*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0691
### Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-1650
### Vulnerable Library - eventsource-1.0.7.tgz
W3C compliant EventSource client for Node.js and browser (polyfill)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2022-05-12
Fix Resolution (eventsource): 1.1.1
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0686
### Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-43138
### Vulnerable Library - async-2.6.3.tgz
Higher-order functions and common patterns for asynchronous code
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-24772
### Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.
Direct dependency fix Resolution (webpack-dev-server): 4.7.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-24771
### Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.
Direct dependency fix Resolution (webpack-dev-server): 4.7.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-28469
### Vulnerable Library - glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Direct dependency fix Resolution (webpack-dev-server): 4.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2022-0008
### Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Direct dependency fix Resolution (webpack-dev-server): 4.7.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-28849
### Vulnerable Library - follow-redirects-1.13.0.tgz
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0155
### Vulnerable Library - follow-redirects-1.13.0.tgz
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-23386
### Vulnerable Library - dns-packet-1.3.1.tgz
An abstract-encoding compliant module for encoding / decoding DNS packets
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-26159
### Vulnerable Library - follow-redirects-1.13.0.tgz
Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0122
### Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Direct dependency fix Resolution (webpack-dev-server): 4.7.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0536
### Vulnerable Library - follow-redirects-1.13.0.tgz
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-24773
### Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.
Direct dependency fix Resolution (webpack-dev-server): 4.7.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0639
### Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0512
### Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-3664
### Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-32640
### Vulnerable Library - ws-6.2.1.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-27515
### Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-42282
### Vulnerable Library - ip-1.1.5.tgz[](https://www.npmjs.com/package/ip)
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ip
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - :x: **ip-1.1.5.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsThe ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Publish Date: 2024-02-08
URL: CVE-2023-42282
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-78xj-cgh5-2h22
Release Date: 2024-02-08
Fix Resolution (ip): 1.1.9
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0691
### Vulnerable Library - url-parse-1.4.7.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - sockjs-client-1.4.0.tgz - :x: **url-parse-1.4.7.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsAuthorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-1650
### Vulnerable Library - eventsource-1.0.7.tgzW3C compliant EventSource client for Node.js and browser (polyfill)
Library home page: https://registry.npmjs.org/eventsource/-/eventsource-1.0.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/eventsource
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - sockjs-client-1.4.0.tgz - :x: **eventsource-1.0.7.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsImproper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.
Publish Date: 2022-05-12
URL: CVE-2022-1650
### CVSS 3 Score Details (9.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-05-12
Fix Resolution (eventsource): 1.1.1
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0686
### Vulnerable Library - url-parse-1.4.7.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - sockjs-client-1.4.0.tgz - :x: **url-parse-1.4.7.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsAuthorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-43138
### Vulnerable Library - async-2.6.3.tgzHigher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/async
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - portfinder-1.0.28.tgz - :x: **async-2.6.3.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsIn Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
### CVSS 3 Score Details (7.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-24772
### Vulnerable Library - node-forge-0.10.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - selfsigned-1.10.8.tgz - :x: **node-forge-0.10.0.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsForge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (webpack-dev-server): 4.7.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-24771
### Vulnerable Library - node-forge-0.10.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - selfsigned-1.10.8.tgz - :x: **node-forge-0.10.0.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsForge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (webpack-dev-server): 4.7.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-28469
### Vulnerable Library - glob-parent-3.1.0.tgzStrips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - chokidar-2.1.8.tgz - :x: **glob-parent-3.1.0.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsThis affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (webpack-dev-server): 4.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2022-0008
### Vulnerable Library - node-forge-0.10.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - selfsigned-1.10.8.tgz - :x: **node-forge-0.10.0.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsThe forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
### CVSS 3 Score Details (6.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (webpack-dev-server): 4.7.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-28849
### Vulnerable Library - follow-redirects-1.13.0.tgzHTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - http-proxy-middleware-0.19.1.tgz - http-proxy-1.18.1.tgz - :x: **follow-redirects-1.13.0.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability Detailsfollow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-03-14
URL: CVE-2024-28849
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
Release Date: 2024-03-14
Fix Resolution: follow-redirects - 1.15.6
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0155
### Vulnerable Library - follow-redirects-1.13.0.tgzHTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - http-proxy-middleware-0.19.1.tgz - http-proxy-1.18.1.tgz - :x: **follow-redirects-1.13.0.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability Detailsfollow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution (follow-redirects): 1.14.7
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-23386
### Vulnerable Library - dns-packet-1.3.1.tgzAn abstract-encoding compliant module for encoding / decoding DNS packets
Library home page: https://registry.npmjs.org/dns-packet/-/dns-packet-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/dns-packet
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - bonjour-3.5.0.tgz - multicast-dns-6.2.3.tgz - :x: **dns-packet-1.3.1.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsThis affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.
