*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attacker can provide malicious input to trigger this vulnerability.
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
Library home page: https://registry.npmjs.org/sqlite3/-/sqlite3-5.1.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/sqlite3/package.json
Found in HEAD commit: 898e55dce59f24513206f629f1dd595ca468b56f
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-42282
### Vulnerable Library - ip-2.0.0.tgz[](https://www.npmjs.com/package/ip)
Library home page: https://registry.npmjs.org/ip/-/ip-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socks/node_modules/ip/package.json
Dependency Hierarchy: - sqlite3-5.1.4.tgz (Root Library) - node-gyp-8.4.1.tgz - make-fetch-happen-9.1.0.tgz - socks-proxy-agent-6.2.1.tgz - socks-2.7.1.tgz - :x: **ip-2.0.0.tgz** (Vulnerable Library)
Found in HEAD commit: 898e55dce59f24513206f629f1dd595ca468b56f
Found in base branch: master
### Vulnerability DetailsThe ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Publish Date: 2024-02-08
URL: CVE-2023-42282
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-78xj-cgh5-2h22
Release Date: 2024-02-08
Fix Resolution: ip - 1.1.9,2.0.1
CVE-2022-43441
### Vulnerable Library - sqlite3-5.1.4.tgzLibrary home page: https://registry.npmjs.org/sqlite3/-/sqlite3-5.1.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/sqlite3/package.json
Dependency Hierarchy: - :x: **sqlite3-5.1.4.tgz** (Vulnerable Library)
Found in HEAD commit: 898e55dce59f24513206f629f1dd595ca468b56f
Found in base branch: master
### Vulnerability DetailsA code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attacker can provide malicious input to trigger this vulnerability.
Publish Date: 2023-03-16
URL: CVE-2022-43441
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-jqv5-7xpx-qj74
Release Date: 2023-03-16
Fix Resolution: 5.1.5
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-29415
### Vulnerable Library - ip-2.0.0.tgz[](https://www.npmjs.com/package/ip)
Library home page: https://registry.npmjs.org/ip/-/ip-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socks/node_modules/ip/package.json
Dependency Hierarchy: - sqlite3-5.1.4.tgz (Root Library) - node-gyp-8.4.1.tgz - make-fetch-happen-9.1.0.tgz - socks-proxy-agent-6.2.1.tgz - socks-2.7.1.tgz - :x: **ip-2.0.0.tgz** (Vulnerable Library)
Found in HEAD commit: 898e55dce59f24513206f629f1dd595ca468b56f
Found in base branch: master
### Vulnerability DetailsThe ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Publish Date: 2024-05-27
URL: CVE-2024-29415
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here.
CVE-2022-25881
### Vulnerable Library - http-cache-semantics-4.1.0.tgzParses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/make-fetch-happen/node_modules/http-cache-semantics/package.json
Dependency Hierarchy: - sqlite3-5.1.4.tgz (Root Library) - node-gyp-8.4.1.tgz - make-fetch-happen-9.1.0.tgz - :x: **http-cache-semantics-4.1.0.tgz** (Vulnerable Library)
Found in HEAD commit: 898e55dce59f24513206f629f1dd595ca468b56f
Found in base branch: master
### Vulnerability DetailsThis affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: 2023-01-31
URL: CVE-2022-25881
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-rc47-6667-2j5j
Release Date: 2023-01-31
Fix Resolution (http-cache-semantics): 4.1.1
Direct dependency fix Resolution (sqlite3): 5.1.5
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-28863
### Vulnerable Library - tar-6.1.13.tgzLibrary home page: https://registry.npmjs.org/tar/-/tar-6.1.13.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tar/package.json
Dependency Hierarchy: - sqlite3-5.1.4.tgz (Root Library) - :x: **tar-6.1.13.tgz** (Vulnerable Library)
Found in HEAD commit: 898e55dce59f24513206f629f1dd595ca468b56f
Found in base branch: master
### Vulnerability Detailsnode-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
Publish Date: 2024-03-21
URL: CVE-2024-28863
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36
Release Date: 2024-03-21
Fix Resolution: tar - 6.2.1
:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.