harrinry / drupal

Verbatim mirror of the git.drupal.org repository for Drupal core. Please see https://github.com/drupal/drupal#contributing. PRs are not accepted on GitHub.
https://drupal.org/project/drupal

nightwatch-1.7.11.tgz: 16 vulnerabilities (highest severity is: 10.0) #3

Open mend-for-github-com[bot] opened 2 years ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - nightwatch-1.7.11.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/ansi-regex/package.json

Found in HEAD commit: 16626d58172731968ccace84d2e7487bf814dc11

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (nightwatch version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-30547 | Critical | 10.0 | vm2-3.9.5.tgz | Transitive | 1.7.12 | |
| CVE-2023-29199 | Critical | 10.0 | vm2-3.9.5.tgz | Transitive | 1.7.12 | |
| CVE-2022-36067 | Critical | 10.0 | vm2-3.9.5.tgz | Transitive | 1.7.12 | |
| CVE-2023-42282 | Critical | 9.8 | ip-1.1.5.tgz | Transitive | 1.7.12 | |
| CVE-2023-29017 | Critical | 9.8 | vm2-3.9.5.tgz | Transitive | 1.7.12 | |
| CVE-2023-26136 | Critical | 9.8 | tough-cookie-2.5.0.tgz | Transitive | 2.0.0-experimental.1 | |
| CVE-2022-29078 | Critical | 9.8 | ejs-3.1.6.tgz | Transitive | 1.7.12 | |
| CVE-2022-25893 | Critical | 9.8 | vm2-3.9.5.tgz | Transitive | 1.7.12 | |
| CVE-2021-3918 | Critical | 9.8 | json-schema-0.2.3.tgz | Transitive | 1.7.12 | |
| CVE-2021-23555 | Critical | 9.8 | vm2-3.9.5.tgz | Transitive | 1.7.12 | |
| CVE-2024-29415 | Critical | 9.1 | ip-1.1.5.tgz | Transitive | N/A* | |
| WS-2021-0638 | High | 7.5 | mocha-6.2.3.tgz | Transitive | 3.1.3 | |
| CVE-2022-25883 | High | 7.5 | detected in multiple dependencies | Transitive | 2.0.0-experimental.1 | |
| CVE-2022-24999 | High | 7.5 | qs-6.5.2.tgz | Transitive | 1.7.12 | |
| CVE-2021-3807 | High | 7.5 | detected in multiple dependencies | Transitive | 1.7.12 | |
| CVE-2023-28155 | Medium | 6.1 | request-2.88.2.tgz | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.

Details

CVE-2023-30547

### Vulnerable Library - vm2-3.9.5.tgz

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!

Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.5.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/vm2/package.json

Dependency Hierarchy:
- nightwatch-1.7.11.tgz (Root Library)
  - proxy-agent-5.0.0.tgz
    - pac-proxy-agent-5.0.0.tgz
      - pac-resolver-5.0.0.tgz
        - degenerator-3.0.1.tgz
          - :x: **vm2-3.9.5.tgz** (Vulnerable Library)

Found in HEAD commit: 16626d58172731968ccace84d2e7487bf814dc11

Found in base branch: 9.4.x

### Vulnerability Details

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.

Publish Date: 2023-04-17

URL: CVE-2023-30547

### CVSS 3 Score Details (10.0)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-30547

Release Date: 2023-04-17

Fix Resolution (vm2): 3.9.18

Direct dependency fix Resolution (nightwatch): 1.7.12

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2023-29199

### Vulnerable Library - vm2-3.9.5.tgz

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!

Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.5.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/vm2/package.json

Dependency Hierarchy:
- nightwatch-1.7.11.tgz (Root Library)
  - proxy-agent-5.0.0.tgz
    - pac-proxy-agent-5.0.0.tgz
      - pac-resolver-5.0.0.tgz
        - degenerator-3.0.1.tgz
          - :x: **vm2-3.9.5.tgz** (Vulnerable Library)

Found in HEAD commit: 16626d58172731968ccace84d2e7487bf814dc11

Found in base branch: 9.4.x

### Vulnerability Details

There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.16` of `vm2`.

Publish Date: 2023-04-14

URL: CVE-2023-29199

### CVSS 3 Score Details (10.0)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985

Release Date: 2023-04-14

Fix Resolution (vm2): 3.9.16

Direct dependency fix Resolution (nightwatch): 1.7.12

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2022-36067

### Vulnerable Library - vm2-3.9.5.tgz

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!

Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.5.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/vm2/package.json

Dependency Hierarchy:
- nightwatch-1.7.11.tgz (Root Library)
  - proxy-agent-5.0.0.tgz
    - pac-proxy-agent-5.0.0.tgz
      - pac-resolver-5.0.0.tgz
        - degenerator-3.0.1.tgz
          - :x: **vm2-3.9.5.tgz** (Vulnerable Library)

Found in HEAD commit: 16626d58172731968ccace84d2e7487bf814dc11

Found in base branch: 9.4.x

### Vulnerability Details

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.

