603
### Vulnerable Library - loader-utils-1.2.3.tgz
Path to dependency file: /react-main/fixtures/nesting/package.json
Path to vulnerable library: /react-main/fixtures/nesting/node_modules/react-dev-utils/node_modules/loader-utils/package.json,/react-main/fixtures/nesting/node_modules/adjust-sourcemap-loader/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/adjust-sourcemap-loader/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/react-dev-utils/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/resolve-url-loader/node_modules/loader-utils/package.json,/react-main/fixtures/nesting/node_modules/resolve-url-loader/node_modules/loader-utils/package.json
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Direct dependency fix Resolution (react-scripts): 4.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-3805
### Vulnerable Library - object-path-0.11.4.tgz
Direct dependency fix Resolution (react-scripts): 3.4.4
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-28477
### Vulnerable Library - immer-1.10.0.tgz
Create your next immutable state by mutating the current one
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2021-01-19
Fix Resolution (immer): 8.0.1
Direct dependency fix Resolution (react-scripts): 4.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-29180
### Vulnerable Library - webpack-dev-middleware-3.7.3.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/webpack-dev-middleware/package.json,/react-main/fixtures/nesting/node_modules/webpack-dev-middleware/package.json
Prior to versions 7.1.0, 6.1.2, and 5.3.4, the webpack-dev-middleware development middleware for devpack does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine. The middleware can either work with the physical filesystem when reading the files or it can use a virtualized in-memory `memfs` filesystem. If `writeToDisk` configuration option is set to `true`, the physical filesystem is used. The `getFilenameFromUrl` method is used to parse URL and build the local file path. The public path prefix is stripped from the URL, and the `unsecaped` path suffix is appended to the `outputPath`. As the URL is not unescaped and normalized automatically before calling the midlleware, it is possible to use `%2e` and `%2f` sequences to perform path traversal attack.
Developers using `webpack-dev-server` or `webpack-dev-middleware` are affected by the issue. When the project is started, an attacker might access any file on the developer's machine and exfiltrate the content. If the development server is listening on a public IP address (or `0.0.0.0`), an attacker on the local network can access the local files without any interaction from the victim (direct connection to the port). If the server allows access from third-party domains, an attacker can send a malicious link to the victim. When visited, the client side script can connect to the local server and exfiltrate the local files. Starting with fixed versions 7.1.0, 6.1.2, and 5.3.4, the URL is unescaped and normalized before any further processing.
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-26159
### Vulnerable Library - follow-redirects-1.15.3.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/follow-redirects/package.json,/react-main/fixtures/nesting/node_modules/follow-redirects/package.json
Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
Direct dependency fix Resolution (react-scripts): 3.4.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-28849
### Vulnerable Library - follow-redirects-1.15.3.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/follow-redirects/package.json,/react-main/fixtures/nesting/node_modules/follow-redirects/package.json
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-43788
### Vulnerable Library - webpack-4.42.0.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-29041
### Vulnerable Library - express-4.18.2.tgz
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()` but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-24033
### Vulnerable Library - react-dev-utils-10.2.1.tgz
Path to dependency file: /react-main/fixtures/nesting/package.json
Path to vulnerable library: /react-main/fixtures/nesting/node_modules/react-dev-utils/package.json,/fixtures/nesting/node_modules/react-dev-utils/package.json
react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.
