Loading...
SBOMLINKSBOMLINK{
"bomFormat" : "CycloneDX",
"specVersion" : "1.5",
"serialNumber" : "urn:uuid:c3623944-deae-4c6c-b109-5e8592bf9011",
"version" : 1,
"metadata" : {
"timestamp" : "2025-04-01T06:59:20Z",
"tools" : [
{
"vendor" : "OWASP",
"name" : "Dependency-Track",
"version" : "4.12.7"
}
],
"component" : {
"type" : "application",
"bom-ref" : "1e609ca8-d057-4b9f-9444-8b05338d2630",
"name" : "Indifi Arya (Trivy)",
"version" : "1.0"
}
},
"components" : [
{
"type" : "library",
"bom-ref" : "d63dd4c3-8e88-424e-92df-df43de60da9d",
"name" : "@babel/runtime",
"version" : "7.11.2",
"purl" : "pkg:npm/%40babel/runtime@7.11.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "@babel/runtime@7.11.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "9ff407ea-7c4f-4999-97fa-d196ad26b16a",
"name" : "@grpc/grpc-js",
"version" : "0.2.0",
"purl" : "pkg:npm/%40grpc/grpc-js@0.2.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "@grpc/grpc-js@0.2.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "a4a74a4a-7ff3-4ec0-b449-0c1953950b14",
"name" : "adm-zip",
"version" : "0.4.4",
"purl" : "pkg:npm/adm-zip@0.4.4",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "adm-zip@0.4.4"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "35f50dfa-02fa-4bac-a09b-df329dc5131b",
"name" : "ajv",
"version" : "6.6.2",
"purl" : "pkg:npm/ajv@6.6.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "ajv@6.6.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "3312e655-f692-4114-8ca4-5a7a5264e8f8",
"name" : "ansi-regex",
"version" : "3.0.0",
"purl" : "pkg:npm/ansi-regex@3.0.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "ansi-regex@3.0.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "62ab7c97-9e2c-4b12-8d98-2bde43627186",
"name" : "async",
"version" : "3.2.0",
"purl" : "pkg:npm/async@3.2.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "async@3.2.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "bf9977a0-8e7b-46d8-afb5-64022026f5d9",
"name" : "async",
"version" : "2.6.4",
"purl" : "pkg:npm/async@2.6.4",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "async@2.6.4"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "01b41eab-13c4-4f1c-9358-9b9449778b91",
"name" : "async",
"version" : "2.6.3",
"purl" : "pkg:npm/async@2.6.3",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "async@2.6.3"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "e93b9b00-289f-43f0-84e0-70707ede82c5",
"name" : "async",
"version" : "2.6.1",
"purl" : "pkg:npm/async@2.6.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "async@2.6.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "3639fbbf-c0c2-41fd-a18c-3c23641689eb",
"name" : "aws-sdk",
"version" : "2.382.0",
"purl" : "pkg:npm/aws-sdk@2.382.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "aws-sdk@2.382.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "f7baeba9-2f33-422f-97fe-d2c4c57fefa4",
"name" : "axios",
"version" : "0.18.0",
"purl" : "pkg:npm/axios@0.18.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "axios@0.18.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "b348190c-7219-4032-bb4f-a7f81f5c8f83",
"name" : "axios",
"version" : "0.21.1",
"purl" : "pkg:npm/axios@0.21.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "axios@0.21.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "990a45d3-28b9-46bd-a21c-d40ee732d554",
"name" : "bl",
"version" : "0.9.5",
"purl" : "pkg:npm/bl@0.9.5",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "bl@0.9.5"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "6a8c0a4b-4670-44a8-989c-462681967fc8",
"name" : "bl",
"version" : "1.0.3",
"purl" : "pkg:npm/bl@1.0.3",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "bl@1.0.3"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "85ba9331-70b9-4a3b-9c14-fcc20c4623c6",
"name" : "bl",
"version" : "1.2.2",
"purl" : "pkg:npm/bl@1.2.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "bl@1.2.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "703da775-aa28-4d02-a68d-51814ec5759b",
"name" : "bl",
"version" : "1.1.2",
"purl" : "pkg:npm/bl@1.1.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "bl@1.1.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "98d3b6dc-0939-4142-b273-f473cd8598f8",
"name" : "body-parser",
"version" : "1.19.0",
"purl" : "pkg:npm/body-parser@1.19.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "body-parser@1.19.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "9586c461-43ec-4490-a81d-0dddbb7c7499",
"name" : "body-parser",
"version" : "1.18.3",
"purl" : "pkg:npm/body-parser@1.18.3",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "body-parser@1.18.3"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "8a9283a4-5f05-4547-8407-ef17659677b4",
"name" : "braces",
"version" : "2.3.2",
"purl" : "pkg:npm/braces@2.3.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "braces@2.3.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "5984a3ae-27b4-40bc-9005-f9dc230ea2f4",
"name" : "busboy",
"version" : "0.3.1",
"purl" : "pkg:npm/busboy@0.3.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "busboy@0.3.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "5547b27c-23dd-46c0-ad6b-53d1fd31cf2f",
"name" : "busboy",
"version" : "0.2.14",
"purl" : "pkg:npm/busboy@0.2.14",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "busboy@0.2.14"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "62582135-144f-444f-88f1-1c4fdaa3a0fd",
"name" : "cookie",
"version" : "0.4.0",
"purl" : "pkg:npm/cookie@0.4.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "cookie@0.4.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "c00b8bc1-9790-42dc-9008-2acb707e4131",
"name" : "cookie",
"version" : "0.3.1",
"purl" : "pkg:npm/cookie@0.3.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "cookie@0.3.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "17344285-4458-42a8-9729-9a566a370ef9",
"name" : "cross-spawn",
"version" : "6.0.5",
"purl" : "pkg:npm/cross-spawn@6.0.5",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "cross-spawn@6.0.5"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "e2533426-9158-4d1c-9d4a-4012f8a86dbc",
"name" : "crypto-js",
"version" : "3.3.0",
"purl" : "pkg:npm/crypto-js@3.3.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "crypto-js@3.3.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "ebbb889b-149e-4ce5-ab65-f6f418698655",
"name" : "css-what",
"version" : "2.1.2",
"purl" : "pkg:npm/css-what@2.1.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "css-what@2.1.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "8bfdd074-7fdd-4e0c-84c7-dc3f361e5311",
"name" : "decode-uri-component",
"version" : "0.2.0",
"purl" : "pkg:npm/decode-uri-component@0.2.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "decode-uri-component@0.2.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "d2e6aafe-6a00-4754-951d-fe31888ceae3",
"name" : "dicer",
"version" : "0.3.0",
"purl" : "pkg:npm/dicer@0.3.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "dicer@0.3.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "2c38df3c-c0c2-4e77-b79f-b2385862c1b9",
"name" : "dicer",
"version" : "0.2.5",
"purl" : "pkg:npm/dicer@0.2.5",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "dicer@0.2.5"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "f5e9b1be-2e32-4704-ace7-4492008009a8",
"name" : "ejs",
"version" : "2.6.1",
"purl" : "pkg:npm/ejs@2.6.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "ejs@2.6.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "c89ebebb-8df0-4151-be02-3de585e1634b",
"name" : "engine.io",
"version" : "3.3.2",
"purl" : "pkg:npm/engine.io@3.3.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "engine.io@3.3.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "7ff6cea8-e853-4bfe-afca-48048a31e065",
"name" : "express",
"version" : "4.16.4",
"purl" : "pkg:npm/express@4.16.4",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "express@4.16.4"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "f1e709d5-1536-4ab0-bdc4-9e241da81f6d",
"name" : "express",
"version" : "4.17.1",
"purl" : "pkg:npm/express@4.17.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "express@4.17.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "468c7e25-dc57-4054-90fa-b82a40265a80",
"name" : "fast-csv",
"version" : "2.4.1",
"purl" : "pkg:npm/fast-csv@2.4.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "fast-csv@2.4.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "721d52fd-7d66-441f-a6c2-5e07d72a899d",
"name" : "fast-xml-parser",
"version" : "3.12.11",
"purl" : "pkg:npm/fast-xml-parser@3.12.11",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "fast-xml-parser@3.12.11"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "8e9e4d99-1ad3-4846-8393-bf2cba3be27a",
"name" : "follow-redirects",
"version" : "1.14.2",
"purl" : "pkg:npm/follow-redirects@1.14.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "follow-redirects@1.14.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "69f8a4f3-47ce-4f91-86bc-0fc9899bf2d1",
"name" : "follow-redirects",
"version" : "1.13.2",
"purl" : "pkg:npm/follow-redirects@1.13.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "follow-redirects@1.13.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "216d9a98-0552-4433-b4e0-b082582b9e36",
"name" : "follow-redirects",
"version" : "1.6.0",
"purl" : "pkg:npm/follow-redirects@1.6.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "follow-redirects@1.6.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "4485e2f2-ea93-4efc-bdc1-419bc94d4822",
"name" : "glob-parent",
"version" : "3.1.0",
"purl" : "pkg:npm/glob-parent@3.1.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "glob-parent@3.1.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "915d578f-48aa-4117-baca-6205ed3a04fa",
"name" : "grpc",
"version" : "1.17.0",
"purl" : "pkg:npm/grpc@1.17.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "grpc@1.17.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "1153e29b-f8d8-45d8-be59-2df7af178c56",
"name" : "hawk",
"version" : "1.1.1",
"purl" : "pkg:npm/hawk@1.1.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "hawk@1.1.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "33cdd8a5-7055-4042-beb2-67dbf407f701",
"name" : "hawk",
"version" : "3.1.3",
"purl" : "pkg:npm/hawk@3.1.3",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "hawk@3.1.3"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "eb66b15b-e024-4432-aeef-5b8cfa608006",
"name" : "hoek",
"version" : "2.16.3",
"purl" : "pkg:npm/hoek@2.16.3",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "hoek@2.16.3"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "17ceabce-737c-41d9-9aef-502e00d88657",
"name" : "hoek",
"version" : "0.9.1",
"purl" : "pkg:npm/hoek@0.9.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "hoek@0.9.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "047864ee-b4d9-40c3-bd94-d8c9fd422c75",
"name" : "hosted-git-info",
"version" : "2.7.1",
"purl" : "pkg:npm/hosted-git-info@2.7.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "hosted-git-info@2.7.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "5e597ba0-c8b6-413f-afbb-ae3705d5d60d",
"name" : "hummus",
"version" : "1.0.98",
"purl" : "pkg:npm/hummus@1.0.98",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "hummus@1.0.98"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "c22d2641-4b77-41af-95e8-046a00d22e75",
"name" : "json-schema",
"version" : "0.2.3",
"purl" : "pkg:npm/json-schema@0.2.3",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "json-schema@0.2.3"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "22992d82-12c9-41ca-96a8-d1d8f6ef2f2d",
"name" : "jsonpointer",
"version" : "4.1.0",
"purl" : "pkg:npm/jsonpointer@4.1.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "jsonpointer@4.1.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "c9af1ba1-df0f-40f3-8c0a-26076671c9be",
"name" : "jsonwebtoken",
"version" : "8.5.1",
"purl" : "pkg:npm/jsonwebtoken@8.5.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "jsonwebtoken@8.5.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "3c945a7c-68ae-4502-a26f-9465f8ea6001",
"name" : "lodash",
"version" : "4.17.20",
"purl" : "pkg:npm/lodash@4.17.20",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "lodash@4.17.20"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "0a3a2e17-0e1a-4d3a-a4a5-c5291d4eb99a",
"name" : "lodash",
"version" : "4.17.15",
"purl" : "pkg:npm/lodash@4.17.15",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "lodash@4.17.15"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "31b1fbf8-9dc6-4b78-87d3-a6ed0060370a",
"name" : "lodash",
"version" : "3.10.1",
"purl" : "pkg:npm/lodash@3.10.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "lodash@3.10.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "f290afdf-abb9-4378-a2d1-474ff032c50f",
"name" : "log4js",
"version" : "0.6.38",
"purl" : "pkg:npm/log4js@0.6.38",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "log4js@0.6.38"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "5d84ed98-68f2-436f-9a7c-331f7e929718",
"name" : "mathjs",
"version" : "5.4.0",
"purl" : "pkg:npm/mathjs@5.4.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "mathjs@5.4.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "def0b242-ba3d-4dd9-832a-2ca0c707c390",
"name" : "micromatch",
"version" : "3.1.10",
"purl" : "pkg:npm/micromatch@3.1.10",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "micromatch@3.1.10"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "c92b2c3a-425b-4a16-b621-f5752cd4ec75",
"name" : "mime",
"version" : "1.2.11",
"purl" : "pkg:npm/mime@1.2.11",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "mime@1.2.11"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "6b99b5aa-d901-4b4d-b158-84dd42da9317",
"name" : "minimist",
"version" : "0.0.10",
"purl" : "pkg:npm/minimist@0.0.10",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "minimist@0.0.10"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "b1f354ba-a8db-4955-9706-8e85d88ff609",
"name" : "minimist",
"version" : "1.2.5",
"purl" : "pkg:npm/minimist@1.2.5",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "minimist@1.2.5"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "d37ac699-fd59-406a-ac27-1d98020c1dcf",
"name" : "minimist",
"version" : "1.2.0",
