Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.2
Direct dependency fix Resolution (express): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
WS-2018-0111
### Vulnerable Libraries - base64-url-1.2.1.tgz, base64-url-1.3.3.tgz
### base64-url-1.2.1.tgz
Base64 encode, decode, escape and unescape for URL applications
negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.
Denial-of-Service Extended Event Loop Blocking.The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.
the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
method-override is a module used by the Express.js framework to let you use HTTP verbs such as PUT or DELETE in places where the client doesn't support it. method-override is vulnerable to a regular expression denial of service vulnerability when specially crafted input is passed in to be parsed via the X-HTTP-Method-Override header.
The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Mend Note: Converted from WS-2017-0330, on 2022-11-08.
The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.
Cross-site scripting (XSS) vulnerability in the serve-index package before 1.6.3 for Node.js allows remote attackers to inject arbitrary web script or HTML via a crafted file or directory name.
A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
Node-cookie-signature before 1.0.6 is affected by a timing attack due to the type of comparison used.
Mend Note: Converted from WS-2016-0056, on 2022-11-08.
Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH_INFO to the default URI.
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2019-5413
### Vulnerable Library - morgan-1.1.1.tgzhttp request logger middleware for node.js
Library home page: https://registry.npmjs.org/morgan/-/morgan-1.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/morgan/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - connect-2.20.2.tgz - :x: **morgan-1.1.1.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability DetailsAn attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1.
Publish Date: 2019-03-21
URL: CVE-2019-5413
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://hackerone.com/reports/390881
Release Date: 2019-03-21
Fix Resolution (morgan): 1.9.1
Direct dependency fix Resolution (express): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-44906
### Vulnerable Library - minimist-0.0.8.tgzparse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - mkdirp-0.5.0.tgz - :x: **minimist-0.0.8.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability DetailsMinimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.2
Direct dependency fix Resolution (express): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
WS-2018-0111
### Vulnerable Libraries - base64-url-1.2.1.tgz, base64-url-1.3.3.tgz### base64-url-1.2.1.tgz
Base64 encode, decode, escape and unescape for URL applications
Library home page: https://registry.npmjs.org/base64-url/-/base64-url-1.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/uid-safe/node_modules/base64-url/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - connect-2.20.2.tgz - csurf-1.2.2.tgz - csrf-tokens-2.0.0.tgz - uid-safe-1.1.0.tgz - :x: **base64-url-1.2.1.tgz** (Vulnerable Library) ### base64-url-1.3.3.tgz
Base64 encode, decode, escape and unescape for URL applications
Library home page: https://registry.npmjs.org/base64-url/-/base64-url-1.3.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/base64-url/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - connect-2.20.2.tgz - csurf-1.2.2.tgz - csrf-tokens-2.0.0.tgz - :x: **base64-url-1.3.3.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability DetailsVersions of base64-url before 2.0.0 are vulnerable to out-of-bounds read as it allocates uninitialized Buffers when number is passed in input.
Publish Date: 2018-05-16
URL: WS-2018-0111
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nodesecurity.io/advisories/660
Release Date: 2018-01-27
Fix Resolution (base64-url): 2.0.0
Direct dependency fix Resolution (express): 4.0.0
Fix Resolution (base64-url): 2.0.0
Direct dependency fix Resolution (express): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2016-10539
### Vulnerable Library - negotiator-0.4.6.tgzHTTP content negotiation
Library home page: https://registry.npmjs.org/negotiator/-/negotiator-0.4.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/negotiator/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - connect-2.20.2.tgz - errorhandler-1.1.0.tgz - accepts-1.0.3.tgz - :x: **negotiator-0.4.6.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability Detailsnegotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.