Publish Date: 2021-05-20
URL: CVE-2021-23386
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23386
Release Date: 2021-05-20
Fix Resolution (dns-packet): 1.3.2
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-26159
### Vulnerable Library - follow-redirects-1.13.0.tgzHTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - http-proxy-middleware-0.19.1.tgz - http-proxy-1.18.1.tgz - :x: **follow-redirects-1.13.0.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsVersions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
Publish Date: 2024-01-02
URL: CVE-2023-26159
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26159
Release Date: 2024-01-02
Fix Resolution (follow-redirects): 1.15.4
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0122
### Vulnerable Library - node-forge-0.10.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - selfsigned-1.10.8.tgz - :x: **node-forge-0.10.0.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability Detailsforge is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2022-01-06
URL: CVE-2022-0122
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (webpack-dev-server): 4.7.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0536
### Vulnerable Library - follow-redirects-1.13.0.tgzHTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - http-proxy-middleware-0.19.1.tgz - http-proxy-1.18.1.tgz - :x: **follow-redirects-1.13.0.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsImproper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.
Publish Date: 2022-02-09
URL: CVE-2022-0536
### CVSS 3 Score Details (5.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536
Release Date: 2022-02-09
Fix Resolution (follow-redirects): 1.14.8
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-24773
### Vulnerable Library - node-forge-0.10.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - selfsigned-1.10.8.tgz - :x: **node-forge-0.10.0.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsForge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24773
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (webpack-dev-server): 4.7.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0639
### Vulnerable Library - url-parse-1.4.7.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - sockjs-client-1.4.0.tgz - :x: **url-parse-1.4.7.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsAuthorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
Publish Date: 2022-02-17
URL: CVE-2022-0639
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639
Release Date: 2022-02-17
Fix Resolution (url-parse): 1.5.7
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0512
### Vulnerable Library - url-parse-1.4.7.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - sockjs-client-1.4.0.tgz - :x: **url-parse-1.4.7.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsAuthorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
Publish Date: 2022-02-14
URL: CVE-2022-0512
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512
Release Date: 2022-02-14
Fix Resolution (url-parse): 1.5.6
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-3664
### Vulnerable Library - url-parse-1.4.7.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - sockjs-client-1.4.0.tgz - :x: **url-parse-1.4.7.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability Detailsurl-parse is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2021-07-26
URL: CVE-2021-3664
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664
Release Date: 2021-07-26
Fix Resolution (url-parse): 1.5.2
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-32640
### Vulnerable Library - ws-6.2.1.tgzSimple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-6.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ws
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - :x: **ws-6.2.1.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability Detailsws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.
Publish Date: 2021-05-25
URL: CVE-2021-32640
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
Release Date: 2021-05-25
Fix Resolution (ws): 6.2.2
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-27515
### Vulnerable Library - url-parse-1.4.7.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse
Dependency Hierarchy: - webpack-dev-server-3.11.0.tgz (Root Library) - sockjs-client-1.4.0.tgz - :x: **url-parse-1.4.7.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability Detailsurl-parse before 1.5.0 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.
Publish Date: 2021-02-22
URL: CVE-2021-27515
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27515
Release Date: 2021-02-22
Fix Resolution (url-parse): 1.5.0
Direct dependency fix Resolution (webpack-dev-server): 3.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)