"purl" : "pkg:npm/minimist@1.2.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "minimist@1.2.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "41dea827-7c6b-457c-bbc2-5cf166e439cd",
"name" : "minimist",
"version" : "0.0.8",
"purl" : "pkg:npm/minimist@0.0.8",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "minimist@0.0.8"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "18381ecb-d696-49dd-9ed5-2cdfdd0be649",
"name" : "moment",
"version" : "2.23.0",
"purl" : "pkg:npm/moment@2.23.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "moment@2.23.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "75f6834d-0b5b-4901-8214-af9ac8840383",
"name" : "mongoose",
"version" : "5.13.21",
"purl" : "pkg:npm/mongoose@5.13.21",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "mongoose@5.13.21"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "7b12f4bf-8b57-41c1-acc1-0c644f909f42",
"name" : "mout",
"version" : "0.11.1",
"purl" : "pkg:npm/mout@0.11.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "mout@0.11.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "59f05901-82e5-42b4-8c5b-a0437c6bbd1c",
"name" : "mysql",
"version" : "2.16.0",
"purl" : "pkg:npm/mysql@2.16.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "mysql@2.16.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "b5ed2e7f-30cb-46f3-a4ca-d6d707751093",
"name" : "node-fetch",
"version" : "2.6.1",
"purl" : "pkg:npm/node-fetch@2.6.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "node-fetch@2.6.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "5041d1c9-a6d9-49e2-85dd-79b582c6633d",
"name" : "node-forge",
"version" : "0.7.6",
"purl" : "pkg:npm/node-forge@0.7.6",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "node-forge@0.7.6"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "bd6da500-aec5-483a-8630-f5cd5ce1fb8b",
"name" : "node-forge",
"version" : "0.10.0",
"purl" : "pkg:npm/node-forge@0.10.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "node-forge@0.10.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "920a5335-bef4-4686-a07d-718fc7d9de06",
"name" : "node-qpdf",
"version" : "1.0.3",
"purl" : "pkg:npm/node-qpdf@1.0.3",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "node-qpdf@1.0.3"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "8486dc60-6358-4bd1-8d01-21c1a2ec9f9f",
"name" : "nodemailer",
"version" : "4.6.8",
"purl" : "pkg:npm/nodemailer@4.6.8",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "nodemailer@4.6.8"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "5dc7b78e-d0ae-4d3d-a33e-3deef9dda63d",
"name" : "npm-bundled",
"version" : "1.0.6",
"purl" : "pkg:npm/npm-bundled@1.0.6",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "npm-bundled@1.0.6"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "c62c320c-b467-44e2-b206-400437a77412",
"name" : "npm-bundled",
"version" : "1.0.5",
"purl" : "pkg:npm/npm-bundled@1.0.5",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "npm-bundled@1.0.5"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "faa83360-d436-4ec7-96ab-acfbe6fd0ae7",
"name" : "npm-packlist",
"version" : "1.4.1",
"purl" : "pkg:npm/npm-packlist@1.4.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "npm-packlist@1.4.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "d66c0398-c266-4ed5-a185-ce94c8e5c9f7",
"name" : "npm-packlist",
"version" : "1.1.12",
"purl" : "pkg:npm/npm-packlist@1.1.12",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "npm-packlist@1.1.12"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "18fef13c-0bb9-4f1e-8ee2-3a51c2a2ed04",
"name" : "nth-check",
"version" : "1.0.2",
"purl" : "pkg:npm/nth-check@1.0.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "nth-check@1.0.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "2a903d51-a32c-4df2-8d7b-c66def5f9794",
"name" : "object-path",
"version" : "0.11.5",
"purl" : "pkg:npm/object-path@0.11.5",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "object-path@0.11.5"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "136a7477-31db-4708-adcb-3def6db29859",
"name" : "openpgp",
"version" : "4.10.10",
"purl" : "pkg:npm/openpgp@4.10.10",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "openpgp@4.10.10"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "d176f69d-0d09-4876-b997-f7396ac890f2",
"name" : "passport",
"version" : "0.5.0",
"purl" : "pkg:npm/passport@0.5.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "passport@0.5.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "ae8c1178-71f3-4880-85bb-a0d87120f48e",
"name" : "path-to-regexp",
"version" : "0.1.7",
"purl" : "pkg:npm/path-to-regexp@0.1.7",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "path-to-regexp@0.1.7"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "a6ca8567-d0d4-4285-9487-0cf8956d683f",
"name" : "qs",
"version" : "6.7.0",
"purl" : "pkg:npm/qs@6.7.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "qs@6.7.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "a4bd6afd-7b45-4297-86ac-63a267818456",
"name" : "qs",
"version" : "6.9.6",
"purl" : "pkg:npm/qs@6.9.6",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "qs@6.9.6"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "dfdceb87-fff4-449f-922c-c043b7242140",
"name" : "qs",
"version" : "6.5.2",
"purl" : "pkg:npm/qs@6.5.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "qs@6.5.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "fdee68e7-8c5a-41be-b27b-b45e376d66e6",
"name" : "qs",
"version" : "5.2.1",
"purl" : "pkg:npm/qs@5.2.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "qs@5.2.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "8ad28874-5a60-4421-b2ca-5a96fe028be7",
"name" : "qs",
"version" : "1.2.2",
"purl" : "pkg:npm/qs@1.2.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "qs@1.2.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "f7c6d07a-aeae-46ef-9f7f-0fa7c0622b0d",
"name" : "redis",
"version" : "2.8.0",
"purl" : "pkg:npm/redis@2.8.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "redis@2.8.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "38db9b17-508f-461e-b796-8480dee920b8",
"name" : "request",
"version" : "2.88.0",
"purl" : "pkg:npm/request@2.88.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "request@2.88.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "f1d102fb-2e4b-4df6-9b00-9a9a3f9b06ac",
"name" : "request",
"version" : "2.75.0",
"purl" : "pkg:npm/request@2.75.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "request@2.75.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "cb77213d-08af-4a5d-920f-e12417f24cc1",
"name" : "request",
"version" : "2.67.0",
"purl" : "pkg:npm/request@2.67.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "request@2.67.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "207e3655-90d6-4936-bf5f-81a88bda4f9c",
"name" : "semver",
"version" : "4.3.6",
"purl" : "pkg:npm/semver@4.3.6",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "semver@4.3.6"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "b41c5a63-2518-4613-9483-e3dcc34bf8cc",
"name" : "semver",
"version" : "4.3.2",
"purl" : "pkg:npm/semver@4.3.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "semver@4.3.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "2b4d9664-d3f2-4d71-8967-80b4fdfc8f2c",
"name" : "semver",
"version" : "5.7.0",
"purl" : "pkg:npm/semver@5.7.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "semver@5.7.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "53ee9da7-cd2b-48fa-8ef1-a29b7a51edcf",
"name" : "semver",
"version" : "5.6.0",
"purl" : "pkg:npm/semver@5.6.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "semver@5.6.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "36528fb7-2708-4ba6-953e-c1b475f35b20",
"name" : "semver",
"version" : "5.3.0",
"purl" : "pkg:npm/semver@5.3.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "semver@5.3.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "5bf47987-7e55-4924-a5dd-d77c272a3cd7",
"name" : "send",
"version" : "0.16.2",
"purl" : "pkg:npm/send@0.16.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "send@0.16.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "5126a05d-cbbf-4b48-96aa-8e093caf97d2",
"name" : "send",
"version" : "0.17.1",
"purl" : "pkg:npm/send@0.17.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "send@0.17.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "269c2ef7-825c-4be4-95ed-9bd83b18c86f",
"name" : "serve-static",
"version" : "1.14.1",
"purl" : "pkg:npm/serve-static@1.14.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "serve-static@1.14.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "80dfdb64-9bcd-46d3-94e8-37daa10746fe",
"name" : "serve-static",
"version" : "1.13.2",
"purl" : "pkg:npm/serve-static@1.13.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "serve-static@1.13.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "880fb3fa-a744-45df-b2c1-00cb6f72211f",
"name" : "sharp",
"version" : "0.23.4",
"purl" : "pkg:npm/sharp@0.23.4",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "sharp@0.23.4"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "09ac9539-9841-4d6d-a508-73b45881b027",
"name" : "shelljs",
"version" : "0.7.8",
"purl" : "pkg:npm/shelljs@0.7.8",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "shelljs@0.7.8"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "98c978ad-e3c5-4245-8821-2439c6367668",
"name" : "socket.io",
"version" : "2.2.0",
"purl" : "pkg:npm/socket.io@2.2.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "socket.io@2.2.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "037df6d3-7286-4a55-ba4d-524f3b6d4512",
"name" : "socket.io-parser",
"version" : "3.3.0",
"purl" : "pkg:npm/socket.io-parser@3.3.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "socket.io-parser@3.3.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "5d76ca9c-2c7f-4614-abc1-8c51bb3ae408",
"name" : "ssh2",
"version" : "0.6.1",
"purl" : "pkg:npm/ssh2@0.6.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "ssh2@0.6.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "f7814813-2e9e-4f6c-8326-338adbef15c7",
"name" : "swig",
"version" : "1.4.2",
"purl" : "pkg:npm/swig@1.4.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "swig@1.4.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "6aab9551-a356-4023-bcff-aab8cbe8e87b",
"name" : "tar",
"version" : "5.0.11",
"purl" : "pkg:npm/tar@5.0.11",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "tar@5.0.11"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "697f3f30-1e4c-40cb-9dae-ddc902bc3265",
"name" : "tar",
"version" : "4.4.8",
"purl" : "pkg:npm/tar@4.4.8",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "tar@4.4.8"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "884fd750-9b3c-4a31-b6ce-d44b0bbc400f",
"name" : "tar-fs",
"version" : "2.1.1",
"purl" : "pkg:npm/tar-fs@2.1.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "tar-fs@2.1.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "9a84b1d5-c33c-44ff-b698-15d37e6de628",
"name" : "tar-fs",
"version" : "1.16.3",
"purl" : "pkg:npm/tar-fs@1.16.3",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "tar-fs@1.16.3"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "3dcbd4cc-2660-4ba9-88c1-607ac9f38358",
"name" : "thenify",
"version" : "3.3.0",
"purl" : "pkg:npm/thenify@3.3.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "thenify@3.3.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "097d34e8-24f2-439b-9213-3262ccadfe7c",
"name" : "tough-cookie",
"version" : "2.2.2",
"purl" : "pkg:npm/tough-cookie@2.2.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "tough-cookie@2.2.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "5fc10ed3-fcc4-4df4-87a7-e08b959803e5",
"name" : "tough-cookie",
"version" : "2.3.4",
"purl" : "pkg:npm/tough-cookie@2.3.4",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "tough-cookie@2.3.4"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "9372f464-8134-43ec-b60e-5586e17ea3d2",
"name" : "tough-cookie",
"version" : "2.4.3",
"purl" : "pkg:npm/tough-cookie@2.4.3",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "tough-cookie@2.4.3"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "2ca14b92-17e8-4e2c-a23e-27a6bc1199b4",
"name" : "trim-newlines",
"version" : "1.0.0",
"purl" : "pkg:npm/trim-newlines@1.0.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "trim-newlines@1.0.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "824174bd-5b3e-4a04-90d9-5b30cfaa216a",
"name" : "uglify-js",
"version" : "2.4.24",
"purl" : "pkg:npm/uglify-js@2.4.24",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "uglify-js@2.4.24"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "47789ea2-4a8c-4c5a-a9cc-c03ad728f16f",
"name" : "underscore",
"version" : "1.9.1",
"purl" : "pkg:npm/underscore@1.9.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "underscore@1.9.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "4987d8da-15b6-4ec3-bb4b-1fda9f6af8a4",
"name" : "underscore",
"version" : "1.4.4",
"purl" : "pkg:npm/underscore@1.4.4",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "underscore@1.4.4"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "72f2d929-ad42-45a1-affa-afca91153ce8",
"name" : "url-parse",
"version" : "1.4.7",
"purl" : "pkg:npm/url-parse@1.4.7",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "url-parse@1.4.7"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "57e1e6b6-8a26-42cf-a083-2ebfdf84077e",
"name" : "useragent",
"version" : "2.3.0",
"purl" : "pkg:npm/useragent@2.3.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "useragent@2.3.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "b8a52534-2c3d-4c14-b36f-1889febb5035",
"name" : "ws",
"version" : "6.1.2",
"purl" : "pkg:npm/ws@6.1.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "ws@6.1.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "5cb9cc8a-8025-4f14-a30f-36ad119c47e4",
"name" : "ws",
"version" : "5.2.2",
"purl" : "pkg:npm/ws@5.2.2",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "ws@5.2.2"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "499877c3-1177-4d82-958a-9f88525e8301",
"name" : "xlsx",
"version" : "0.8.8",
"purl" : "pkg:npm/xlsx@0.8.8",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "xlsx@0.8.8"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "ddc3334b-383d-48f4-8ef5-c5c9d0b32f18",
"name" : "xlsx",
"version" : "0.14.3",
