*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/got/package.json
Found in HEAD commit: 3384ce87c5a64fda38e1585006d79c93f4e126a3
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-33987
### Vulnerable Library - got-8.3.2.tgzSimplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-8.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/got/package.json
Dependency Hierarchy: - download-8.0.0.tgz (Root Library) - :x: **got-8.3.2.tgz** (Vulnerable Library)
Found in HEAD commit: 3384ce87c5a64fda38e1585006d79c93f4e126a3
Found in base branch: main
### Vulnerability DetailsThe got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 4 Score Details (6.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution: got - 11.8.5,12.1.0
CVE-2022-25881
### Vulnerable Library - http-cache-semantics-3.8.1.tgzParses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-3.8.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/http-cache-semantics/package.json
Dependency Hierarchy: - download-8.0.0.tgz (Root Library) - got-8.3.2.tgz - cacheable-request-2.1.4.tgz - :x: **http-cache-semantics-3.8.1.tgz** (Vulnerable Library)
Found in HEAD commit: 3384ce87c5a64fda38e1585006d79c93f4e126a3
Found in base branch: main
### Vulnerability DetailsThis affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: 2023-01-31
URL: CVE-2022-25881
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.2%
### CVSS 4 Score Details (6.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-rc47-6667-2j5j
Release Date: 2023-01-31
Fix Resolution: http-cache-semantics - 4.1.1;org.webjars.npm:http-cache-semantics:4.1.1