Publish Date: 2018-05-31
URL: CVE-2016-10539
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.npmjs.com/advisories/106
Release Date: 2018-04-26
Fix Resolution (negotiator): 0.6.1
Direct dependency fix Resolution (express): 4.14.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
WS-2014-0005
### Vulnerable Library - qs-0.6.6.tgzquerystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - connect-2.20.2.tgz - :x: **qs-0.6.6.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability DetailsDenial-of-Service Extended Event Loop Blocking.The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time
Publish Date: 2014-07-31
URL: WS-2014-0005
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2014-0005
Release Date: 2014-07-31
Fix Resolution (qs): 1.0.0
Direct dependency fix Resolution (express): 3.16.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-20165
### Vulnerable Library - debug-1.0.2.tgzsmall debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-1.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/debug/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - :x: **debug-1.0.2.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability DetailsA vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.
Publish Date: 2023-01-09
URL: CVE-2017-20165
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-9vvw-cc9w-f27h
Release Date: 2023-01-09
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (express): 4.15.5
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-1000048
### Vulnerable Library - qs-0.6.6.tgzquerystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - connect-2.20.2.tgz - :x: **qs-0.6.6.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability Detailsthe web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
Publish Date: 2017-07-17
URL: CVE-2017-1000048
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048
Release Date: 2017-07-13
Fix Resolution (qs): 6.0.4
Direct dependency fix Resolution (express): 4.14.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-16136
### Vulnerable Library - method-override-2.0.2.tgzOverride HTTP verbs
Library home page: https://registry.npmjs.org/method-override/-/method-override-2.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/method-override/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - connect-2.20.2.tgz - :x: **method-override-2.0.2.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability Detailsmethod-override is a module used by the Express.js framework to let you use HTTP verbs such as PUT or DELETE in places where the client doesn't support it. method-override is vulnerable to a regular expression denial of service vulnerability when specially crafted input is passed in to be parsed via the X-HTTP-Method-Override header.
Publish Date: 2018-06-07
URL: CVE-2017-16136
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16136
Release Date: 2018-04-26
Fix Resolution (method-override): 2.3.10
Direct dependency fix Resolution (express): 3.18.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-16138
### Vulnerable Library - mime-1.2.11.tgzA comprehensive library for mime-type mapping
Library home page: https://registry.npmjs.org/mime/-/mime-1.2.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mime/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - send-0.4.3.tgz - :x: **mime-1.2.11.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability DetailsThe mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input. Mend Note: Converted from WS-2017-0330, on 2022-11-08.
Publish Date: 2018-06-07
URL: CVE-2017-16138
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138
Release Date: 2018-04-26
Fix Resolution (mime): 1.4.1
Direct dependency fix Resolution (express): 4.16.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2014-10064
### Vulnerable Library - qs-0.6.6.tgzquerystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - connect-2.20.2.tgz - :x: **qs-0.6.6.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability DetailsThe qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
Publish Date: 2018-05-31
URL: CVE-2014-10064
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-10064
Release Date: 2018-04-26
Fix Resolution (qs): 1.0.0
Direct dependency fix Resolution (express): 3.16.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2015-8315
### Vulnerable Library - ms-0.6.2.tgzTiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.6.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ms/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - debug-1.0.2.tgz - :x: **ms-0.6.2.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability DetailsThe ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2015-8315
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8315
Release Date: 2017-01-23
Fix Resolution (ms): 0.7.1
Direct dependency fix Resolution (express): 3.21.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-16119
### Vulnerable Library - fresh-0.2.2.tgzHTTP response freshness testing
Library home page: https://registry.npmjs.org/fresh/-/fresh-0.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/fresh/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - :x: **fresh-0.2.2.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability DetailsFresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Publish Date: 2018-06-07
URL: CVE-2017-16119
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.npmjs.com/advisories/526
Release Date: 2018-04-26
Fix Resolution (fresh): 0.5.2
Direct dependency fix Resolution (express): 4.15.5
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2014-6394
### Vulnerable Library - send-0.4.3.tgzBetter streaming static file server with Range and conditional-GET support
Library home page: https://registry.npmjs.org/send/-/send-0.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/send/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - :x: **send-0.4.3.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability Detailsvisionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.