"purl" : "pkg:npm/xlsx@0.14.3",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "xlsx@0.14.3"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "c73d0e9a-304a-423d-81c9-d21b60bcb632",
"name" : "xml2js",
"version" : "0.4.19",
"purl" : "pkg:npm/xml2js@0.4.19",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "xml2js@0.4.19"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "db40e382-7903-4a4b-a064-593807b144ba",
"name" : "xmldom",
"version" : "0.3.0",
"purl" : "pkg:npm/xmldom@0.3.0",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "xmldom@0.3.0"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "b4c54966-788d-435f-b3cf-3c889d8ad20c",
"name" : "xmldom",
"version" : "0.1.31",
"purl" : "pkg:npm/xmldom@0.1.31",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "xmldom@0.1.31"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "566b7717-3790-49a2-9e82-8699e12771d1",
"name" : "xmlhttprequest-ssl",
"version" : "1.5.5",
"purl" : "pkg:npm/xmlhttprequest-ssl@1.5.5",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "xmlhttprequest-ssl@1.5.5"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "4d7b1364-fda8-4ae2-a857-8c1005a47f8d",
"name" : "y18n",
"version" : "3.2.1",
"purl" : "pkg:npm/y18n@3.2.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "y18n@3.2.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
},
{
"type" : "library",
"bom-ref" : "73cddb53-1340-4eb4-9f46-b73dd49256d9",
"name" : "yargs-parser",
"version" : "11.1.1",
"purl" : "pkg:npm/yargs-parser@11.1.1",
"properties" : [
{
"name" : "aquasecurity:trivy:PkgID",
"value" : "yargs-parser@11.1.1"
},
{
"name" : "aquasecurity:trivy:PkgType",
"value" : "npm"
}
]
}
],
"dependencies" : [
{
"ref" : "1e609ca8-d057-4b9f-9444-8b05338d2630",
"dependsOn" : [ ]
},
{
"ref" : "d63dd4c3-8e88-424e-92df-df43de60da9d",
"dependsOn" : [ ]
},
{
"ref" : "9ff407ea-7c4f-4999-97fa-d196ad26b16a",
"dependsOn" : [
"3c945a7c-68ae-4502-a26f-9465f8ea6001"
]
},
{
"ref" : "a4a74a4a-7ff3-4ec0-b449-0c1953950b14",
"dependsOn" : [ ]
},
{
"ref" : "35f50dfa-02fa-4bac-a09b-df329dc5131b",
"dependsOn" : [ ]
},
{
"ref" : "3312e655-f692-4114-8ca4-5a7a5264e8f8",
"dependsOn" : [ ]
},
{
"ref" : "62ab7c97-9e2c-4b12-8d98-2bde43627186",
"dependsOn" : [ ]
},
{
"ref" : "bf9977a0-8e7b-46d8-afb5-64022026f5d9",
"dependsOn" : [
"3c945a7c-68ae-4502-a26f-9465f8ea6001"
]
},
{
"ref" : "01b41eab-13c4-4f1c-9358-9b9449778b91",
"dependsOn" : [
"3c945a7c-68ae-4502-a26f-9465f8ea6001"
]
},
{
"ref" : "e93b9b00-289f-43f0-84e0-70707ede82c5",
"dependsOn" : [
"3c945a7c-68ae-4502-a26f-9465f8ea6001"
]
},
{
"ref" : "3639fbbf-c0c2-41fd-a18c-3c23641689eb",
"dependsOn" : [
"c73d0e9a-304a-423d-81c9-d21b60bcb632"
]
},
{
"ref" : "f7baeba9-2f33-422f-97fe-d2c4c57fefa4",
"dependsOn" : [
"216d9a98-0552-4433-b4e0-b082582b9e36"
]
},
{
"ref" : "b348190c-7219-4032-bb4f-a7f81f5c8f83",
"dependsOn" : [
"8e9e4d99-1ad3-4846-8393-bf2cba3be27a"
]
},
{
"ref" : "990a45d3-28b9-46bd-a21c-d40ee732d554",
"dependsOn" : [ ]
},
{
"ref" : "6a8c0a4b-4670-44a8-989c-462681967fc8",
"dependsOn" : [ ]
},
{
"ref" : "85ba9331-70b9-4a3b-9c14-fcc20c4623c6",
"dependsOn" : [ ]
},
{
"ref" : "703da775-aa28-4d02-a68d-51814ec5759b",
"dependsOn" : [ ]
},
{
"ref" : "98d3b6dc-0939-4142-b273-f473cd8598f8",
"dependsOn" : [
"a6ca8567-d0d4-4285-9487-0cf8956d683f"
]
},
{
"ref" : "9586c461-43ec-4490-a81d-0dddbb7c7499",
"dependsOn" : [
"dfdceb87-fff4-449f-922c-c043b7242140"
]
},
{
"ref" : "8a9283a4-5f05-4547-8407-ef17659677b4",
"dependsOn" : [ ]
},
{
"ref" : "5984a3ae-27b4-40bc-9005-f9dc230ea2f4",
"dependsOn" : [
"d2e6aafe-6a00-4754-951d-fe31888ceae3"
]
},
{
"ref" : "5547b27c-23dd-46c0-ad6b-53d1fd31cf2f",
"dependsOn" : [
"2c38df3c-c0c2-4e77-b79f-b2385862c1b9"
]
},
{
"ref" : "62582135-144f-444f-88f1-1c4fdaa3a0fd",
"dependsOn" : [ ]
},
{
"ref" : "c00b8bc1-9790-42dc-9008-2acb707e4131",
"dependsOn" : [ ]
},
{
"ref" : "17344285-4458-42a8-9729-9a566a370ef9",
"dependsOn" : [
"53ee9da7-cd2b-48fa-8ef1-a29b7a51edcf"
]
},
{
"ref" : "e2533426-9158-4d1c-9d4a-4012f8a86dbc",
"dependsOn" : [ ]
},
{
"ref" : "ebbb889b-149e-4ce5-ab65-f6f418698655",
"dependsOn" : [ ]
},
{
"ref" : "8bfdd074-7fdd-4e0c-84c7-dc3f361e5311",
"dependsOn" : [ ]
},
{
"ref" : "d2e6aafe-6a00-4754-951d-fe31888ceae3",
"dependsOn" : [ ]
},
{
"ref" : "2c38df3c-c0c2-4e77-b79f-b2385862c1b9",
"dependsOn" : [ ]
},
{
"ref" : "f5e9b1be-2e32-4704-ace7-4492008009a8",
"dependsOn" : [ ]
},
{
"ref" : "c89ebebb-8df0-4151-be02-3de585e1634b",
"dependsOn" : [
"b8a52534-2c3d-4c14-b36f-1889febb5035",
"c00b8bc1-9790-42dc-9008-2acb707e4131"
]
},
{
"ref" : "7ff6cea8-e853-4bfe-afca-48048a31e065",
"dependsOn" : [
"5bf47987-7e55-4924-a5dd-d77c272a3cd7",
"80dfdb64-9bcd-46d3-94e8-37daa10746fe",
"9586c461-43ec-4490-a81d-0dddbb7c7499",
"c00b8bc1-9790-42dc-9008-2acb707e4131",
"ae8c1178-71f3-4880-85bb-a0d87120f48e",
"dfdceb87-fff4-449f-922c-c043b7242140"
]
},
{
"ref" : "f1e709d5-1536-4ab0-bdc4-9e241da81f6d",
"dependsOn" : [
"5126a05d-cbbf-4b48-96aa-8e093caf97d2",
"269c2ef7-825c-4be4-95ed-9bd83b18c86f",
"98d3b6dc-0939-4142-b273-f473cd8598f8",
"62582135-144f-444f-88f1-1c4fdaa3a0fd",
"ae8c1178-71f3-4880-85bb-a0d87120f48e",
"a6ca8567-d0d4-4285-9487-0cf8956d683f"
]
},
{
"ref" : "468c7e25-dc57-4054-90fa-b82a40265a80",
"dependsOn" : [ ]
},
{
"ref" : "721d52fd-7d66-441f-a6c2-5e07d72a899d",
"dependsOn" : [ ]
},
{
"ref" : "8e9e4d99-1ad3-4846-8393-bf2cba3be27a",
"dependsOn" : [ ]
},
{
"ref" : "69f8a4f3-47ce-4f91-86bc-0fc9899bf2d1",
"dependsOn" : [ ]
},
{
"ref" : "216d9a98-0552-4433-b4e0-b082582b9e36",
"dependsOn" : [ ]
},
{
"ref" : "4485e2f2-ea93-4efc-bdc1-419bc94d4822",
"dependsOn" : [ ]
},
{
"ref" : "915d578f-48aa-4117-baca-6205ed3a04fa",
"dependsOn" : [ ]
},
{
"ref" : "1153e29b-f8d8-45d8-be59-2df7af178c56",
"dependsOn" : [
"17ceabce-737c-41d9-9aef-502e00d88657"
]
},
{
"ref" : "33cdd8a5-7055-4042-beb2-67dbf407f701",
"dependsOn" : [
"eb66b15b-e024-4432-aeef-5b8cfa608006"
]
},
{
"ref" : "eb66b15b-e024-4432-aeef-5b8cfa608006",
"dependsOn" : [ ]
},
{
"ref" : "17ceabce-737c-41d9-9aef-502e00d88657",
"dependsOn" : [ ]
},
{
"ref" : "047864ee-b4d9-40c3-bd94-d8c9fd422c75",
"dependsOn" : [ ]
},
{
"ref" : "5e597ba0-c8b6-413f-afbb-ae3705d5d60d",
"dependsOn" : [ ]
},
{
"ref" : "c22d2641-4b77-41af-95e8-046a00d22e75",
"dependsOn" : [ ]
},
{
"ref" : "22992d82-12c9-41ca-96a8-d1d8f6ef2f2d",
"dependsOn" : [ ]
},
{
"ref" : "c9af1ba1-df0f-40f3-8c0a-26076671c9be",
"dependsOn" : [
"53ee9da7-cd2b-48fa-8ef1-a29b7a51edcf"
]
},
{
"ref" : "3c945a7c-68ae-4502-a26f-9465f8ea6001",
"dependsOn" : [ ]
},
{
"ref" : "0a3a2e17-0e1a-4d3a-a4a5-c5291d4eb99a",
"dependsOn" : [ ]
},
{
"ref" : "31b1fbf8-9dc6-4b78-87d3-a6ed0060370a",
"dependsOn" : [ ]
},
{
"ref" : "f290afdf-abb9-4378-a2d1-474ff032c50f",
"dependsOn" : [
"207e3655-90d6-4936-bf5f-81a88bda4f9c"
]
},
{
"ref" : "5d84ed98-68f2-436f-9a7c-331f7e929718",
"dependsOn" : [ ]
},
{
"ref" : "def0b242-ba3d-4dd9-832a-2ca0c707c390",
"dependsOn" : [
"8a9283a4-5f05-4547-8407-ef17659677b4"
]
},
{
"ref" : "c92b2c3a-425b-4a16-b621-f5752cd4ec75",
"dependsOn" : [ ]
},
{
"ref" : "6b99b5aa-d901-4b4d-b158-84dd42da9317",
"dependsOn" : [ ]
},
{
"ref" : "b1f354ba-a8db-4955-9706-8e85d88ff609",
"dependsOn" : [ ]
},
{
"ref" : "d37ac699-fd59-406a-ac27-1d98020c1dcf",
"dependsOn" : [ ]
},
{
"ref" : "41dea827-7c6b-457c-bbc2-5cf166e439cd",
"dependsOn" : [ ]
},
{
"ref" : "18381ecb-d696-49dd-9ed5-2cdfdd0be649",
"dependsOn" : [ ]
},
{
"ref" : "75f6834d-0b5b-4901-8214-af9ac8840383",
"dependsOn" : [ ]
},
{
"ref" : "7b12f4bf-8b57-41c1-acc1-0c644f909f42",
"dependsOn" : [ ]
},
{
"ref" : "59f05901-82e5-42b4-8c5b-a0437c6bbd1c",
"dependsOn" : [ ]
},
{
"ref" : "b5ed2e7f-30cb-46f3-a4ca-d6d707751093",
"dependsOn" : [ ]
},
{
"ref" : "5041d1c9-a6d9-49e2-85dd-79b582c6633d",
"dependsOn" : [ ]
},
{
"ref" : "bd6da500-aec5-483a-8630-f5cd5ce1fb8b",
"dependsOn" : [ ]
},
{
"ref" : "920a5335-bef4-4686-a07d-718fc7d9de06",
"dependsOn" : [ ]
},
{
"ref" : "8486dc60-6358-4bd1-8d01-21c1a2ec9f9f",
"dependsOn" : [ ]
},
{
"ref" : "5dc7b78e-d0ae-4d3d-a33e-3deef9dda63d",
"dependsOn" : [ ]
},
{
"ref" : "c62c320c-b467-44e2-b206-400437a77412",
"dependsOn" : [ ]
},
{
"ref" : "faa83360-d436-4ec7-96ab-acfbe6fd0ae7",
"dependsOn" : [
"5dc7b78e-d0ae-4d3d-a33e-3deef9dda63d"
]
},
{
"ref" : "d66c0398-c266-4ed5-a185-ce94c8e5c9f7",
"dependsOn" : [
"c62c320c-b467-44e2-b206-400437a77412"
]
},
{
"ref" : "18fef13c-0bb9-4f1e-8ee2-3a51c2a2ed04",
"dependsOn" : [ ]
},
{
"ref" : "2a903d51-a32c-4df2-8d7b-c66def5f9794",
"dependsOn" : [ ]
},
{
"ref" : "136a7477-31db-4708-adcb-3def6db29859",
"dependsOn" : [
"b5ed2e7f-30cb-46f3-a4ca-d6d707751093"
]
},
{
"ref" : "d176f69d-0d09-4876-b997-f7396ac890f2",
"dependsOn" : [ ]
},
{
"ref" : "ae8c1178-71f3-4880-85bb-a0d87120f48e",
"dependsOn" : [ ]
},
{
"ref" : "a6ca8567-d0d4-4285-9487-0cf8956d683f",
"dependsOn" : [ ]
},
{
"ref" : "a4bd6afd-7b45-4297-86ac-63a267818456",
"dependsOn" : [ ]
},
{
"ref" : "dfdceb87-fff4-449f-922c-c043b7242140",
"dependsOn" : [ ]
},
{
"ref" : "fdee68e7-8c5a-41be-b27b-b45e376d66e6",
"dependsOn" : [ ]
},
{
"ref" : "8ad28874-5a60-4421-b2ca-5a96fe028be7",
"dependsOn" : [ ]
},
{
"ref" : "f7c6d07a-aeae-46ef-9f7f-0fa7c0622b0d",
"dependsOn" : [ ]
},
{
"ref" : "38db9b17-508f-461e-b796-8480dee920b8",
"dependsOn" : [
"9372f464-8134-43ec-b60e-5586e17ea3d2",
"dfdceb87-fff4-449f-922c-c043b7242140"
]
},
{
"ref" : "f1d102fb-2e4b-4df6-9b00-9a9a3f9b06ac",
"dependsOn" : [
"33cdd8a5-7055-4042-beb2-67dbf407f701",
"703da775-aa28-4d02-a68d-51814ec5759b",
"5fc10ed3-fcc4-4df4-87a7-e08b959803e5"
]
},
{
"ref" : "cb77213d-08af-4a5d-920f-e12417f24cc1",
"dependsOn" : [
"fdee68e7-8c5a-41be-b27b-b45e376d66e6",
"33cdd8a5-7055-4042-beb2-67dbf407f701",
"6a8c0a4b-4670-44a8-989c-462681967fc8",
"097d34e8-24f2-439b-9213-3262ccadfe7c"
]
},
{
"ref" : "207e3655-90d6-4936-bf5f-81a88bda4f9c",
"dependsOn" : [ ]
},
{
"ref" : "b41c5a63-2518-4613-9483-e3dcc34bf8cc",
"dependsOn" : [ ]
},
{
"ref" : "2b4d9664-d3f2-4d71-8967-80b4fdfc8f2c",
"dependsOn" : [ ]
},
{
"ref" : "53ee9da7-cd2b-48fa-8ef1-a29b7a51edcf",
"dependsOn" : [ ]
},
{
"ref" : "36528fb7-2708-4ba6-953e-c1b475f35b20",
"dependsOn" : [ ]
},
{
"ref" : "5bf47987-7e55-4924-a5dd-d77c272a3cd7",
"dependsOn" : [ ]
},
{
"ref" : "5126a05d-cbbf-4b48-96aa-8e093caf97d2",
"dependsOn" : [ ]
},
{
"ref" : "269c2ef7-825c-4be4-95ed-9bd83b18c86f",
"dependsOn" : [
"5126a05d-cbbf-4b48-96aa-8e093caf97d2"
]
},
{
"ref" : "80dfdb64-9bcd-46d3-94e8-37daa10746fe",
"dependsOn" : [
"5bf47987-7e55-4924-a5dd-d77c272a3cd7"
]
},
{
"ref" : "880fb3fa-a744-45df-b2c1-00cb6f72211f",
"dependsOn" : [
"6aab9551-a356-4023-bcff-aab8cbe8e87b"
]
},
{
"ref" : "09ac9539-9841-4d6d-a508-73b45881b027",
"dependsOn" : [ ]
},
{
"ref" : "98c978ad-e3c5-4245-8821-2439c6367668",
"dependsOn" : [
"c89ebebb-8df0-4151-be02-3de585e1634b",
"037df6d3-7286-4a55-ba4d-524f3b6d4512"
]
},
{
"ref" : "037df6d3-7286-4a55-ba4d-524f3b6d4512",
"dependsOn" : [ ]
},
{
"ref" : "5d76ca9c-2c7f-4614-abc1-8c51bb3ae408",
"dependsOn" : [ ]
},
{
"ref" : "f7814813-2e9e-4f6c-8326-338adbef15c7",
"dependsOn" : [
"824174bd-5b3e-4a04-90d9-5b30cfaa216a"
]
},
{
"ref" : "6aab9551-a356-4023-bcff-aab8cbe8e87b",
"dependsOn" : [ ]
},
{
"ref" : "697f3f30-1e4c-40cb-9dae-ddc902bc3265",
"dependsOn" : [ ]
},
{
"ref" : "884fd750-9b3c-4a31-b6ce-d44b0bbc400f",
"dependsOn" : [ ]
},
{
"ref" : "9a84b1d5-c33c-44ff-b698-15d37e6de628",
"dependsOn" : [ ]
},
{
"ref" : "3dcbd4cc-2660-4ba9-88c1-607ac9f38358",
"dependsOn" : [ ]
},
{
"ref" : "097d34e8-24f2-439b-9213-3262ccadfe7c",
"dependsOn" : [ ]
},
{
"ref" : "5fc10ed3-fcc4-4df4-87a7-e08b959803e5",
"dependsOn" : [ ]
},
{
"ref" : "9372f464-8134-43ec-b60e-5586e17ea3d2",
"dependsOn" : [ ]
},
{
"ref" : "2ca14b92-17e8-4e2c-a23e-27a6bc1199b4",
"dependsOn" : [ ]
},
{
"ref" : "824174bd-5b3e-4a04-90d9-5b30cfaa216a",
"dependsOn" : [ ]
},
{
"ref" : "47789ea2-4a8c-4c5a-a9cc-c03ad728f16f",
"dependsOn" : [ ]
},
{
"ref" : "4987d8da-15b6-4ec3-bb4b-1fda9f6af8a4",
"dependsOn" : [ ]
},
{
"ref" : "72f2d929-ad42-45a1-affa-afca91153ce8",
"dependsOn" : [ ]
},
{
"ref" : "57e1e6b6-8a26-42cf-a083-2ebfdf84077e",
"dependsOn" : [ ]
},
{
"ref" : "b8a52534-2c3d-4c14-b36f-1889febb5035",
"dependsOn" : [ ]
},
{
"ref" : "5cb9cc8a-8025-4f14-a30f-36ad119c47e4",
"dependsOn" : [ ]
},
{
"ref" : "499877c3-1177-4d82-958a-9f88525e8301",
"dependsOn" : [ ]
},
{
"ref" : "ddc3334b-383d-48f4-8ef5-c5c9d0b32f18",
"dependsOn" : [ ]
},
{
"ref" : "c73d0e9a-304a-423d-81c9-d21b60bcb632",
"dependsOn" : [ ]
},
{
"ref" : "db40e382-7903-4a4b-a064-593807b144ba",
"dependsOn" : [ ]
},
{
"ref" : "b4c54966-788d-435f-b3cf-3c889d8ad20c",
"dependsOn" : [ ]
},
{
"ref" : "566b7717-3790-49a2-9e82-8699e12771d1",
"dependsOn" : [ ]
},
{
"ref" : "4d7b1364-fda8-4ae2-a857-8c1005a47f8d",
"dependsOn" : [ ]
},
{
"ref" : "73cddb53-1340-4eb4-9f46-b73dd49256d9",
"dependsOn" : [ ]
}
],
"vulnerabilities" : [
{
"bom-ref" : "d76550cf-cbad-404d-a2dd-211d0280ccb7",
"id" : "CVE-2023-26159",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.1,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"cwes" : [
601
],
"description" : "Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.",
"published" : "2024-01-02T05:15:00Z",
"updated" : "2024-11-21T07:50:00Z",
"affects" : [
{
"ref" : "69f8a4f3-47ce-4f91-86bc-0fc9899bf2d1"
}
]
},
{
"bom-ref" : "42b16e9c-680e-4555-a803-2c4d5664115a",
"id" : "CVE-2024-28849",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
"published" : "2024-03-14T17:15:00Z",
"updated" : "2024-11-21T09:07:00Z",
"affects" : [
{
"ref" : "69f8a4f3-47ce-4f91-86bc-0fc9899bf2d1"
}
]
},
{
"bom-ref" : "0415a87a-0e22-4873-8073-6505e80866f3",
"id" : "CVE-2022-0155",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:N/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
}
],
"description" : "follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor",
"published" : "2022-01-10T20:15:00Z",
"updated" : "2024-11-21T06:38:00Z",
"affects" : [
{
"ref" : "8e9e4d99-1ad3-4846-8393-bf2cba3be27a"
}
]
},
{
"bom-ref" : "56b11ae7-fc1a-4bd1-af82-50a43fbe5649",
"id" : "CVE-2022-0536",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:N/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.9,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"description" : "Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.",
"published" : "2022-02-09T11:15:00Z",
"updated" : "2024-11-21T06:38:00Z",
"affects" : [
{
"ref" : "8e9e4d99-1ad3-4846-8393-bf2cba3be27a"
}
]
},
{
"bom-ref" : "d76550cf-cbad-404d-a2dd-211d0280ccb7",
"id" : "CVE-2023-26159",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.1,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"cwes" : [