Publish Date: 2022-09-06

URL: CVE-2022-36067

### CVSS 3 Score Details (10.0)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrq

Release Date: 2022-09-06

Fix Resolution (vm2): 3.9.11

Direct dependency fix Resolution (nightwatch): 1.7.12

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2023-42282

### Vulnerable Library - ip-1.1.5.tgz

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/ip/package.json

Dependency Hierarchy:
- nightwatch-1.7.11.tgz (Root Library)
  - proxy-agent-5.0.0.tgz
    - pac-proxy-agent-5.0.0.tgz
      - pac-resolver-5.0.0.tgz
        - :x: **ip-1.1.5.tgz** (Vulnerable Library)

Found in HEAD commit: 16626d58172731968ccace84d2e7487bf814dc11

Found in base branch: 9.4.x

### Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-78xj-cgh5-2h22

Release Date: 2024-02-08

Fix Resolution (ip): 1.1.9

Direct dependency fix Resolution (nightwatch): 1.7.12

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2023-29017

### Vulnerable Library - vm2-3.9.5.tgz

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!

Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.5.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/vm2/package.json

Dependency Hierarchy:
- nightwatch-1.7.11.tgz (Root Library)
  - proxy-agent-5.0.0.tgz
    - pac-proxy-agent-5.0.0.tgz
      - pac-resolver-5.0.0.tgz
        - degenerator-3.0.1.tgz
          - :x: **vm2-3.9.5.tgz** (Vulnerable Library)

Found in HEAD commit: 16626d58172731968ccace84d2e7487bf814dc11

Found in base branch: 9.4.x

### Vulnerability Details

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.

Publish Date: 2023-04-06

URL: CVE-2023-29017

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-29017

Release Date: 2023-04-06

Fix Resolution (vm2): 3.9.15

Direct dependency fix Resolution (nightwatch): 1.7.12

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2023-26136

### Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/tough-cookie/package.json

Dependency Hierarchy:
- nightwatch-1.7.11.tgz (Root Library)
  - request-promise-4.2.6.tgz
    - :x: **tough-cookie-2.5.0.tgz** (Vulnerable Library)

Found in HEAD commit: 16626d58172731968ccace84d2e7487bf814dc11

Found in base branch: 9.4.x

### Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (nightwatch): 2.0.0-experimental.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2022-29078

### Vulnerable Library - ejs-3.1.6.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.6.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/ejs/package.json

Dependency Hierarchy:
- nightwatch-1.7.11.tgz (Root Library)
  - :x: **ejs-3.1.6.tgz** (Vulnerable Library)

Found in HEAD commit: 16626d58172731968ccace84d2e7487bf814dc11

Found in base branch: 9.4.x

### Vulnerability Details

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Publish Date: 2022-04-25

URL: CVE-2022-29078

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~

Release Date: 2022-04-25

Fix Resolution (ejs): 3.1.7

Direct dependency fix Resolution (nightwatch): 1.7.12

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2022-25893

### Vulnerable Library - vm2-3.9.5.tgz

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!

Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.5.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/vm2/package.json

Dependency Hierarchy:
- nightwatch-1.7.11.tgz (Root Library)
  - proxy-agent-5.0.0.tgz
    - pac-proxy-agent-5.0.0.tgz
      - pac-resolver-5.0.0.tgz
        - degenerator-3.0.1.tgz
          - :x: **vm2-3.9.5.tgz** (Vulnerable Library)

Found in HEAD commit: 16626d58172731968ccace84d2e7487bf814dc11

Found in base branch: 9.4.x

### Vulnerability Details

The package vm2 before 3.9.10 is vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.

Publish Date: 2022-12-21

URL: CVE-2022-25893

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-4w2j-2rg4-5mjw

Release Date: 2022-12-21

Fix Resolution (vm2): 3.9.10

Direct dependency fix Resolution (nightwatch): 1.7.12

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-3918

### Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/json-schema/package.json

Dependency Hierarchy:
- nightwatch-1.7.11.tgz (Root Library)
  - request-2.88.2.tgz
    - http-signature-1.2.0.tgz
      - jsprim-1.4.1.tgz
        - :x: **json-schema-0.2.3.tgz** (Vulnerable Library)

Found in HEAD commit: 16626d58172731968ccace84d2e7487bf814dc11

Found in base branch: 9.4.x

### Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (nightwatch): 1.7.12

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-23555

### Vulnerable Library - vm2-3.9.5.tgz

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!

Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.5.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/vm2/package.json

Dependency Hierarchy:
- nightwatch-1.7.11.tgz (Root Library)
  - proxy-agent-5.0.0.tgz
    - pac-proxy-agent-5.0.0.tgz
      - pac-resolver-5.0.0.tgz
        - degenerator-3.0.1.tgz
          - :x: **vm2-3.9.5.tgz** (Vulnerable Library)

Found in HEAD commit: 16626d58172731968ccace84d2e7487bf814dc11

Found in base branch: 9.4.x

### Vulnerability Details

The package vm2 before 3.9.6 is vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of stack traces, which can lead to execution of arbitrary code on the host machine.

