When we ran npm audit --json for my project, which has html-pdf-node as one of its dependencies, we got the following advisory.
Please note that the severity is critical.
Any help would be really helpful.
{
  "1070415": {
    "findings": [
      {
        "version": "1.0.2",
        "paths": [
          "html-pdf-node>inline-css>cheerio>css-select>nth-check",
          "html-pdf-node>inline-css>extract-css>list-stylesheets>cheerio>css-select>nth-check"
        ]
      }
    ],
    "metadata": null,
    "vulnerable_versions": "<2.0.1",
    "module_name": "nth-check",
    "severity": "high",
    "github_advisory_id": "GHSA-rp65-9cf3-cjxr",
    "cves": [
      "CVE-2021-3803"
    ],
    "access": "public",
    "patched_versions": ">=2.0.1",
    "cvss": {
      "score": 7.5,
      "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
    },
    "updated": "2022-05-26T19:57:03.000Z",
    "recommendation": "Upgrade to version 2.0.1 or later",
    "cwe": [
      "CWE-1333"
    ],
    "found_by": null,
    "deleted": null,
    "id": 1070415,
    "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3803\n- https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726\n- https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0\n- https://github.com/advisories/GHSA-rp65-9cf3-cjxr",
    "created": "2021-09-20T20:47:31.000Z",
    "reported_by": null,
    "title": "Inefficient Regular Expression Complexity in nth-check",
    "npm_advisory_id": null,
    "overview": "nth-check is vulnerable to Inefficient Regular Expression Complexity",
    "url": "https://github.com/advisories/GHSA-rp65-9cf3-cjxr"
  },
  "1084495": {
    "findings": [
      {
        "version": "2.6.1",
        "paths": [
          "html-pdf-node>puppeteer>node-fetch"
        ]
      }
    ],
    "metadata": null,
    "vulnerable_versions": "<2.6.7",
    "module_name": "node-fetch",
    "severity": "high",
    "github_advisory_id": "GHSA-r683-j2x4-v87g",
    "cves": [
      "CVE-2022-0235"
    ],
    "access": "public",
    "patched_versions": ">=2.6.7",
    "cvss": {
      "score": 8.8,
      "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
    },
    "updated": "2022-09-19T22:12:10.000Z",
    "recommendation": "Upgrade to version 2.6.7 or later",
    "cwe": [
      "CWE-173",
      "CWE-200",
      "CWE-601"
    ],
    "found_by": null,
    "deleted": null,
    "id": 1084495,
    "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0235\n- https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10\n- https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7\n- https://github.com/node-fetch/node-fetch/pull/1453\n- https://github.com/node-fetch/node-fetch/commit/5c32f002fdd65b1c6a8f1e3620210813d45c7e60\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-r683-j2x4-v87g",
    "created": "2022-01-21T23:55:52.000Z",
    "reported_by": null,
    "title": "node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor",
    "npm_advisory_id": null,
    "overview": "node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor",
    "url": "https://github.com/advisories/GHSA-r683-j2x4-v87g"
  }
}
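Both advisories above are transitive: neither nth-check nor node-fetch is a direct dependency, they arrive through html-pdf-node's own dependency chain, and `npm audit fix` cannot always reach them. The script below is an added example, not part of the question or of the html-pdf-node project. It reads the same `npm audit --json` structure, reports for each advisory which direct dependency pulls the vulnerable package in and whether a patched version is published, and derives an npm `overrides` block (package.json, npm 8.3 or newer) that forces the patched versions. The `sampleAudit` object is constructed from the two advisories quoted in the question; the treatment of `"<0.0.0"` as "no fix available" is an assumption about npm's convention for unfixed advisories.

```javascript
// Added example: summarize `npm audit --json` advisories and derive
// package.json "overrides" for transitive dependencies. Not code from the
// question or from html-pdf-node.

// Constructed sample, reduced to the fields this script reads, copied from
// the two advisories in the question.
const sampleAudit = {
  "1070415": {
    findings: [{ version: "1.0.2", paths: [
      "html-pdf-node>inline-css>cheerio>css-select>nth-check",
      "html-pdf-node>inline-css>extract-css>list-stylesheets>cheerio>css-select>nth-check",
    ] }],
    module_name: "nth-check", severity: "high",
    vulnerable_versions: "<2.0.1", patched_versions: ">=2.0.1",
    cves: ["CVE-2021-3803"], cvss: { score: 7.5 },
    github_advisory_id: "GHSA-rp65-9cf3-cjxr",
  },
  "1084495": {
    findings: [{ version: "2.6.1", paths: ["html-pdf-node>puppeteer>node-fetch"] }],
    module_name: "node-fetch", severity: "high",
    vulnerable_versions: "<2.6.7", patched_versions: ">=2.6.7",
    cves: ["CVE-2022-0235"], cvss: { score: 8.8 },
    github_advisory_id: "GHSA-r683-j2x4-v87g",
  },
};

// One summary row per advisory: the direct dependencies at the head of each
// "a>b>c" path, whether the package is only reachable transitively, and
// whether a patched range exists.
function summarizeAdvisories(audit) {
  return Object.values(audit).map((adv) => {
    const finding = adv.findings[0];
    const chains = finding.paths.map((p) => p.split(">"));
    const directDeps = [...new Set(chains.map((c) => c[0]))];
    const minDepth = Math.min(...chains.map((c) => c.length));
    return {
      module: adv.module_name,
      installed: finding.version,
      severity: adv.severity,
      score: adv.cvss.score,
      cves: adv.cves,
      advisory: adv.github_advisory_id,
      directDeps,
      transitive: minDepth > 1,
      // Assumption: npm reports "<0.0.0" as patched_versions when no fix exists.
      fixAvailable: adv.patched_versions !== "<0.0.0",
      patched: adv.patched_versions,
    };
  });
}

// Turn ">=X.Y.Z" patched ranges into an npm "overrides" object so the
// nested copies are resolved to a fixed version regardless of what the
// intermediate packages declare.
function buildOverrides(audit) {
  const overrides = {};
  for (const adv of Object.values(audit)) {
    const m = /^>=\s*(\d+\.\d+\.\d+)/.exec(adv.patched_versions);
    if (!m) continue; // unparseable or no published fix: overrides cannot help
    overrides[adv.module_name] = `^${m[1]}`;
  }
  return overrides;
}

// Human-readable report, one line per advisory, plus the overrides block.
function renderReport(audit) {
  const lines = summarizeAdvisories(audit).map((r) =>
    `${r.module}@${r.installed} ${r.severity} (CVSS ${r.score}) ${r.cves.join(",")} ` +
    `via ${r.directDeps.join(", ")}${r.transitive ? " [transitive]" : ""} ` +
    `fix: ${r.fixAvailable ? r.patched : "none published"}`);
  lines.push('"overrides": ' + JSON.stringify(buildOverrides(audit), null, 2));
  return lines.join("\n");
}

console.log(renderReport(sampleAudit));
```

To run it against a real project, replace `sampleAudit` with `JSON.parse(fs.readFileSync("audit.json", "utf8")).advisories` (the `npm audit --json` top level wraps the advisories in an `advisories` key on npm 6; newer npm versions emit a different `vulnerabilities` shape, so check which one your npm produced). An override bypasses the range the intermediate package declared, so after adding it reinstall, rerun `npm audit`, and exercise the PDF rendering path: nth-check 2.x is a major bump over the 1.0.2 that css-select was resolved to here. The durable fix is an html-pdf-node release whose chain resolves to the patched versions; the override is a stopgap until then.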