601
],
"description" : "Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.",
"published" : "2024-01-02T05:15:00Z",
"updated" : "2024-11-21T07:50:00Z",
"affects" : [
{
"ref" : "8e9e4d99-1ad3-4846-8393-bf2cba3be27a"
}
]
},
{
"bom-ref" : "42b16e9c-680e-4555-a803-2c4d5664115a",
"id" : "CVE-2024-28849",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
"published" : "2024-03-14T17:15:00Z",
"updated" : "2024-11-21T09:07:00Z",
"affects" : [
{
"ref" : "8e9e4d99-1ad3-4846-8393-bf2cba3be27a"
}
]
},
{
"bom-ref" : "7223793c-5ea5-456c-a7f5-663ab72e82b3",
"id" : "CVE-2018-3728",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:S/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 8.8,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
471
],
"description" : "hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.",
"published" : "2018-03-30T19:29:00Z",
"updated" : "2024-11-21T04:05:00Z",
"affects" : [
{
"ref" : "17ceabce-737c-41d9-9aef-502e00d88657"
}
]
},
{
"bom-ref" : "7223793c-5ea5-456c-a7f5-663ab72e82b3",
"id" : "CVE-2018-3728",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:S/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 8.8,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
471
],
"description" : "hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.",
"published" : "2018-03-30T19:29:00Z",
"updated" : "2024-11-21T04:05:00Z",
"affects" : [
{
"ref" : "eb66b15b-e024-4432-aeef-5b8cfa608006"
}
]
},
{
"bom-ref" : "4fa19ce8-d69b-4048-84b3-0ba7cf8ef8c4",
"id" : "CVE-2021-23362",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"cwes" : [
1333
],
"description" : "The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.",
"published" : "2021-03-23T17:15:00Z",
"updated" : "2024-11-21T05:51:00Z",
"affects" : [
{
"ref" : "047864ee-b4d9-40c3-bd94-d8c9fd422c75"
}
]
},
{
"bom-ref" : "6ff1ee65-d6cd-46b1-bdae-33b584a1be39",
"id" : "CVE-2021-3918",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
1321
],
"description" : "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')",
"published" : "2021-11-13T09:15:00Z",
"updated" : "2025-01-17T20:15:00Z",
"affects" : [
{
"ref" : "c22d2641-4b77-41af-95e8-046a00d22e75"
}
]
},
{
"bom-ref" : "1793f36f-a5c5-42be-a2f7-27b25b622c99",
"id" : "CVE-2018-1002204",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
}
],
"cwes" : [
22
],
"description" : "adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.",
"published" : "2018-07-25T17:29:00Z",
"updated" : "2024-11-21T03:40:00Z",
"affects" : [
{
"ref" : "a4a74a4a-7ff3-4ec0-b449-0c1953950b14"
}
]
},
{
"bom-ref" : "83a102f8-cde5-4b77-9765-d063140fb254",
"id" : "CVE-2021-3807",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.8,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:C)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1333
],
"description" : "ansi-regex is vulnerable to Inefficient Regular Expression Complexity",
"published" : "2021-09-17T07:15:00Z",
"updated" : "2024-11-21T06:22:00Z",
"affects" : [
{
"ref" : "3312e655-f692-4114-8ca4-5a7a5264e8f8"
}
]
},
{
"bom-ref" : "fe7eb43c-815f-47fc-9760-46154d4735ee",
"id" : "CVE-2021-43138",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.8,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.8,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
1321
],
"description" : "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.",
"published" : "2022-04-06T17:15:00Z",
"updated" : "2024-11-21T06:28:00Z",
"affects" : [
{
"ref" : "62ab7c97-9e2c-4b12-8d98-2bde43627186"
}
]
},
{
"bom-ref" : "15021485-3fde-4f44-abad-711f66be91b5",
"id" : "CVE-2024-39249",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: regular expressions are not used with untrusted input.",
"published" : "2024-07-01T20:15:00Z",
"updated" : "2024-11-21T09:27:00Z",
"affects" : [
{
"ref" : "62ab7c97-9e2c-4b12-8d98-2bde43627186"
}
]
},
{
"bom-ref" : "fb23cddf-7824-450a-a008-d8cb55ac5aa4",
"id" : "CVE-2024-47764",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.",
"published" : "2024-10-04T20:15:00Z",
"updated" : "2024-10-07T17:48:00Z",
"affects" : [
{
"ref" : "c00b8bc1-9790-42dc-9008-2acb707e4131"
}
]
},
{
"bom-ref" : "fb23cddf-7824-450a-a008-d8cb55ac5aa4",
"id" : "CVE-2024-47764",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.",
"published" : "2024-10-04T20:15:00Z",
"updated" : "2024-10-07T17:48:00Z",
"affects" : [
{
"ref" : "62582135-144f-444f-88f1-1c4fdaa3a0fd"
}
]
},
{
"bom-ref" : "d837ea41-4824-40b3-974a-e887518c2ae6",
"id" : "CVE-2023-46233",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.1,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
}
],
"cwes" : [
327
],
"description" : "crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.",
"published" : "2023-10-25T21:15:00Z",
"updated" : "2024-11-21T08:28:00Z",
"affects" : [
{
"ref" : "e2533426-9158-4d1c-9d4a-4012f8a86dbc"
}
]
},
{
"bom-ref" : "cab77fde-d0e0-4c97-91ee-869d9600674c",
"id" : "CVE-2020-36732",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"cwes" : [
330
],
"description" : "The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string \"0.\" with an integer, which makes the output more predictable than necessary.",
"published" : "2023-06-12T02:15:00Z",
"updated" : "2025-01-06T18:15:00Z",
"affects" : [
{
"ref" : "e2533426-9158-4d1c-9d4a-4012f8a86dbc"
}
]
},
{
"bom-ref" : "1846daaf-3130-423b-8f37-f00f35bbacfd",
"id" : "CVE-2022-21222",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1333
],
"description" : "The package css-what before 2.1.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.",
"published" : "2022-09-30T05:15:00Z",
"updated" : "2024-11-21T06:44:00Z",
"affects" : [
{
"ref" : "ebbb889b-149e-4ce5-ab65-f6f418698655"
}
]
},
{
"bom-ref" : "735d11d9-4046-415d-8c9e-150df3ed2f6a",
"id" : "CVE-2022-38900",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
20
],
"description" : "decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.",
"published" : "2022-11-28T13:15:00Z",
"updated" : "2024-11-21T07:17:00Z",
"affects" : [
{
"ref" : "8bfdd074-7fdd-4e0c-84c7-dc3f361e5311"
}
]
},
{
"bom-ref" : "031583a6-1fe9-423d-9305-efeeca353172",
"id" : "CVE-2022-29078",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
94
],
"description" : "The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).",
"published" : "2022-04-25T15:15:00Z",
"updated" : "2024-11-21T06:58:00Z",
"affects" : [
{
"ref" : "f5e9b1be-2e32-4704-ace7-4492008009a8"
}
]
},
{
"bom-ref" : "c761706d-7ef5-43c5-97cb-13564dcd44a0",
"id" : "CVE-2024-33883",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.",
"published" : "2024-04-28T16:15:00Z",
"updated" : "2024-11-21T09:17:00Z",
"affects" : [
{
"ref" : "f5e9b1be-2e32-4704-ace7-4492008009a8"
}
]
},
{
"bom-ref" : "0415a87a-0e22-4873-8073-6505e80866f3",
"id" : "CVE-2022-0155",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:N/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
}
],
"description" : "follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor",
"published" : "2022-01-10T20:15:00Z",
"updated" : "2024-11-21T06:38:00Z",
"affects" : [
{
"ref" : "69f8a4f3-47ce-4f91-86bc-0fc9899bf2d1"
}
]
},
{
"bom-ref" : "56b11ae7-fc1a-4bd1-af82-50a43fbe5649",
"id" : "CVE-2022-0536",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:N/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.9,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"description" : "Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.",
"published" : "2022-02-09T11:15:00Z",
"updated" : "2024-11-21T06:38:00Z",
"affects" : [
{
"ref" : "69f8a4f3-47ce-4f91-86bc-0fc9899bf2d1"
}
]
},
{
"bom-ref" : "cf66f81d-3129-472d-8a21-43a61c1b74a1",
"id" : "CVE-2021-23807",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
843
],
"description" : "This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.",
"published" : "2021-11-03T18:15:00Z",
"updated" : "2025-03-05T16:24:00Z",
"affects" : [
{
"ref" : "22992d82-12c9-41ca-96a8-d1d8f6ef2f2d"
}
]
},
{
"bom-ref" : "ee7e6e2a-dd48-4cff-8f3c-522167df6bbd",
"id" : "CVE-2020-28500",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"description" : "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.",
"published" : "2021-02-15T11:15:00Z",
"updated" : "2024-11-21T05:22:00Z",
"affects" : [
{
"ref" : "0a3a2e17-0e1a-4d3a-a4a5-c5291d4eb99a"
}
]
},
{
"bom-ref" : "85f4753e-6d8a-40dc-9a5c-5b9cadef447f",
"id" : "CVE-2021-23337",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:S/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.2,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
94
],
"description" : "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",
"published" : "2021-02-15T13:15:00Z",
"updated" : "2024-11-21T05:51:00Z",
"affects" : [
{
"ref" : "0a3a2e17-0e1a-4d3a-a4a5-c5291d4eb99a"
}
]
},
{
"bom-ref" : "2807b1d0-d4a2-460e-8be5-8918f335d49f",
"id" : "CVE-2020-8203",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.8,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:N/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.4,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"
}
],
"cwes" : [
1321
],
"description" : "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.",
"published" : "2020-07-15T17:15:00Z",
"updated" : "2024-11-21T05:38:00Z",
"affects" : [
{
"ref" : "0a3a2e17-0e1a-4d3a-a4a5-c5291d4eb99a"
}
]
},
{
"bom-ref" : "ee7e6e2a-dd48-4cff-8f3c-522167df6bbd",
"id" : "CVE-2020-28500",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"description" : "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.",
"published" : "2021-02-15T11:15:00Z",
"updated" : "2024-11-21T05:22:00Z",
"affects" : [
{
"ref" : "3c945a7c-68ae-4502-a26f-9465f8ea6001"
}
]
},
{
"bom-ref" : "85f4753e-6d8a-40dc-9a5c-5b9cadef447f",
"id" : "CVE-2021-23337",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:S/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.2,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
94
],
"description" : "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",
"published" : "2021-02-15T13:15:00Z",
"updated" : "2024-11-21T05:51:00Z",
"affects" : [
{
"ref" : "3c945a7c-68ae-4502-a26f-9465f8ea6001"
}
]
},
{
"bom-ref" : "825e172a-359e-48ba-8e75-636343072ea2",
"id" : "CVE-2017-16138",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
400
],
"description" : "The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.",
"published" : "2018-06-07T02:29:00Z",
"updated" : "2024-11-21T03:15:00Z",
"affects" : [
{
"ref" : "c92b2c3a-425b-4a16-b621-f5752cd4ec75"
}
]
},
{
"bom-ref" : "2b595a33-5616-48b9-8ee9-b6791f2d346b",
"id" : "CVE-2020-7598",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.8,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.6,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
}
],
"cwes" : [
1321
],
"description" : "minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a \"constructor\" or \"__proto__\" payload.",
"published" : "2020-03-11T23:15:00Z",
"updated" : "2024-11-21T05:37:00Z",
"affects" : [
{
"ref" : "6b99b5aa-d901-4b4d-b158-84dd42da9317"
}
]
},
{
"bom-ref" : "2b595a33-5616-48b9-8ee9-b6791f2d346b",
"id" : "CVE-2020-7598",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.8,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.6,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
}
],
"cwes" : [
1321
],
"description" : "minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a \"constructor\" or \"__proto__\" payload.",
"published" : "2020-03-11T23:15:00Z",
"updated" : "2024-11-21T05:37:00Z",
"affects" : [
{
"ref" : "41dea827-7c6b-457c-bbc2-5cf166e439cd"
}
]
},
{
"bom-ref" : "2b595a33-5616-48b9-8ee9-b6791f2d346b",
"id" : "CVE-2020-7598",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.8,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.6,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
}
],
"cwes" : [
1321
],
"description" : "minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a \"constructor\" or \"__proto__\" payload.",
"published" : "2020-03-11T23:15:00Z",
"updated" : "2024-11-21T05:37:00Z",
"affects" : [
{
"ref" : "d37ac699-fd59-406a-ac27-1d98020c1dcf"
}
]
},
{
"bom-ref" : "b2fabce2-5545-4eeb-9ee6-19802fa7f663",
"id" : "CVE-2021-44906",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
1321
],
"description" : "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).",
"published" : "2022-03-17T16:15:00Z",
"updated" : "2024-11-21T06:31:00Z",
"affects" : [
{
"ref" : "b1f354ba-a8db-4955-9706-8e85d88ff609"
}
]
},
{
"bom-ref" : "21840f5e-fc26-4c2b-beef-7f15f685b939",
"id" : "CVE-2022-24785",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"description" : "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.",
"published" : "2022-04-04T17:15:00Z",
"updated" : "2024-11-21T06:51:00Z",
"affects" : [
{
"ref" : "18381ecb-d696-49dd-9ed5-2cdfdd0be649"
}
]
},
{
"bom-ref" : "7ee18d02-0693-4090-9465-198fc632bf5a",
"id" : "CVE-2022-31129",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1333
],
"description" : "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.",
"published" : "2022-07-06T18:15:00Z",
"updated" : "2024-11-21T07:03:00Z",
"affects" : [
{
"ref" : "18381ecb-d696-49dd-9ed5-2cdfdd0be649"
}
]
},
{
"bom-ref" : "4b7df158-acdb-43f0-adc1-2b18f8b94fe0",
"id" : "CVE-2020-7792",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
}
],
"cwes" : [
1321
],
"description" : "This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.",
"published" : "2020-12-11T11:15:00Z",
"updated" : "2024-11-21T05:37:00Z",
"affects" : [
{
"ref" : "7b12f4bf-8b57-41c1-acc1-0c644f909f42"
}
]
},
{
"bom-ref" : "05b57360-fabc-4b38-88ca-120ffd717da3",
"id" : "CVE-2022-21213",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1321
],
"description" : "This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target object recursively is not checked, leading to exploiting this vulnerability. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7792](https://security.snyk.io/vuln/SNYK-JS-MOUT-1014544).",
"published" : "2022-06-17T20:15:00Z",
"updated" : "2024-11-21T06:44:00Z",
"affects" : [
{
"ref" : "7b12f4bf-8b57-41c1-acc1-0c644f909f42"
}
]
},
{
"bom-ref" : "de8a7739-7bdd-41b9-a04f-4bfe5d9504a8",
"id" : "CVE-2022-0235",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.8,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.1,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"description" : "node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor",