Publish Date: 2022-02-11

URL: CVE-2021-23555

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23555

Release Date: 2022-02-11

Fix Resolution (vm2): 3.9.6

Direct dependency fix Resolution (nightwatch): 1.7.12

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2024-29415

### Vulnerable Library - ip-1.1.5.tgz

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/ip/package.json

Dependency Hierarchy:
- nightwatch-1.7.11.tgz (Root Library)
  - proxy-agent-5.0.0.tgz
    - pac-proxy-agent-5.0.0.tgz
      - pac-resolver-5.0.0.tgz
        - :x: **ip-1.1.5.tgz** (Vulnerable Library)

Found in HEAD commit: 16626d58172731968ccace84d2e7487bf814dc11

Found in base branch: 9.4.x

### Vulnerability Details

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

Publish Date: 2024-05-27

URL: CVE-2024-29415

### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

WS-2021-0638

### Vulnerable Library - mocha-6.2.3.tgz

simple, flexible, fun test framework

Library home page: https://registry.npmjs.org/mocha/-/mocha-6.2.3.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/mocha/package.json

Dependency Hierarchy:
- nightwatch-1.7.11.tgz (Root Library)
  - :x: **mocha-6.2.3.tgz** (Vulnerable Library)

Found in HEAD commit: 16626d58172731968ccace84d2e7487bf814dc11

Found in base branch: 9.4.x

### Vulnerability Details

There is a Regular Expression Denial of Service (ReDoS) vulnerability in mocha. It can cause a denial of service when stripping a crafted invalid function definition from strs.

Publish Date: 2021-09-18

URL: WS-2021-0638

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2021-09-18

Fix Resolution (mocha): 10.1.0

Direct dependency fix Resolution (nightwatch): 3.1.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2022-25883

### Vulnerable Libraries - semver-6.3.0.tgz, semver-5.7.1.tgz

### semver-6.3.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/semver/package.json

Dependency Hierarchy:
- nightwatch-1.7.11.tgz (Root Library)
  - :x: **semver-6.3.0.tgz** (Vulnerable Library)

### semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/node-environment-flags/node_modules/semver/package.json

Dependency Hierarchy:
- nightwatch-1.7.11.tgz (Root Library)
  - mocha-6.2.3.tgz
    - node-environment-flags-1.0.5.tgz
      - :x: **semver-5.7.1.tgz** (Vulnerable Library)

Found in HEAD commit: 16626d58172731968ccace84d2e7487bf814dc11

Found in base branch: 9.4.x

### Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution (semver): 6.3.1

Direct dependency fix Resolution (nightwatch): 2.0.0-experimental.1

Fix Resolution (semver): 6.3.1

Direct dependency fix Resolution (nightwatch): 2.0.0-experimental.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2022-24999

### Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/qs/package.json

Dependency Hierarchy:
- nightwatch-1.7.11.tgz (Root Library)
  - request-2.88.2.tgz
    - :x: **qs-6.5.2.tgz** (Vulnerable Library)

Found in HEAD commit: 16626d58172731968ccace84d2e7487bf814dc11

Found in base branch: 9.4.x

### Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (nightwatch): 1.7.12

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-3807

### Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz

### ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/ansi-regex/package.json

Dependency Hierarchy:
- nightwatch-1.7.11.tgz (Root Library)
  - mocha-6.2.3.tgz
    - yargs-13.3.2.tgz
      - cliui-5.0.0.tgz
        - strip-ansi-5.2.0.tgz
          - :x: **ansi-regex-4.1.0.tgz** (Vulnerable Library)

### ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/ansi-regex/package.json

Dependency Hierarchy:
- nightwatch-1.7.11.tgz (Root Library)
  - mocha-6.2.3.tgz
    - wide-align-1.1.3.tgz
      - string-width-2.1.1.tgz
        - strip-ansi-4.0.0.tgz
          - :x: **ansi-regex-3.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: 16626d58172731968ccace84d2e7487bf814dc11

Found in base branch: 9.4.x

### Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 4.1.1

Direct dependency fix Resolution (nightwatch): 1.7.12

Fix Resolution (ansi-regex): 4.1.1

Direct dependency fix Resolution (nightwatch): 1.7.12

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2023-28155

### Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /core/package.json

Path to vulnerable library: /core/node_modules/request/package.json

Dependency Hierarchy:
- nightwatch-1.7.11.tgz (Root Library)
  - :x: **request-2.88.2.tgz** (Vulnerable Library)

Found in HEAD commit: 16626d58172731968ccace84d2e7487bf814dc11

Found in base branch: 9.4.x

### Vulnerability Details

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: The request package is no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0


:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.