Direct dependency fix Resolution (react-scripts): 4.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-23436
### Vulnerable Library - immer-1.10.0.tgz
Create your next immutable state by mutating the current one
This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-23434
### Vulnerable Library - object-path-0.11.4.tgz
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/resolve-url-loader/node_modules/postcss/package.json,/react-main/fixtures/nesting/node_modules/resolve-url-loader/node_modules/postcss/package.json
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-42282
### Vulnerable Library - ip-1.1.8.tgz[](https://www.npmjs.com/package/ip)
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.8.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/ip/package.json,/react-main/fixtures/nesting/node_modules/ip/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - webpack-dev-server-3.10.3.tgz - :x: **ip-1.1.8.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsThe ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Publish Date: 2024-02-08
URL: CVE-2023-42282
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-78xj-cgh5-2h22
Release Date: 2024-02-08
Fix Resolution (ip): 1.1.9
Direct dependency fix Resolution (react-scripts): 3.4.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-37601
### Vulnerable Library - loader-utils-1.2.3.tgzutils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz
Path to dependency file: /react-main/fixtures/nesting/package.json
Path to vulnerable library: /react-main/fixtures/nesting/node_modules/react-dev-utils/node_modules/loader-utils/package.json,/react-main/fixtures/nesting/node_modules/adjust-sourcemap-loader/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/adjust-sourcemap-loader/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/react-dev-utils/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/resolve-url-loader/node_modules/loader-utils/package.json,/react-main/fixtures/nesting/node_modules/resolve-url-loader/node_modules/loader-utils/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - react-dev-utils-10.2.1.tgz - :x: **loader-utils-1.2.3.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsPrototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Publish Date: 2022-10-12
URL: CVE-2022-37601
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (react-scripts): 4.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-42740
### Vulnerable Library - shell-quote-1.7.2.tgzquote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/react-dev-utils/node_modules/shell-quote/package.json,/react-main/fixtures/nesting/node_modules/react-dev-utils/node_modules/shell-quote/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - react-dev-utils-10.2.1.tgz - :x: **shell-quote-1.7.2.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsThe shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-3757
### Vulnerable Library - immer-1.10.0.tgzCreate your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/immer/package.json,/react-main/fixtures/nesting/node_modules/immer/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - react-dev-utils-10.2.1.tgz - :x: **immer-1.10.0.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability Detailsimmer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-09-02
URL: CVE-2021-3757
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa/
Release Date: 2021-09-02
Fix Resolution (immer): 9.0.6
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-29415
### Vulnerable Library - ip-1.1.8.tgz[](https://www.npmjs.com/package/ip)
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.8.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/ip/package.json,/react-main/fixtures/nesting/node_modules/ip/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - webpack-dev-server-3.10.3.tgz - :x: **ip-1.1.8.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsThe ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Publish Date: 2024-05-27
URL: CVE-2024-29415
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-7660
### Vulnerable Library - serialize-javascript-2.1.2.tgzSerialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/serialize-javascript/package.json,/react-main/fixtures/nesting/node_modules/serialize-javascript/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - terser-webpack-plugin-2.3.5.tgz - :x: **serialize-javascript-2.1.2.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability Detailsserialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-01
Fix Resolution (serialize-javascript): 3.1.0
Direct dependency fix Resolution (react-scripts): 3.4.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-15256
### Vulnerable Library - object-path-0.11.4.tgzAccess deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /react-main/fixtures/nesting/package.json
Path to vulnerable library: /react-main/fixtures/nesting/node_modules/object-path/package.json,/fixtures/nesting/node_modules/object-path/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - resolve-url-loader-3.1.1.tgz - adjust-sourcemap-loader-2.0.0.tgz - :x: **object-path-0.11.4.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsA prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and setting the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of `set()` in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the `includeInheritedProps: true` options or the `withInheritedProps` instance if using a version >= 0.11.0.
Publish Date: 2020-10-19
URL: CVE-2020-15256
### CVSS 3 Score Details (7.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/mariocasciaro/object-path/security/advisories/GHSA-cwx2-736x-mf6w
Release Date: 2020-10-19
Fix Resolution (object-path): 0.11.5
Direct dependency fix Resolution (react-scripts): 3.4.4
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-37890