"published" : "2022-01-16T17:15:00Z",
"updated" : "2024-11-21T06:38:00Z",
"affects" : [
{
"ref" : "b5ed2e7f-30cb-46f3-a4ca-d6d707751093"
}
]
},
{
"bom-ref" : "c6bdfb65-e8ae-49a2-a1ee-2bbf029c2508",
"id" : "CVE-2022-0122",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.8,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.1,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"description" : "forge is vulnerable to URL Redirection to Untrusted Site",
"published" : "2022-01-06T05:15:00Z",
"updated" : "2024-11-21T06:37:00Z",
"affects" : [
{
"ref" : "bd6da500-aec5-483a-8630-f5cd5ce1fb8b"
}
]
},
{
"bom-ref" : "60a49ac4-6841-4c9e-bbc3-e6d96c8a48ae",
"id" : "CVE-2022-24771",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"description" : "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.",
"published" : "2022-03-18T14:15:00Z",
"updated" : "2024-11-21T06:51:00Z",
"affects" : [
{
"ref" : "bd6da500-aec5-483a-8630-f5cd5ce1fb8b"
}
]
},
{
"bom-ref" : "79756fb5-e306-456a-8559-7c5a3c7f69f5",
"id" : "CVE-2022-24772",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"description" : "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.",
"published" : "2022-03-18T14:15:00Z",
"updated" : "2024-11-21T06:51:00Z",
"affects" : [
{
"ref" : "bd6da500-aec5-483a-8630-f5cd5ce1fb8b"
}
]
},
{
"bom-ref" : "92f118d2-1a8e-4b97-9e70-d7d2a8d759da",
"id" : "CVE-2022-24773",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"description" : "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.",
"published" : "2022-03-18T14:15:00Z",
"updated" : "2024-11-21T06:51:00Z",
"affects" : [
{
"ref" : "bd6da500-aec5-483a-8630-f5cd5ce1fb8b"
}
]
},
{
"bom-ref" : "ac25f027-624c-4bb3-b7ac-9c43e54a99da",
"id" : "CVE-2020-7720",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.3,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
}
],
"cwes" : [
1321
],
"description" : "The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.",
"published" : "2020-09-01T10:15:00Z",
"updated" : "2024-11-21T05:37:00Z",
"affects" : [
{
"ref" : "5041d1c9-a6d9-49e2-85dd-79b582c6633d"
}
]
},
{
"bom-ref" : "c6bdfb65-e8ae-49a2-a1ee-2bbf029c2508",
"id" : "CVE-2022-0122",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.8,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.1,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"description" : "forge is vulnerable to URL Redirection to Untrusted Site",
"published" : "2022-01-06T05:15:00Z",
"updated" : "2024-11-21T06:37:00Z",
"affects" : [
{
"ref" : "5041d1c9-a6d9-49e2-85dd-79b582c6633d"
}
]
},
{
"bom-ref" : "60a49ac4-6841-4c9e-bbc3-e6d96c8a48ae",
"id" : "CVE-2022-24771",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"description" : "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.",
"published" : "2022-03-18T14:15:00Z",
"updated" : "2024-11-21T06:51:00Z",
"affects" : [
{
"ref" : "5041d1c9-a6d9-49e2-85dd-79b582c6633d"
}
]
},
{
"bom-ref" : "79756fb5-e306-456a-8559-7c5a3c7f69f5",
"id" : "CVE-2022-24772",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"description" : "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.",
"published" : "2022-03-18T14:15:00Z",
"updated" : "2024-11-21T06:51:00Z",
"affects" : [
{
"ref" : "5041d1c9-a6d9-49e2-85dd-79b582c6633d"
}
]
},
{
"bom-ref" : "92f118d2-1a8e-4b97-9e70-d7d2a8d759da",
"id" : "CVE-2022-24773",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"description" : "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.",
"published" : "2022-03-18T14:15:00Z",
"updated" : "2024-11-21T06:51:00Z",
"affects" : [
{
"ref" : "5041d1c9-a6d9-49e2-85dd-79b582c6633d"
}
]
},
{
"bom-ref" : "59f58b44-3e6c-43f0-858f-f323d58126fb",
"id" : "CVE-2023-26155",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
77
],
"description" : "All versions of the package node-qpdf are vulnerable to Command Injection such that the package-exported method encrypt() fails to sanitize its parameter input, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they can specify the input pdf file path.",
"published" : "2023-10-14T05:15:00Z",
"updated" : "2024-11-21T07:50:00Z",
"affects" : [
{
"ref" : "920a5335-bef4-4686-a07d-718fc7d9de06"
}
]
},
{
"bom-ref" : "117dc8f6-7900-45d3-98d8-9eb53e5611e0",
"id" : "CVE-2020-7769",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
88
],
"description" : "This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.",
"published" : "2020-11-12T09:15:00Z",
"updated" : "2024-11-21T05:37:00Z",
"affects" : [
{
"ref" : "8486dc60-6358-4bd1-8d01-21c1a2ec9f9f"
}
]
},
{
"bom-ref" : "e9207049-862f-404b-a5ec-f4e35723a7a9",
"id" : "CVE-2021-23400",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.8,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 8.8,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
74
],
"description" : "The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.",
"published" : "2021-06-29T12:15:00Z",
"updated" : "2024-11-21T05:51:00Z",
"affects" : [
{
"ref" : "8486dc60-6358-4bd1-8d01-21c1a2ec9f9f"
}
]
},
{
"bom-ref" : "694866c1-9efb-43db-bcb5-6d9ba4bc6be8",
"id" : "CVE-2019-16775",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:S/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
}
],
"description" : "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.",
"published" : "2019-12-13T01:15:00Z",
"updated" : "2024-11-21T04:31:00Z",
"affects" : [
{
"ref" : "c62c320c-b467-44e2-b206-400437a77412"
}
]
},
{
"bom-ref" : "aad29bc8-91e5-4042-917d-001c029c7e87",
"id" : "CVE-2019-16776",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.5,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:S/C:P/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 8.1,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
}
],
"cwes" : [
22
],
"description" : "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.",
"published" : "2019-12-13T01:15:00Z",
"updated" : "2024-11-21T04:31:00Z",
"affects" : [
{
"ref" : "c62c320c-b467-44e2-b206-400437a77412"
}
]
},
{
"bom-ref" : "694866c1-9efb-43db-bcb5-6d9ba4bc6be8",
"id" : "CVE-2019-16775",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:S/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
}
],
"description" : "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.",
"published" : "2019-12-13T01:15:00Z",
"updated" : "2024-11-21T04:31:00Z",
"affects" : [
{
"ref" : "5dc7b78e-d0ae-4d3d-a33e-3deef9dda63d"
}
]
},
{
"bom-ref" : "aad29bc8-91e5-4042-917d-001c029c7e87",
"id" : "CVE-2019-16776",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.5,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:S/C:P/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 8.1,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
}
],
"cwes" : [
22
],
"description" : "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.",
"published" : "2019-12-13T01:15:00Z",
"updated" : "2024-11-21T04:31:00Z",
"affects" : [
{
"ref" : "5dc7b78e-d0ae-4d3d-a33e-3deef9dda63d"
}
]
},
{
"bom-ref" : "2921b602-67ec-46e1-abec-7c3b11c5abbe",
"id" : "CVE-2021-23434",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 8.6,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"
}
],
"cwes" : [
843
],
"description" : "This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.",
"published" : "2021-08-27T17:15:00Z",
"updated" : "2024-11-21T05:51:00Z",
"affects" : [
{
"ref" : "2a903d51-a32c-4df2-8d7b-c66def5f9794"
}
]
},
{
"bom-ref" : "37b30a47-9e19-4ddf-929f-39db2dc4b8a5",
"id" : "CVE-2024-45296",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.",
"published" : "2024-09-09T19:15:00Z",
"updated" : "2025-01-24T20:15:00Z",
"affects" : [
{
"ref" : "ae8c1178-71f3-4880-85bb-a0d87120f48e"
}
]
},
{
"bom-ref" : "265188df-1c1c-48cf-866c-e221b8ff48db",
"id" : "CVE-2017-1000048",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
20
],
"description" : "the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.",
"published" : "2017-07-17T13:18:00Z",
"updated" : "2024-11-21T03:04:00Z",
"affects" : [
{
"ref" : "8ad28874-5a60-4421-b2ca-5a96fe028be7"
}
]
},
{
"bom-ref" : "e7b0524d-008b-41c0-a43f-e02d1b7003f9",
"id" : "CVE-2022-24999",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1321
],
"description" : "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).",
"published" : "2022-11-26T22:15:00Z",
"updated" : "2024-11-21T06:51:00Z",
"affects" : [
{
"ref" : "8ad28874-5a60-4421-b2ca-5a96fe028be7"
}
]
},
{
"bom-ref" : "265188df-1c1c-48cf-866c-e221b8ff48db",
"id" : "CVE-2017-1000048",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
20
],
"description" : "the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.",
"published" : "2017-07-17T13:18:00Z",
"updated" : "2024-11-21T03:04:00Z",
"affects" : [
{
"ref" : "fdee68e7-8c5a-41be-b27b-b45e376d66e6"
}
]
},
{
"bom-ref" : "e7b0524d-008b-41c0-a43f-e02d1b7003f9",
"id" : "CVE-2022-24999",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1321
],
"description" : "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).",
"published" : "2022-11-26T22:15:00Z",
"updated" : "2024-11-21T06:51:00Z",
"affects" : [
{
"ref" : "fdee68e7-8c5a-41be-b27b-b45e376d66e6"
}
]
},
{
"bom-ref" : "e7b0524d-008b-41c0-a43f-e02d1b7003f9",
"id" : "CVE-2022-24999",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1321
],
"description" : "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).",
"published" : "2022-11-26T22:15:00Z",
"updated" : "2024-11-21T06:51:00Z",
"affects" : [
{
"ref" : "dfdceb87-fff4-449f-922c-c043b7242140"
}
]
},
{
"bom-ref" : "e7b0524d-008b-41c0-a43f-e02d1b7003f9",
"id" : "CVE-2022-24999",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1321
],
"description" : "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).",
"published" : "2022-11-26T22:15:00Z",
"updated" : "2024-11-21T06:51:00Z",
"affects" : [
{
"ref" : "a6ca8567-d0d4-4285-9487-0cf8956d683f"
}
]
},
{
"bom-ref" : "e7b0524d-008b-41c0-a43f-e02d1b7003f9",
"id" : "CVE-2022-24999",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1321
],
"description" : "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).",
"published" : "2022-11-26T22:15:00Z",
"updated" : "2024-11-21T06:51:00Z",
"affects" : [
{
"ref" : "a4bd6afd-7b45-4297-86ac-63a267818456"
}
]
},
{
"bom-ref" : "8f39df36-bc63-4820-9789-7f2b20b7030c",
"id" : "CVE-2022-25883",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1333
],
"description" : "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.",
"published" : "2023-06-21T05:15:00Z",
"updated" : "2024-12-06T17:15:00Z",
"affects" : [
{
"ref" : "207e3655-90d6-4936-bf5f-81a88bda4f9c"
}
]
},
{
"bom-ref" : "8f39df36-bc63-4820-9789-7f2b20b7030c",
"id" : "CVE-2022-25883",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1333
],
"description" : "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.",
"published" : "2023-06-21T05:15:00Z",
"updated" : "2024-12-06T17:15:00Z",
"affects" : [
{
"ref" : "36528fb7-2708-4ba6-953e-c1b475f35b20"
}
]
},
{
"bom-ref" : "8f39df36-bc63-4820-9789-7f2b20b7030c",
"id" : "CVE-2022-25883",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1333
],
"description" : "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.",
"published" : "2023-06-21T05:15:00Z",
"updated" : "2024-12-06T17:15:00Z",
"affects" : [
{
"ref" : "53ee9da7-cd2b-48fa-8ef1-a29b7a51edcf"
}
]
},
{
"bom-ref" : "8f39df36-bc63-4820-9789-7f2b20b7030c",
"id" : "CVE-2022-25883",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1333
],
"description" : "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.",
"published" : "2023-06-21T05:15:00Z",
"updated" : "2024-12-06T17:15:00Z",
"affects" : [
{
"ref" : "2b4d9664-d3f2-4d71-8967-80b4fdfc8f2c"
}
]
},
{
"bom-ref" : "9e0913e6-22ca-4fe7-a3bd-6ed5596c5b51",
"id" : "CVE-2023-26136",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
1321
],
"description" : "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.",
"published" : "2023-07-01T05:15:00Z",
"updated" : "2024-11-21T07:50:00Z",
"affects" : [
{
"ref" : "097d34e8-24f2-439b-9213-3262ccadfe7c"
}
]
},
{
"bom-ref" : "6af5baad-fc95-47e1-8d44-c8a91a41a41a",
"id" : "CVE-2016-1000232",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"cwes" : [
20
],
"description" : "NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0.",
"published" : "2018-09-05T17:29:00Z",
"updated" : "2024-11-21T02:43:00Z",
"affects" : [
{
"ref" : "097d34e8-24f2-439b-9213-3262ccadfe7c"
}
]
},
{
"bom-ref" : "5dfa57bd-46f8-4f2c-8b25-2f476229883e",
"id" : "CVE-2017-15010",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
400
],
"description" : "A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.",
"published" : "2017-10-04T01:29:00Z",
"updated" : "2024-11-21T03:13:00Z",
"affects" : [
{
"ref" : "097d34e8-24f2-439b-9213-3262ccadfe7c"
}
]
},
{
"bom-ref" : "caf65445-c1d0-4194-afc1-21e8b353be8c",
"id" : "CVE-2021-23358",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:S/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.2,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
94
],
"description" : "The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.",
"published" : "2021-03-29T14:15:00Z",
"updated" : "2024-11-21T05:51:00Z",
"affects" : [
{
"ref" : "47789ea2-4a8c-4c5a-a9cc-c03ad728f16f"
}
]
},
{
"bom-ref" : "16dbc9e8-482a-4a1a-a143-32ffcb1938df",
"id" : "CVE-2021-21366",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
}
],
"description" : "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.",
"published" : "2021-03-12T17:15:00Z",
"updated" : "2024-11-21T05:48:00Z",
"affects" : [
{
"ref" : "db40e382-7903-4a4b-a064-593807b144ba"
}
]
},
{
"bom-ref" : "3009a241-1718-453b-9336-2a509103536b",
"id" : "CVE-2021-32796",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"cwes" : [
116,
91
],
"description" : "xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.",
"published" : "2021-07-27T22:15:00Z",
"updated" : "2024-11-21T06:07:00Z",
"affects" : [
{
"ref" : "db40e382-7903-4a4b-a064-593807b144ba"
}
]
},
{
"bom-ref" : "f8f7b6f1-354f-4f59-b123-ad986ddd3dfe",
"id" : "CVE-2022-37616",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
1321
],
"description" : "A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states \"we are in the process of marking this report as invalid\"; however, some third parties takes the position that \"A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted.\"",
