mend-for-github-com[bot]
commented
9 months ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-11.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/next/package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-37601
### Vulnerable Library - loader-utils-1.2.3.tgzutils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/styled-jsx/node_modules/loader-utils/package.json
Dependency Hierarchy: - next-11.0.1.tgz (Root Library) - styled-jsx-3.3.2.tgz - :x: **loader-utils-1.2.3.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsPrototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (next): 12.0.9-canary.1
In order to enable automatic remediation, please create workflow rules
CVE-2021-42740
### Vulnerable Library - shell-quote-1.7.2.tgzquote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/shell-quote/package.json
Dependency Hierarchy: - next-11.0.1.tgz (Root Library) - react-dev-overlay-11.0.1.tgz - :x: **shell-quote-1.7.2.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThe shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (next): 11.1.1-canary.12
In order to enable automatic remediation, please create workflow rules
CVE-2024-42461
### Vulnerable Library - elliptic-6.5.5.tgzLibrary home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy: - next-11.0.1.tgz (Root Library) - crypto-browserify-3.12.0.tgz - create-ecdh-4.0.4.tgz - :x: **elliptic-6.5.5.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsIn the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.
Publish Date: 2024-08-02
URL: CVE-2024-42461
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here.
CVE-2022-37603
### Vulnerable Library - loader-utils-1.2.3.tgzutils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/styled-jsx/node_modules/loader-utils/package.json
Dependency Hierarchy: - next-11.0.1.tgz (Root Library) - styled-jsx-3.3.2.tgz - :x: **loader-utils-1.2.3.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsA Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: 2022-10-14
URL: CVE-2022-37603
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-3rfm-jhwj-7488
Release Date: 2022-10-14
Fix Resolution (loader-utils): 1.4.2
Direct dependency fix Resolution (next): 12.0.9-canary.1
In order to enable automatic remediation, please create workflow rules
CVE-2021-43803
### Vulnerable Library - next-11.0.1.tgzThe React Framework
Library home page: https://registry.npmjs.org/next/-/next-11.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/next/package.json
Dependency Hierarchy: - :x: **next-11.0.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsNext.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue.
Publish Date: 2021-12-09
URL: CVE-2021-43803
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx
Release Date: 2021-12-10
Fix Resolution: 11.1.2-canary.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-37699
### Vulnerable Library - next-11.0.1.tgzThe React Framework
Library home page: https://registry.npmjs.org/next/-/next-11.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/next/package.json
Dependency Hierarchy: - :x: **next-11.0.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsNext.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. The issue has been patched in release 11.1.0.
Publish Date: 2021-08-11
URL: CVE-2021-37699
### CVSS 3 Score Details (6.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9
Release Date: 2021-08-11
Fix Resolution: 11.0.2-canary.0
In order to enable automatic remediation, please create workflow rules
CVE-2022-0235
### Vulnerable Library - node-fetch-2.6.1.tgzA light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-fetch/package.json
Dependency Hierarchy: - next-11.0.1.tgz (Root Library) - :x: **node-fetch-2.6.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailsnode-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution (node-fetch): 2.6.7
Direct dependency fix Resolution (next): 11.1.4
In order to enable automatic remediation, please create workflow rules
CVE-2022-23646
### Vulnerable Library - next-11.0.1.tgzThe React Framework
Library home page: https://registry.npmjs.org/next/-/next-11.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/next/package.json
Dependency Hierarchy: - :x: **next-11.0.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsNext.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different `loader configuration` other than the default.
Publish Date: 2022-02-17
URL: CVE-2022-23646
### CVSS 3 Score Details (5.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23646
Release Date: 2022-02-17
Fix Resolution: 12.0.11-canary.10
In order to enable automatic remediation, please create workflow rules
CVE-2024-42460
### Vulnerable Library - elliptic-6.5.5.tgzLibrary home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy: - next-11.0.1.tgz (Root Library) - crypto-browserify-3.12.0.tgz - create-ecdh-4.0.4.tgz - :x: **elliptic-6.5.5.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsIn the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.
Publish Date: 2024-08-02
URL: CVE-2024-42460
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.
CVE-2024-42459
### Vulnerable Library - elliptic-6.5.5.tgzLibrary home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy: - next-11.0.1.tgz (Root Library) - crypto-browserify-3.12.0.tgz - create-ecdh-4.0.4.tgz - :x: **elliptic-6.5.5.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsIn the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.
Publish Date: 2024-08-02
URL: CVE-2024-42459
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2024-08-02
Fix Resolution: elliptic - 6.5.7
CVE-2023-44270
### Vulnerable Library - postcss-8.2.13.tgzTool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.2.13.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss/package.json
Dependency Hierarchy: - next-11.0.1.tgz (Root Library) - :x: **postcss-8.2.13.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsAn issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
Publish Date: 2023-09-29
URL: CVE-2023-44270
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-7fh5-64p2-3v2j
Release Date: 2023-09-29
Fix Resolution (postcss): 8.4.31
Direct dependency fix Resolution (next): 13.5.4-canary.8
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules