*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
This affects the package html-parse-stringify before 2.0.1; all versions of package html-parse-stringify2. Sending certain input could cause one of the regular expressions that is used for parsing to backtrack, freezing the process.
Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json
Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/html-parse-stringify2/package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-23346
### Vulnerable Library - html-parse-stringify2-2.0.1.tgzParses well-formed HTML (meaning all tags closed) into an AST and back. quickly.
Library home page: https://registry.npmjs.org/html-parse-stringify2/-/html-parse-stringify2-2.0.1.tgz
Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json
Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/html-parse-stringify2/package.json
Dependency Hierarchy: - react-i18next-11.7.3.tgz (Root Library) - :x: **html-parse-stringify2-2.0.1.tgz** (Vulnerable Library)
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` company-communicator-5.1.0/src/i18n.ts (Application) -> react-i18next-11.7.3/dist/commonjs/index.js (Extension) -> react-i18next-11.7.3/dist/commonjs/Trans.js (Extension) -> html-parse-stringify2-2.0.1/index.js (Extension) -> ❌ html-parse-stringify2-2.0.1/lib/parse.js (Vulnerable Component) ``` ### Vulnerability DetailsThis affects the package html-parse-stringify before 2.0.1; all versions of package html-parse-stringify2. Sending certain input could cause one of the regular expressions that is used for parsing to backtrack, freezing the process.
Publish Date: 2021-03-04
URL: CVE-2021-23346
### CVSS 3 Score Details (4.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-545q-3fg6-48m7
Release Date: 2021-03-04
Fix Resolution: html-parse-stringify 2.0.1