"published" : "2022-10-11T05:15:00Z",
"updated" : "2024-11-21T07:15:00Z",
"affects" : [
{
"ref" : "db40e382-7903-4a4b-a064-593807b144ba"
}
]
},
{
"bom-ref" : "843521c9-0818-4a19-abd9-e8c3cc0aafad",
"id" : "CVE-2022-39353",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"description" : "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.",
"published" : "2022-11-02T17:15:00Z",
"updated" : "2024-11-21T07:18:00Z",
"affects" : [
{
"ref" : "db40e382-7903-4a4b-a064-593807b144ba"
}
]
},
{
"bom-ref" : "b5d5474a-d6f6-4f7e-9157-2204761fa0d0",
"id" : "CVE-2021-31597",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.4,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
}
],
"cwes" : [
295
],
"description" : "The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.",
"published" : "2021-04-23T00:15:00Z",
"updated" : "2024-11-21T06:05:00Z",
"affects" : [
{
"ref" : "566b7717-3790-49a2-9e82-8699e12771d1"
}
]
},
{
"bom-ref" : "98766624-8c9b-4563-8a12-496f983e5426",
"id" : "CVE-2020-7774",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
1321
],
"description" : "The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.",
"published" : "2020-11-17T13:15:00Z",
"updated" : "2024-11-21T05:37:00Z",
"affects" : [
{
"ref" : "4d7b1364-fda8-4ae2-a857-8c1005a47f8d"
}
]
},
{
"bom-ref" : "e1f85a20-255c-41dc-8ab7-ad78dc82ee18",
"id" : "CVE-2021-32803",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.8,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:N/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 8.1,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"
}
],
"cwes" : [
59
],
"description" : "The npm package \"tar\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.",
"published" : "2021-08-03T19:15:00Z",
"updated" : "2024-11-21T06:07:00Z",
"affects" : [
{
"ref" : "697f3f30-1e4c-40cb-9dae-ddc902bc3265"
}
]
},
{
"bom-ref" : "a3f4c62a-3a25-43ea-a7e5-b58d197990f7",
"id" : "CVE-2021-32804",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.8,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:N/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 8.1,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"
}
],
"description" : "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.",
"published" : "2021-08-03T19:15:00Z",
"updated" : "2024-11-21T06:07:00Z",
"affects" : [
{
"ref" : "697f3f30-1e4c-40cb-9dae-ddc902bc3265"
}
]
},
{
"bom-ref" : "a800acd5-8f30-487e-8f47-81d41482870d",
"id" : "CVE-2021-37701",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.4,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:L/AC:M/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 8.6,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
}
],
"description" : "The npm package \"tar\" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.",
"published" : "2021-08-31T17:15:00Z",
"updated" : "2024-11-21T06:15:00Z",
"affects" : [
{
"ref" : "697f3f30-1e4c-40cb-9dae-ddc902bc3265"
}
]
},
{
"bom-ref" : "a87e2fa7-e3c7-41f8-b2f7-9e8b7a7c8caa",
"id" : "CVE-2024-28863",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.",
"published" : "2024-03-21T23:15:00Z",
"updated" : "2024-11-21T09:07:00Z",
"affects" : [
{
"ref" : "697f3f30-1e4c-40cb-9dae-ddc902bc3265"
}
]
},
{
"bom-ref" : "5b4fc945-1a0f-43af-accb-d8e16c91abf6",
"id" : "CVE-2020-7743",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
}
],
"cwes" : [
1321
],
"description" : "The package mathjs before 7.5.1 are vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates.",
"published" : "2020-10-13T10:15:00Z",
"updated" : "2024-11-21T05:37:00Z",
"affects" : [
{
"ref" : "5d84ed98-68f2-436f-9a7c-331f7e929718"
}
]
},
{
"bom-ref" : "b407c804-abe4-4ef2-b3a0-52a3d2edc5c0",
"id" : "CVE-2024-43799",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.7,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"cwes" : [
79
],
"description" : "Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.",
"published" : "2024-09-10T15:15:00Z",
"updated" : "2024-09-20T16:57:00Z",
"affects" : [
{
"ref" : "5bf47987-7e55-4924-a5dd-d77c272a3cd7"
}
]
},
{
"bom-ref" : "fe7eb43c-815f-47fc-9760-46154d4735ee",
"id" : "CVE-2021-43138",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.8,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.8,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
1321
],
"description" : "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.",
"published" : "2022-04-06T17:15:00Z",
"updated" : "2024-11-21T06:28:00Z",
"affects" : [
{
"ref" : "e93b9b00-289f-43f0-84e0-70707ede82c5"
}
]
},
{
"bom-ref" : "15021485-3fde-4f44-abad-711f66be91b5",
"id" : "CVE-2024-39249",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: regular expressions are not used with untrusted input.",
"published" : "2024-07-01T20:15:00Z",
"updated" : "2024-11-21T09:27:00Z",
"affects" : [
{
"ref" : "e93b9b00-289f-43f0-84e0-70707ede82c5"
}
]
},
{
"bom-ref" : "fe7eb43c-815f-47fc-9760-46154d4735ee",
"id" : "CVE-2021-43138",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.8,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.8,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
1321
],
"description" : "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.",
"published" : "2022-04-06T17:15:00Z",
"updated" : "2024-11-21T06:28:00Z",
"affects" : [
{
"ref" : "01b41eab-13c4-4f1c-9358-9b9449778b91"
}
]
},
{
"bom-ref" : "15021485-3fde-4f44-abad-711f66be91b5",
"id" : "CVE-2024-39249",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: regular expressions are not used with untrusted input.",
"published" : "2024-07-01T20:15:00Z",
"updated" : "2024-11-21T09:27:00Z",
"affects" : [
{
"ref" : "01b41eab-13c4-4f1c-9358-9b9449778b91"
}
]
},
{
"bom-ref" : "4feecca6-8fa7-4467-950c-3fdf4aa358b6",
"id" : "CVE-2022-24434",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description" : "This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.",
"published" : "2022-05-20T20:15:00Z",
"updated" : "2024-11-21T06:50:00Z",
"affects" : [
{
"ref" : "5984a3ae-27b4-40bc-9005-f9dc230ea2f4"
}
]
},
{
"bom-ref" : "694866c1-9efb-43db-bcb5-6d9ba4bc6be8",
"id" : "CVE-2019-16775",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:S/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
}
],
"description" : "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.",
"published" : "2019-12-13T01:15:00Z",
"updated" : "2024-11-21T04:31:00Z",
"affects" : [
{
"ref" : "faa83360-d436-4ec7-96ab-acfbe6fd0ae7"
}
]
},
{
"bom-ref" : "aad29bc8-91e5-4042-917d-001c029c7e87",
"id" : "CVE-2019-16776",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.5,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:S/C:P/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 8.1,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
}
],
"cwes" : [
22
],
"description" : "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.",
"published" : "2019-12-13T01:15:00Z",
"updated" : "2024-11-21T04:31:00Z",
"affects" : [
{
"ref" : "faa83360-d436-4ec7-96ab-acfbe6fd0ae7"
}
]
},
{
"bom-ref" : "1dcabf3c-86c6-4049-881a-293bd766dbee",
"id" : "CVE-2021-32640",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"cwes" : [
400
],
"description" : "ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.",
"published" : "2021-05-25T19:15:00Z",
"updated" : "2024-11-21T06:07:00Z",
"affects" : [
{
"ref" : "5cb9cc8a-8025-4f14-a30f-36ad119c47e4"
}
]
},
{
"bom-ref" : "d3550126-cd9b-4bcd-b4a3-3d05c53df72b",
"id" : "CVE-2024-37890",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.",
"published" : "2024-06-17T20:15:00Z",
"updated" : "2024-11-21T09:24:00Z",
"affects" : [
{
"ref" : "5cb9cc8a-8025-4f14-a30f-36ad119c47e4"
}
]
},
{
"bom-ref" : "31943502-69a2-4afb-985f-d8abec2f3e11",
"id" : "CVE-2020-15366",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.8,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.6,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
}
],
"cwes" : [
1321
],
"description" : "An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)",
"published" : "2020-07-15T20:15:00Z",
"updated" : "2024-11-21T05:05:00Z",
"affects" : [
{
"ref" : "35f50dfa-02fa-4bac-a09b-df329dc5131b"
}
]
},
{
"bom-ref" : "847ab0c8-c063-4328-8207-14e06b5113b7",
"id" : "CVE-2024-38355",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the \"error\" event to catch these errors.",
"published" : "2024-06-19T20:15:00Z",
"updated" : "2024-11-21T09:25:00Z",
"affects" : [
{
"ref" : "98c978ad-e3c5-4245-8821-2439c6367668"
}
]
},
{
"bom-ref" : "12a29a10-e1eb-489c-b98f-c26900894003",
"id" : "CVE-2020-26256",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 3.5,
"severity" : "low",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:S/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
400
],
"description" : "Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. In fast-cvs before version 4.3.6 there is a possible ReDoS vulnerability (Regular Expression Denial of Service) when using ignoreEmpty option when parsing. This has been patched in `v4.3.6` You will only be affected by this if you use the `ignoreEmpty` parsing option. If you do use this option it is recommended that you upgrade to the latest version `v4.3.6` This vulnerability was found using a CodeQL query which identified `EMPTY_ROW_REGEXP` regular expression as vulnerable.",
"published" : "2020-12-08T22:15:00Z",
"updated" : "2024-11-21T05:19:00Z",
"affects" : [
{
"ref" : "468c7e25-dc57-4054-90fa-b82a40265a80"
}
]
},
{
"bom-ref" : "6b3e2893-841a-4671-866e-448d4875bbc4",
"id" : "CVE-2020-8244",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.4,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"
}
],
"cwes" : [
125
],
"description" : "A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.",
"published" : "2020-08-30T15:15:00Z",
"updated" : "2024-11-21T05:38:00Z",
"affects" : [
{
"ref" : "990a45d3-28b9-46bd-a21c-d40ee732d554"
}
]
},
{
"bom-ref" : "4feecca6-8fa7-4467-950c-3fdf4aa358b6",
"id" : "CVE-2022-24434",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description" : "This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.",
"published" : "2022-05-20T20:15:00Z",
"updated" : "2024-11-21T06:50:00Z",
"affects" : [
{
"ref" : "5547b27c-23dd-46c0-ad6b-53d1fd31cf2f"
}
]
},
{
"bom-ref" : "37b09e82-3d1c-4c39-9567-c7542fe344fd",
"id" : "CVE-2021-32012",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
400
],
"description" : "SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).",
"published" : "2021-07-19T14:15:00Z",
"updated" : "2024-11-21T06:06:00Z",
"affects" : [
{
"ref" : "ddc3334b-383d-48f4-8ef5-c5c9d0b32f18"
}
]
},
{
"bom-ref" : "e21fdb38-460e-4fd5-92b5-2c32f7e3a939",
"id" : "CVE-2021-32013",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
400
],
"description" : "SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2).",
"published" : "2021-07-19T14:15:00Z",
"updated" : "2024-11-21T06:06:00Z",
"affects" : [
{
"ref" : "ddc3334b-383d-48f4-8ef5-c5c9d0b32f18"
}
]
},
{
"bom-ref" : "20f4f2d4-fad4-4ff1-bac2-2fde3949c211",
"id" : "CVE-2021-32014",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
400
],
"description" : "SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.",
"published" : "2021-07-19T14:15:00Z",
"updated" : "2024-11-21T06:06:00Z",
"affects" : [
{
"ref" : "ddc3334b-383d-48f4-8ef5-c5c9d0b32f18"
}
]
},
{
"bom-ref" : "2684f85d-cd3e-4ca3-8efe-9bfadcab2b6f",
"id" : "CVE-2023-30533",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.8,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
1321
],
"description" : "SheetJS Community Edition before 0.19.3 allows Prototype Pollution via a crafted file. In other words. 0.19.2 and earlier are affected, whereas 0.19.3 and later are unaffected.",
"published" : "2023-04-24T08:15:00Z",
"updated" : "2025-02-04T20:15:00Z",
"affects" : [
{
"ref" : "ddc3334b-383d-48f4-8ef5-c5c9d0b32f18"
}
]
},
{
"bom-ref" : "e25897d8-1d7f-4281-a98f-b0d4158adbb6",
"id" : "CVE-2024-22363",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of Service (ReDoS).",
"published" : "2024-04-05T06:15:00Z",
"updated" : "2024-11-21T08:56:00Z",
"affects" : [
{
"ref" : "ddc3334b-383d-48f4-8ef5-c5c9d0b32f18"
}
]
},
{
"bom-ref" : "4feecca6-8fa7-4467-950c-3fdf4aa358b6",
"id" : "CVE-2022-24434",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description" : "This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.",
"published" : "2022-05-20T20:15:00Z",
"updated" : "2024-11-21T06:50:00Z",
"affects" : [
{
"ref" : "d2e6aafe-6a00-4754-951d-fe31888ceae3"
}
]
},
{
"bom-ref" : "458d1725-9cb0-40f2-9160-2208fbc8663e",
"id" : "CVE-2022-25896",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.8,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.8,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
}
],
"cwes" : [
384
],
"description" : "This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.",
"published" : "2022-07-01T20:15:00Z",
"updated" : "2024-11-21T06:53:00Z",
"affects" : [
{
"ref" : "d176f69d-0d09-4876-b997-f7396ac890f2"
}
]
},
{
"bom-ref" : "3685e165-ad29-4719-9bf8-8acbcfc7cffd",
"id" : "CVE-2020-28469",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
400
],
"description" : "This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.",
"published" : "2021-06-03T16:15:00Z",
"updated" : "2024-11-21T05:22:00Z",
"affects" : [
{
"ref" : "4485e2f2-ea93-4efc-bdc1-419bc94d4822"
}
]
},
{
"bom-ref" : "b93946b6-5370-4ba8-bc80-59d83efea3a6",
"id" : "CVE-2020-28472",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"description" : "This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited further depending on the context.",
"published" : "2021-01-19T11:15:00Z",
"updated" : "2024-11-21T05:22:00Z",
"affects" : [
{
"ref" : "3639fbbf-c0c2-41fd-a18c-3c23641689eb"
}
]
},
{
"bom-ref" : "f73bb8dc-f4fe-46f4-b659-6cf1617823db",
"id" : "CVE-2023-26920",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
],
"cwes" : [
1321
],
"description" : "fast-xml-parser before 4.1.2 allows __proto__ for Prototype Pollution.",
"published" : "2023-12-12T17:15:00Z",
"updated" : "2024-11-21T07:52:00Z",
"affects" : [
{
"ref" : "721d52fd-7d66-441f-a6c2-5e07d72a899d"
}
]
},
{
"bom-ref" : "56e4be44-fc67-454f-83c0-9cd830d2cbea",
"id" : "CVE-2019-14939",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 2.1,
"severity" : "low",
"method" : "CVSSv2",