### Vulnerable Library - ws-5.2.3.tgzSimple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-5.2.3.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/ws/package.json,/react-main/fixtures/nesting/node_modules/ws/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - jest-24.9.0.tgz - jest-cli-24.9.0.tgz - jest-config-24.9.0.tgz - jest-environment-jsdom-24.9.0.tgz - jsdom-11.12.0.tgz - :x: **ws-5.2.3.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability Detailsws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: 2024-06-17
URL: CVE-2024-37890
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q
Release Date: 2024-06-17
Fix Resolution (ws): 5.2.4
Direct dependency fix Resolution (react-scripts): 4.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-21536
### Vulnerable Library - http-proxy-middleware-0.19.1.tgzThe one-liner node.js proxy middleware for connect, express and browser-sync
Library home page: https://registry.npmjs.org/http-proxy-middleware/-/http-proxy-middleware-0.19.1.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/http-proxy-middleware/package.json,/react-main/fixtures/nesting/node_modules/http-proxy-middleware/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - webpack-dev-server-3.10.3.tgz - :x: **http-proxy-middleware-0.19.1.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsVersions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
Publish Date: 2024-10-19
URL: CVE-2024-21536
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21536
Release Date: 2024-10-19
Fix Resolution: http-proxy-middleware - 2.0.7,3.0.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-37603
### Vulnerable Library - loader-utils-1.2.3.tgzutils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz
Path to dependency file: /react-main/fixtures/nesting/package.json
Path to vulnerable library: /react-main/fixtures/nesting/node_modules/react-dev-utils/node_modules/loader-utils/package.json,/react-main/fixtures/nesting/node_modules/adjust-sourcemap-loader/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/adjust-sourcemap-loader/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/react-dev-utils/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/resolve-url-loader/node_modules/loader-utils/package.json,/react-main/fixtures/nesting/node_modules/resolve-url-loader/node_modules/loader-utils/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - react-dev-utils-10.2.1.tgz - :x: **loader-utils-1.2.3.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsA Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: 2022-10-14
URL: CVE-2022-37603
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-3rfm-jhwj-7488
Release Date: 2022-10-14
Fix Resolution (loader-utils): 1.4.2
Direct dependency fix Resolution (react-scripts): 4.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-3805
### Vulnerable Library - object-path-0.11.4.tgzAccess deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /react-main/fixtures/nesting/package.json
Path to vulnerable library: /react-main/fixtures/nesting/node_modules/object-path/package.json,/fixtures/nesting/node_modules/object-path/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - resolve-url-loader-3.1.1.tgz - adjust-sourcemap-loader-2.0.0.tgz - :x: **object-path-0.11.4.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability Detailsobject-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-09-17
URL: CVE-2021-3805
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053/
Release Date: 2021-09-17
Fix Resolution (object-path): 0.11.8
Direct dependency fix Resolution (react-scripts): 3.4.4
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-28477
### Vulnerable Library - immer-1.10.0.tgzCreate your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/immer/package.json,/react-main/fixtures/nesting/node_modules/immer/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - react-dev-utils-10.2.1.tgz - :x: **immer-1.10.0.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsThis affects all versions of package immer.
Publish Date: 2021-01-19
URL: CVE-2020-28477
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2021-01-19
Fix Resolution (immer): 8.0.1
Direct dependency fix Resolution (react-scripts): 4.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-29180
### Vulnerable Library - webpack-dev-middleware-3.7.3.tgzA development middleware for webpack
Library home page: https://registry.npmjs.org/webpack-dev-middleware/-/webpack-dev-middleware-3.7.3.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/webpack-dev-middleware/package.json,/react-main/fixtures/nesting/node_modules/webpack-dev-middleware/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - webpack-dev-server-3.10.3.tgz - :x: **webpack-dev-middleware-3.7.3.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsPrior to versions 7.1.0, 6.1.2, and 5.3.4, the webpack-dev-middleware development middleware for devpack does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine. The middleware can either work with the physical filesystem when reading the files or it can use a virtualized in-memory `memfs` filesystem. If `writeToDisk` configuration option is set to `true`, the physical filesystem is used. The `getFilenameFromUrl` method is used to parse URL and build the local file path. The public path prefix is stripped from the URL, and the `unsecaped` path suffix is appended to the `outputPath`. As the URL is not unescaped and normalized automatically before calling the midlleware, it is possible to use `%2e` and `%2f` sequences to perform path traversal attack. Developers using `webpack-dev-server` or `webpack-dev-middleware` are affected by the issue. When the project is started, an attacker might access any file on the developer's machine and exfiltrate the content. If the development server is listening on a public IP address (or `0.0.0.0`), an attacker on the local network can access the local files without any interaction from the victim (direct connection to the port). If the server allows access from third-party domains, an attacker can send a malicious link to the victim. When visited, the client side script can connect to the local server and exfiltrate the local files. Starting with fixed versions 7.1.0, 6.1.2, and 5.3.4, the URL is unescaped and normalized before any further processing.