Publish Date: 2014-10-08
URL: CVE-2014-6394
### CVSS 3 Score Details (7.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-6394
Release Date: 2014-10-08
Fix Resolution (send): 0.8.4
Direct dependency fix Resolution (express): 3.16.10
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2015-8856
### Vulnerable Library - serve-index-1.1.2.tgzServe directory listings
Library home page: https://registry.npmjs.org/serve-index/-/serve-index-1.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/serve-index/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - connect-2.20.2.tgz - :x: **serve-index-1.1.2.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability DetailsCross-site scripting (XSS) vulnerability in the serve-index package before 1.6.3 for Node.js allows remote attackers to inject arbitrary web script or HTML via a crafted file or directory name.
Publish Date: 2017-01-23
URL: CVE-2015-8856
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8856
Release Date: 2017-01-23
Fix Resolution (serve-index): 1.6.3
Direct dependency fix Resolution (express): 3.19.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-7598
### Vulnerable Library - minimist-0.0.8.tgzparse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - mkdirp-0.5.0.tgz - :x: **minimist-0.0.8.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability Detailsminimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
### CVSS 3 Score Details (5.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (express): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-20162
### Vulnerable Library - ms-0.6.2.tgzTiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.6.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ms/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - debug-1.0.2.tgz - :x: **ms-0.6.2.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability DetailsA vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.
Publish Date: 2023-01-05
URL: CVE-2017-20162
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2023-01-05
Fix Resolution (ms): 2.0.0
Direct dependency fix Resolution (express): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2015-8859
### Vulnerable Library - send-0.4.3.tgzBetter streaming static file server with Range and conditional-GET support
Library home page: https://registry.npmjs.org/send/-/send-0.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/send/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - :x: **send-0.4.3.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability DetailsThe send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors.
Publish Date: 2017-01-23
URL: CVE-2015-8859
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8859
Release Date: 2017-01-23
Fix Resolution (send): 0.11.1
Direct dependency fix Resolution (express): 3.19.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-16137
### Vulnerable Library - debug-1.0.2.tgzsmall debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-1.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/debug/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - :x: **debug-1.0.2.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability DetailsThe debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137
Release Date: 2018-04-26
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (express): 4.15.5
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2014-7191
### Vulnerable Library - qs-0.6.6.tgzquerystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - connect-2.20.2.tgz - :x: **qs-0.6.6.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability DetailsThe qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
Publish Date: 2014-10-19
URL: CVE-2014-7191
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191
Release Date: 2014-10-19
Fix Resolution (qs): 1.0.0
Direct dependency fix Resolution (express): 3.16.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2016-1000236
### Vulnerable Library - cookie-signature-1.0.3.tgzSign and unsign cookies
Library home page: https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/cookie-signature/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - :x: **cookie-signature-1.0.3.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability DetailsNode-cookie-signature before 1.0.6 is affected by a timing attack due to the type of comparison used. Mend Note: Converted from WS-2016-0056, on 2022-11-08.
Publish Date: 2019-11-19
URL: CVE-2016-1000236
### CVSS 3 Score Details (4.4)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-92vm-wfm5-mxvv
Release Date: 2019-11-19
Fix Resolution (cookie-signature): 1.0.4
Direct dependency fix Resolution (express): 3.12.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2015-1164
### Vulnerable Library - serve-static-1.2.3.tgzServe static files
Library home page: https://registry.npmjs.org/serve-static/-/serve-static-1.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/serve-static/package.json
Dependency Hierarchy: - express-3.11.0.tgz (Root Library) - connect-2.20.2.tgz - :x: **serve-static-1.2.3.tgz** (Vulnerable Library)
Found in HEAD commit: 08e7ae040cab7db134a00d8b763c00dd8bc070a7
Found in base branch: main
### Vulnerability DetailsOpen redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH_INFO to the default URI.
Publish Date: 2015-01-21
URL: CVE-2015-1164
### CVSS 3 Score Details (3.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-1164
Release Date: 2015-01-21
Fix Resolution (serve-static): 1.7.2
Direct dependency fix Resolution (express): 3.18.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.