"vector" : "(AV:L/AC:L/Au:N/C:P/I:N/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
],
"description" : "An issue was discovered in the mysql (aka mysqljs) module 2.17.1 for Node.js. The LOAD DATA LOCAL INFILE option is open by default.",
"published" : "2019-08-12T01:15:00Z",
"updated" : "2024-11-21T04:27:00Z",
"affects" : [
{
"ref" : "59f05901-82e5-42b4-8c5b-a0437c6bbd1c"
}
]
},
{
"bom-ref" : "846e1027-eb76-488d-afe1-4c42b2ea281f",
"id" : "CVE-2024-43800",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.7,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"cwes" : [
79
],
"description" : "serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.",
"published" : "2024-09-10T15:15:00Z",
"updated" : "2024-09-20T17:36:00Z",
"affects" : [
{
"ref" : "269c2ef7-825c-4be4-95ed-9bd83b18c86f"
}
]
},
{
"bom-ref" : "69289efe-23ce-4c27-9097-be682173412e",
"id" : "CVE-2021-29469",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description" : "Node-redis is a Node.js Redis client. Before version 3.1.1, when a client is in monitoring mode, the regex begin used to detected monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service. The issue is patched in version 3.1.1.",
"published" : "2021-04-23T18:15:00Z",
"updated" : "2024-11-21T06:01:00Z",
"affects" : [
{
"ref" : "f7c6d07a-aeae-46ef-9f7f-0fa7c0622b0d"
}
]
},
{
"bom-ref" : "b7bccfbf-78c9-490f-9dfd-db66694b834c",
"id" : "CVE-2020-36048",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
400
],
"description" : "Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.",
"published" : "2021-01-08T00:15:00Z",
"updated" : "2024-11-21T05:28:00Z",
"affects" : [
{
"ref" : "c89ebebb-8df0-4151-be02-3de585e1634b"
}
]
},
{
"bom-ref" : "6f55fd86-9d87-4e9a-a8ed-aebd2b9594ca",
"id" : "CVE-2022-41940",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"description" : "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.",
"published" : "2022-11-22T01:15:00Z",
"updated" : "2024-11-21T07:24:00Z",
"affects" : [
{
"ref" : "c89ebebb-8df0-4151-be02-3de585e1634b"
}
]
},
{
"bom-ref" : "3cbb569d-8512-4f6a-8aae-0e8e1b2244a4",
"id" : "CVE-2024-21538",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.",
"published" : "2024-11-08T05:15:00Z",
"updated" : "2024-11-19T14:15:00Z",
"affects" : [
{
"ref" : "17344285-4458-42a8-9729-9a566a370ef9"
}
]
},
{
"bom-ref" : "caf7733d-11a3-4ad0-b8fa-569d6e5a6985",
"id" : "CVE-2022-23539",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 8.1,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
}
],
"description" : "Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.",
"published" : "2022-12-23T00:15:00Z",
"updated" : "2024-11-21T06:48:00Z",
"affects" : [
{
"ref" : "c9af1ba1-df0f-40f3-8c0a-26076671c9be"
}
]
},
{
"bom-ref" : "d9bac097-91aa-4990-98ae-245b7443ec29",
"id" : "CVE-2022-23540",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.6,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L"
}
],
"cwes" : [
347
],
"description" : "In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.",
"published" : "2022-12-22T19:15:00Z",
"updated" : "2025-02-13T17:15:00Z",
"affects" : [
{
"ref" : "c9af1ba1-df0f-40f3-8c0a-26076671c9be"
}
]
},
{
"bom-ref" : "d22d5689-956c-47eb-ab4e-649fff4ddba1",
"id" : "CVE-2022-23541",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
}
],
"description" : "jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.",
"published" : "2022-12-22T18:15:00Z",
"updated" : "2024-11-21T06:48:00Z",
"affects" : [
{
"ref" : "c9af1ba1-df0f-40f3-8c0a-26076671c9be"
}
]
},
{
"bom-ref" : "fc538d70-2ff0-401c-b76e-96c4502bc54f",
"id" : "CVE-2021-3803",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1333
],
"description" : "nth-check is vulnerable to Inefficient Regular Expression Complexity",
"published" : "2021-09-17T07:15:00Z",
"updated" : "2024-11-21T06:22:00Z",
"affects" : [
{
"ref" : "18fef13c-0bb9-4f1e-8ee2-3a51c2a2ed04"
}
]
},
{
"bom-ref" : "1dcabf3c-86c6-4049-881a-293bd766dbee",
"id" : "CVE-2021-32640",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"cwes" : [
400
],
"description" : "ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.",
"published" : "2021-05-25T19:15:00Z",
"updated" : "2024-11-21T06:07:00Z",
"affects" : [
{
"ref" : "b8a52534-2c3d-4c14-b36f-1889febb5035"
}
]
},
{
"bom-ref" : "d3550126-cd9b-4bcd-b4a3-3d05c53df72b",
"id" : "CVE-2024-37890",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.",
"published" : "2024-06-17T20:15:00Z",
"updated" : "2024-11-21T09:24:00Z",
"affects" : [
{
"ref" : "b8a52534-2c3d-4c14-b36f-1889febb5035"
}
]
},
{
"bom-ref" : "6b3e2893-841a-4671-866e-448d4875bbc4",
"id" : "CVE-2020-8244",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.4,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"
}
],
"cwes" : [
125
],
"description" : "A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.",
"published" : "2020-08-30T15:15:00Z",
"updated" : "2024-11-21T05:38:00Z",
"affects" : [
{
"ref" : "6a8c0a4b-4670-44a8-989c-462681967fc8"
}
]
},
{
"bom-ref" : "e71878da-9f35-46fb-be81-d972be50b54f",
"id" : "CVE-2024-45590",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description" : "body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.",
"published" : "2024-09-10T16:15:00Z",
"updated" : "2024-09-20T16:26:00Z",
"affects" : [
{
"ref" : "9586c461-43ec-4490-a81d-0dddbb7c7499"
}
]
},
{
"bom-ref" : "37b09e82-3d1c-4c39-9567-c7542fe344fd",
"id" : "CVE-2021-32012",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
400
],
"description" : "SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).",
"published" : "2021-07-19T14:15:00Z",
"updated" : "2024-11-21T06:06:00Z",
"affects" : [
{
"ref" : "499877c3-1177-4d82-958a-9f88525e8301"
}
]
},
{
"bom-ref" : "e21fdb38-460e-4fd5-92b5-2c32f7e3a939",
"id" : "CVE-2021-32013",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
400
],
"description" : "SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2).",
"published" : "2021-07-19T14:15:00Z",
"updated" : "2024-11-21T06:06:00Z",
"affects" : [
{
"ref" : "499877c3-1177-4d82-958a-9f88525e8301"
}
]
},
{
"bom-ref" : "20f4f2d4-fad4-4ff1-bac2-2fde3949c211",
"id" : "CVE-2021-32014",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
400
],
"description" : "SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.",
"published" : "2021-07-19T14:15:00Z",
"updated" : "2024-11-21T06:06:00Z",
"affects" : [
{
"ref" : "499877c3-1177-4d82-958a-9f88525e8301"
}
]
},
{
"bom-ref" : "2684f85d-cd3e-4ca3-8efe-9bfadcab2b6f",
"id" : "CVE-2023-30533",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.8,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
1321
],
"description" : "SheetJS Community Edition before 0.19.3 allows Prototype Pollution via a crafted file. In other words. 0.19.2 and earlier are affected, whereas 0.19.3 and later are unaffected.",
"published" : "2023-04-24T08:15:00Z",
"updated" : "2025-02-04T20:15:00Z",
"affects" : [
{
"ref" : "499877c3-1177-4d82-958a-9f88525e8301"
}
]
},
{
"bom-ref" : "e25897d8-1d7f-4281-a98f-b0d4158adbb6",
"id" : "CVE-2024-22363",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of Service (ReDoS).",
"published" : "2024-04-05T06:15:00Z",
"updated" : "2024-11-21T08:56:00Z",
"affects" : [
{
"ref" : "499877c3-1177-4d82-958a-9f88525e8301"
}
]
},
{
"bom-ref" : "efac818f-e157-4a22-a31a-1d3df41d9285",
"id" : "CVE-2023-0842",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"cwes" : [
1321
],
"description" : "xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.",
"published" : "2023-04-05T20:15:00Z",
"updated" : "2025-02-13T20:15:00Z",
"affects" : [
{
"ref" : "c73d0e9a-304a-423d-81c9-d21b60bcb632"
}
]
},
{
"bom-ref" : "189cbcbe-26ed-462a-bc1d-1221ee16b1b3",
"id" : "CVE-2024-4068",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.",
"published" : "2024-05-14T15:42:00Z",
"updated" : "2024-11-21T09:42:00Z",
"affects" : [
{
"ref" : "8a9283a4-5f05-4547-8407-ef17659677b4"
}
]
},
{
"bom-ref" : "6b3e2893-841a-4671-866e-448d4875bbc4",
"id" : "CVE-2020-8244",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.4,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"
}
],
"cwes" : [
125
],
"description" : "A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.",
"published" : "2020-08-30T15:15:00Z",
"updated" : "2024-11-21T05:38:00Z",
"affects" : [
{
"ref" : "85ba9331-70b9-4a3b-9c14-fcc20c4623c6"
}
]
},
{
"bom-ref" : "3bdc1f15-8d57-45aa-9bb7-46d088e72e0e",
"id" : "CVE-2020-7768",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
1321
],
"description" : "The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.",
"published" : "2020-11-11T11:15:00Z",
"updated" : "2024-11-21T05:37:00Z",
"affects" : [
{
"ref" : "9ff407ea-7c4f-4999-97fa-d196ad26b16a"
}
]
},
{
"bom-ref" : "e413a78d-da02-4595-b7c3-2404f0f87215",
"id" : "CVE-2024-37168",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option: If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded; and/or if an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded. This has been patched in versions 1.10.9, 1.9.15, and 1.8.22.",
"published" : "2024-06-10T22:15:00Z",
"updated" : "2024-11-21T09:23:00Z",
"affects" : [
{
"ref" : "9ff407ea-7c4f-4999-97fa-d196ad26b16a"
}
]
},
{
"bom-ref" : "96115082-ad17-4fbb-93cb-92cd128b6f7f",
"id" : "CVE-2023-25345",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"cwes" : [
22
],
"description" : "Directory traversal vulnerability in swig-templates thru 2.0.4 and swig thru 1.4.2, allows attackers to read arbitrary files via the include or extends tags.",
"published" : "2023-03-15T20:15:00Z",
"updated" : "2025-02-27T19:15:00Z",
"affects" : [
{
"ref" : "f7814813-2e9e-4f6c-8326-338adbef15c7"
}
]
},
{
"bom-ref" : "115bb632-9607-4316-843a-17fa2b821b5a",
"id" : "CVE-2023-28155",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.1,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"cwes" : [
918
],
"description" : "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"published" : "2023-03-16T15:15:00Z",
"updated" : "2024-11-21T07:54:00Z",
"affects" : [
{
"ref" : "38db9b17-508f-461e-b796-8480dee920b8"
}
]
},
{
"bom-ref" : "e7b0524d-008b-41c0-a43f-e02d1b7003f9",
"id" : "CVE-2022-24999",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1321
],
"description" : "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).",
"published" : "2022-11-26T22:15:00Z",
"updated" : "2024-11-21T06:51:00Z",
"affects" : [
{
"ref" : "7ff6cea8-e853-4bfe-afca-48048a31e065"
}
]
},
{
"bom-ref" : "39e642b0-2514-4355-aca7-e2460d418088",
"id" : "CVE-2024-10491",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"description" : "A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources. This vulnerability is especially relevant for dynamic parameters.",
"published" : "2024-10-29T17:15:00Z",
"updated" : "2024-11-06T23:08:00Z",
"affects" : [
{
"ref" : "7ff6cea8-e853-4bfe-afca-48048a31e065"
}
]
},
{
"bom-ref" : "f1342efe-387c-494b-a950-a2d40e828445",
"id" : "CVE-2024-29041",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()` but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.",
"published" : "2024-03-25T21:15:00Z",
"updated" : "2024-11-21T09:07:00Z",
"affects" : [
{
"ref" : "7ff6cea8-e853-4bfe-afca-48048a31e065"
}
]
},
{
"bom-ref" : "78ed88ed-ad4a-4234-9447-01768bc7894e",
"id" : "CVE-2024-43796",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.7,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"cwes" : [
79
],
"description" : "Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.",
"published" : "2024-09-10T15:15:00Z",
"updated" : "2024-09-20T16:07:00Z",
"affects" : [
{
"ref" : "7ff6cea8-e853-4bfe-afca-48048a31e065"
}
]
},
{
"bom-ref" : "0415a87a-0e22-4873-8073-6505e80866f3",
"id" : "CVE-2022-0155",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:N/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
}
],
"description" : "follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor",
"published" : "2022-01-10T20:15:00Z",
"updated" : "2024-11-21T06:38:00Z",
"affects" : [
{
"ref" : "216d9a98-0552-4433-b4e0-b082582b9e36"
}
]
},
{
"bom-ref" : "56b11ae7-fc1a-4bd1-af82-50a43fbe5649",
"id" : "CVE-2022-0536",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:N/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.9,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"description" : "Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.",
"published" : "2022-02-09T11:15:00Z",
"updated" : "2024-11-21T06:38:00Z",
"affects" : [
{
"ref" : "216d9a98-0552-4433-b4e0-b082582b9e36"
}
]
},
{
"bom-ref" : "d76550cf-cbad-404d-a2dd-211d0280ccb7",
"id" : "CVE-2023-26159",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.1,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"cwes" : [
601
],
"description" : "Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.",
"published" : "2024-01-02T05:15:00Z",
"updated" : "2024-11-21T07:50:00Z",
"affects" : [
{
"ref" : "216d9a98-0552-4433-b4e0-b082582b9e36"
}
]
},
{
"bom-ref" : "42b16e9c-680e-4555-a803-2c4d5664115a",
"id" : "CVE-2024-28849",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
"published" : "2024-03-14T17:15:00Z",
"updated" : "2024-11-21T09:07:00Z",
"affects" : [
{
"ref" : "216d9a98-0552-4433-b4e0-b082582b9e36"
}
]
},
{
"bom-ref" : "b407c804-abe4-4ef2-b3a0-52a3d2edc5c0",
"id" : "CVE-2024-43799",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.7,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"cwes" : [
79
],
"description" : "Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.",
"published" : "2024-09-10T15:15:00Z",
"updated" : "2024-09-20T16:57:00Z",
"affects" : [
{
"ref" : "5126a05d-cbbf-4b48-96aa-8e093caf97d2"
}
]
},
{
"bom-ref" : "c25d1a64-cde0-4906-908b-23ad42ba4f1d",
"id" : "CVE-2020-28168",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:P/I:N/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.9,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"cwes" : [
918
],
"description" : "Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.",
"published" : "2020-11-06T20:15:00Z",
"updated" : "2024-11-21T05:22:00Z",
"affects" : [
{
"ref" : "f7baeba9-2f33-422f-97fe-d2c4c57fefa4"
}
]
},
{
"bom-ref" : "21b2af06-0837-402f-ad77-58b8af151fd2",
"id" : "CVE-2021-3749",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.8,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:C)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description" : "axios is vulnerable to Inefficient Regular Expression Complexity",