Publish Date: 2024-03-21
URL: CVE-2024-29180
### CVSS 3 Score Details (7.4)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/webpack/webpack-dev-middleware/security/advisories/GHSA-wr3j-pwj9-hqq6
Release Date: 2024-03-21
Fix Resolution (webpack-dev-middleware): 5.3.4
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-26159
### Vulnerable Library - follow-redirects-1.15.3.tgzLibrary home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.3.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/follow-redirects/package.json,/react-main/fixtures/nesting/node_modules/follow-redirects/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - webpack-dev-server-3.10.3.tgz - http-proxy-middleware-0.19.1.tgz - http-proxy-1.18.1.tgz - :x: **follow-redirects-1.15.3.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsVersions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
Publish Date: 2024-01-02
URL: CVE-2023-26159
### CVSS 3 Score Details (7.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26159
Release Date: 2024-01-02
Fix Resolution (follow-redirects): 1.15.4
Direct dependency fix Resolution (react-scripts): 3.4.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-28849
### Vulnerable Library - follow-redirects-1.15.3.tgzLibrary home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.3.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/follow-redirects/package.json,/react-main/fixtures/nesting/node_modules/follow-redirects/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - webpack-dev-server-3.10.3.tgz - http-proxy-middleware-0.19.1.tgz - http-proxy-1.18.1.tgz - :x: **follow-redirects-1.15.3.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability Detailsfollow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-03-14
URL: CVE-2024-28849
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
Release Date: 2024-03-14
Fix Resolution: follow-redirects - 1.15.6
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-43788
### Vulnerable Library - webpack-4.42.0.tgzPacks CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-4.42.0.tgz
Path to dependency file: /react-main/fixtures/nesting/package.json
Path to vulnerable library: /react-main/fixtures/nesting/node_modules/webpack/package.json,/fixtures/nesting/node_modules/webpack/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - :x: **webpack-4.42.0.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsWebpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2024-08-27
URL: CVE-2024-43788
### CVSS 3 Score Details (6.4)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
Release Date: 2024-08-27
Fix Resolution: webpack - 5.94.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-29041
### Vulnerable Library - express-4.18.2.tgzFast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/express/package.json,/react-main/fixtures/nesting/node_modules/express/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - webpack-dev-server-3.10.3.tgz - :x: **express-4.18.2.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsExpress.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()` but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.
Publish Date: 2024-03-25
URL: CVE-2024-29041
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc
Release Date: 2024-03-25
Fix Resolution: express - 4.19.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-24033
### Vulnerable Library - react-dev-utils-10.2.1.tgzwebpack utilities used by Create React App
Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-10.2.1.tgz
Path to dependency file: /react-main/fixtures/nesting/package.json
Path to vulnerable library: /react-main/fixtures/nesting/node_modules/react-dev-utils/package.json,/fixtures/nesting/node_modules/react-dev-utils/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - :x: **react-dev-utils-10.2.1.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability Detailsreact-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.
Publish Date: 2021-03-09
URL: CVE-2021-24033
### CVSS 3 Score Details (5.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.facebook.com/security/advisories/cve-2021-24033
Release Date: 2021-03-09
Fix Resolution (react-dev-utils): 11.0.4
Direct dependency fix Resolution (react-scripts): 4.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-23436
### Vulnerable Library - immer-1.10.0.tgzCreate your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/immer/package.json,/react-main/fixtures/nesting/node_modules/immer/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - react-dev-utils-10.2.1.tgz - :x: **immer-1.10.0.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsThis affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.
Publish Date: 2021-09-01
URL: CVE-2021-23436
### CVSS 3 Score Details (5.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23436
Release Date: 2021-09-01
Fix Resolution (immer): 9.0.6
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-23434
### Vulnerable Library - object-path-0.11.4.tgzAccess deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /react-main/fixtures/nesting/package.json
Path to vulnerable library: /react-main/fixtures/nesting/node_modules/object-path/package.json,/fixtures/nesting/node_modules/object-path/package.json
Dependency Hierarchy: - react-scripts-3.4.1.tgz (Root Library) - resolve-url-loader-3.1.1.tgz - adjust-sourcemap-loader-2.0.0.tgz - :x: **object-path-0.11.4.tgz** (Vulnerable Library)
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
### Vulnerability DetailsThis affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.
Publish Date: 2021-08-27
URL: CVE-2021-23434
### CVSS 3 Score Details (5.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23434
Release Date: 2021-08-27
Fix Resolution (object-path): 0.11.6
Direct dependency fix Resolution (react-scripts): 3.4.4
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)