"published" : "2021-08-31T11:15:00Z",
"updated" : "2024-11-21T06:22:00Z",
"affects" : [
{
"ref" : "f7baeba9-2f33-422f-97fe-d2c4c57fefa4"
}
]
},
{
"bom-ref" : "3d8d249b-6c9f-44ba-9301-6e66e294bd1e",
"id" : "CVE-2023-45857",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
}
],
"cwes" : [
352
],
"description" : "An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.",
"published" : "2023-11-08T21:15:00Z",
"updated" : "2024-11-21T08:27:00Z",
"affects" : [
{
"ref" : "f7baeba9-2f33-422f-97fe-d2c4c57fefa4"
}
]
},
{
"bom-ref" : "de78ddf3-405e-4e6c-811a-e0e21ff38e36",
"id" : "CVE-2025-27152",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ?baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.",
"published" : "2025-03-07T16:15:00Z",
"updated" : "2025-03-07T20:15:00Z",
"affects" : [
{
"ref" : "f7baeba9-2f33-422f-97fe-d2c4c57fefa4"
}
]
},
{
"bom-ref" : "e1054e23-c837-4f07-a125-87605fdc4d9a",
"id" : "CVE-2019-10742",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
755
],
"description" : "Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.",
"published" : "2019-05-07T19:29:00Z",
"updated" : "2024-11-21T04:19:00Z",
"affects" : [
{
"ref" : "f7baeba9-2f33-422f-97fe-d2c4c57fefa4"
}
]
},
{
"bom-ref" : "4676a4fd-fdee-4f66-afa6-27e9f70ec107",
"id" : "CVE-2025-27789",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"cwes" : [
1333
],
"description" : "Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the `.replace` method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of `.replace`. This problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on `@babel/helpers`, and instead depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees use of a new enough `@babel/helpers` version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.",
"published" : "2025-03-11T20:15:00Z",
"updated" : "2025-03-11T20:15:00Z",
"affects" : [
{
"ref" : "d63dd4c3-8e88-424e-92df-df43de60da9d"
}
]
},
{
"bom-ref" : "846e1027-eb76-488d-afe1-4c42b2ea281f",
"id" : "CVE-2024-43800",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.7,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"cwes" : [
79
],
"description" : "serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.",
"published" : "2024-09-10T15:15:00Z",
"updated" : "2024-09-20T17:36:00Z",
"affects" : [
{
"ref" : "80dfdb64-9bcd-46d3-94e8-37daa10746fe"
}
]
},
{
"bom-ref" : "f21a70e5-2433-4889-852a-ddb15f2d542f",
"id" : "CVE-2020-26301",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 10.0,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
}
],
"cwes" : [
78
],
"description" : "ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This is fixed in version 1.4.0.",
"published" : "2021-09-20T20:15:00Z",
"updated" : "2024-11-21T05:19:00Z",
"affects" : [
{
"ref" : "5d76ca9c-2c7f-4614-abc1-8c51bb3ae408"
}
]
},
{
"bom-ref" : "21ec666d-416f-41c7-9a57-7418df6903b8",
"id" : "CVE-2023-48795",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.9,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"cwes" : [
354
],
"description" : "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.",
"published" : "2023-12-18T16:15:00Z",
"updated" : "2024-12-02T14:54:00Z",
"affects" : [
{
"ref" : "5d76ca9c-2c7f-4614-abc1-8c51bb3ae408"
}
]
},
{
"bom-ref" : "694866c1-9efb-43db-bcb5-6d9ba4bc6be8",
"id" : "CVE-2019-16775",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:S/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
}
],
"description" : "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.",
"published" : "2019-12-13T01:15:00Z",
"updated" : "2024-11-21T04:31:00Z",
"affects" : [
{
"ref" : "d66c0398-c266-4ed5-a185-ce94c8e5c9f7"
}
]
},
{
"bom-ref" : "aad29bc8-91e5-4042-917d-001c029c7e87",
"id" : "CVE-2019-16776",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.5,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:S/C:P/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 8.1,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
}
],
"cwes" : [
22
],
"description" : "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.",
"published" : "2019-12-13T01:15:00Z",
"updated" : "2024-11-21T04:31:00Z",
"affects" : [
{
"ref" : "d66c0398-c266-4ed5-a185-ce94c8e5c9f7"
}
]
},
{
"bom-ref" : "e7b0524d-008b-41c0-a43f-e02d1b7003f9",
"id" : "CVE-2022-24999",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1321
],
"description" : "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).",
"published" : "2022-11-26T22:15:00Z",
"updated" : "2024-11-21T06:51:00Z",
"affects" : [
{
"ref" : "f1e709d5-1536-4ab0-bdc4-9e241da81f6d"
}
]
},
{
"bom-ref" : "39e642b0-2514-4355-aca7-e2460d418088",
"id" : "CVE-2024-10491",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"description" : "A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources. This vulnerability is especially relevant for dynamic parameters.",
"published" : "2024-10-29T17:15:00Z",
"updated" : "2024-11-06T23:08:00Z",
"affects" : [
{
"ref" : "f1e709d5-1536-4ab0-bdc4-9e241da81f6d"
}
]
},
{
"bom-ref" : "f1342efe-387c-494b-a950-a2d40e828445",
"id" : "CVE-2024-29041",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()` but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.",
"published" : "2024-03-25T21:15:00Z",
"updated" : "2024-11-21T09:07:00Z",
"affects" : [
{
"ref" : "f1e709d5-1536-4ab0-bdc4-9e241da81f6d"
}
]
},
{
"bom-ref" : "78ed88ed-ad4a-4234-9447-01768bc7894e",
"id" : "CVE-2024-43796",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.7,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"cwes" : [
79
],
"description" : "Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.",
"published" : "2024-09-10T15:15:00Z",
"updated" : "2024-09-20T16:07:00Z",
"affects" : [
{
"ref" : "f1e709d5-1536-4ab0-bdc4-9e241da81f6d"
}
]
},
{
"bom-ref" : "898b7c19-fb27-4c9e-a711-61ffe92eff45",
"id" : "CVE-2022-29167",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1333
],
"description" : "Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`.",
"published" : "2022-05-05T23:15:00Z",
"updated" : "2024-11-21T06:58:00Z",
"affects" : [
{
"ref" : "1153e29b-f8d8-45d8-be59-2df7af178c56"
}
]
},
{
"bom-ref" : "3566ac44-95df-4445-a799-bd1c179ec49a",
"id" : "CVE-2016-2515",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.8,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:C)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
399
],
"description" : "Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.",
"published" : "2016-04-13T16:59:00Z",
"updated" : "2024-11-21T02:48:00Z",
"affects" : [
{
"ref" : "1153e29b-f8d8-45d8-be59-2df7af178c56"
}
]
},
{
"bom-ref" : "fea0ee5e-9e62-4789-862a-137f9e1acae2",
"id" : "CVE-2015-8858",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.8,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:C)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
399
],
"description" : "The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a \"regular expression denial of service (ReDoS).\"",
"published" : "2017-01-23T21:59:00Z",
"updated" : "2024-11-21T02:39:00Z",
"affects" : [
{
"ref" : "824174bd-5b3e-4a04-90d9-5b30cfaa216a"
}
]
},
{
"bom-ref" : "e71878da-9f35-46fb-be81-d972be50b54f",
"id" : "CVE-2024-45590",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description" : "body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.",
"published" : "2024-09-10T16:15:00Z",
"updated" : "2024-09-20T16:26:00Z",
"affects" : [
{
"ref" : "98d3b6dc-0939-4142-b273-f473cd8598f8"
}
]
},
{
"bom-ref" : "d97cf4ed-d5c9-4fc7-b6db-5b2c591fb1ab",
"id" : "CVE-2020-7608",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.6,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:L/AC:L/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
}
],
"cwes" : [
1321
],
"description" : "yargs-parser could be tricked into adding or modifying properties of Object.prototype using a \"__proto__\" payload.",
"published" : "2020-03-16T20:15:00Z",
"updated" : "2024-11-21T05:37:00Z",
"affects" : [
{
"ref" : "73cddb53-1340-4eb4-9f46-b73dd49256d9"
}
]
},
{
"bom-ref" : "4feecca6-8fa7-4467-950c-3fdf4aa358b6",
"id" : "CVE-2022-24434",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description" : "This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.",
"published" : "2022-05-20T20:15:00Z",
"updated" : "2024-11-21T06:50:00Z",
"affects" : [
{
"ref" : "2c38df3c-c0c2-4e77-b79f-b2385862c1b9"
}
]
},
{
"bom-ref" : "5616e7a7-baa7-4708-a0ee-5147dc721fc8",
"id" : "CVE-2021-27515",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"description" : "url-parse before 1.5.0 mishandles certain uses of backslash such as http:\\/ and interprets the URI as a relative path.",
"published" : "2021-02-22T00:15:00Z",
"updated" : "2024-11-21T05:58:00Z",
"affects" : [
{
"ref" : "72f2d929-ad42-45a1-affa-afca91153ce8"
}
]
},
{
"bom-ref" : "50b630c7-6e18-4c25-87ed-77e1e33d20f7",
"id" : "CVE-2021-3664",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"description" : "url-parse is vulnerable to URL Redirection to Untrusted Site",
"published" : "2021-07-26T12:15:00Z",
"updated" : "2024-11-21T06:22:00Z",
"affects" : [
{
"ref" : "72f2d929-ad42-45a1-affa-afca91153ce8"
}
]
},
{
"bom-ref" : "21a7ad15-635d-4012-8b69-4dc09d6a14f1",
"id" : "CVE-2022-0512",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"description" : "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.",
"published" : "2022-02-14T16:15:00Z",
"updated" : "2024-11-21T06:38:00Z",
"affects" : [
{
"ref" : "72f2d929-ad42-45a1-affa-afca91153ce8"
}
]
},
{
"bom-ref" : "92c5bc29-8576-4671-9884-9e8dd30d5e07",
"id" : "CVE-2022-0639",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"description" : "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.",
"published" : "2022-02-17T18:15:00Z",
"updated" : "2024-11-21T06:39:00Z",
"affects" : [
{
"ref" : "72f2d929-ad42-45a1-affa-afca91153ce8"
}
]
},
{
"bom-ref" : "afe29061-7e4d-4be3-92b2-7aa55e18a8ff",
"id" : "CVE-2022-0686",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.4,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.1,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
}
],
"description" : "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.",
"published" : "2022-02-20T13:15:00Z",
"updated" : "2024-11-21T06:39:00Z",
"affects" : [
{
"ref" : "72f2d929-ad42-45a1-affa-afca91153ce8"
}
]
},
{
"bom-ref" : "80396816-4cd6-49de-84fe-399873b7e9c2",
"id" : "CVE-2022-0691",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"description" : "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.",
"published" : "2022-02-21T09:15:00Z",
"updated" : "2024-11-21T06:39:00Z",
"affects" : [
{
"ref" : "72f2d929-ad42-45a1-affa-afca91153ce8"
}
]
},
{
"bom-ref" : "a8a14388-de4a-4d1a-9d34-126934156655",
"id" : "CVE-2024-4067",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.",
"published" : "2024-05-14T15:42:00Z",
"updated" : "2024-11-21T09:42:00Z",
"affects" : [
{
"ref" : "def0b242-ba3d-4dd9-832a-2ca0c707c390"
}
]
},
{
"bom-ref" : "898b7c19-fb27-4c9e-a711-61ffe92eff45",
"id" : "CVE-2022-29167",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1333
],
"description" : "Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`.",
"published" : "2022-05-05T23:15:00Z",
"updated" : "2024-11-21T06:58:00Z",
"affects" : [
{
"ref" : "33cdd8a5-7055-4042-beb2-67dbf407f701"
}
]
},
{
"bom-ref" : "21b2af06-0837-402f-ad77-58b8af151fd2",
"id" : "CVE-2021-3749",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.8,
"severity" : "high",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:C)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description" : "axios is vulnerable to Inefficient Regular Expression Complexity",
"published" : "2021-08-31T11:15:00Z",
"updated" : "2024-11-21T06:22:00Z",
"affects" : [
{
"ref" : "b348190c-7219-4032-bb4f-a7f81f5c8f83"
}
]
},
{
"bom-ref" : "3d8d249b-6c9f-44ba-9301-6e66e294bd1e",
"id" : "CVE-2023-45857",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
}
],
"cwes" : [
352
],
"description" : "An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.",
"published" : "2023-11-08T21:15:00Z",
"updated" : "2024-11-21T08:27:00Z",
"affects" : [
{
"ref" : "b348190c-7219-4032-bb4f-a7f81f5c8f83"
}
]
},
{
"bom-ref" : "de78ddf3-405e-4e6c-811a-e0e21ff38e36",
"id" : "CVE-2025-27152",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ?baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.",
"published" : "2025-03-07T16:15:00Z",
"updated" : "2025-03-07T20:15:00Z",
"affects" : [
{
"ref" : "b348190c-7219-4032-bb4f-a7f81f5c8f83"
}
]
},
{
"bom-ref" : "9e0913e6-22ca-4fe7-a3bd-6ed5596c5b51",
"id" : "CVE-2023-26136",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
1321
],
"description" : "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.",
"published" : "2023-07-01T05:15:00Z",
"updated" : "2024-11-21T07:50:00Z",
"affects" : [
{
"ref" : "9372f464-8134-43ec-b60e-5586e17ea3d2"
}
]
},
{
"bom-ref" : "115bb632-9607-4316-843a-17fa2b821b5a",
"id" : "CVE-2023-28155",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.1,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"cwes" : [
918
],
"description" : "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"published" : "2023-03-16T15:15:00Z",
"updated" : "2024-11-21T07:54:00Z",
"affects" : [
{
"ref" : "cb77213d-08af-4a5d-920f-e12417f24cc1"
}
]
},
{
"bom-ref" : "bc2663bf-c6b0-429d-8caf-cd1d58690830",
"id" : "CVE-2020-36049",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
770
],
"description" : "socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.",
"published" : "2021-01-08T00:15:00Z",
"updated" : "2024-11-21T05:28:00Z",
"affects" : [
{
"ref" : "037df6d3-7286-4a55-ba4d-524f3b6d4512"
}
]
},
{
"bom-ref" : "b0b50501-14ea-4d05-90ff-9541c3fa15a8",
"id" : "CVE-2022-2421",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"description" : "Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.",
"published" : "2022-10-26T10:15:00Z",
"updated" : "2024-11-21T07:00:00Z",
"affects" : [
{
"ref" : "037df6d3-7286-4a55-ba4d-524f3b6d4512"
}
]
},
{
"bom-ref" : "5927a9ae-a2ec-462b-8b08-06b24b7570d1",
"id" : "CVE-2023-32695",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
754
],
"description" : "socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.",
"published" : "2023-05-27T16:15:00Z",
"updated" : "2024-11-21T08:03:00Z",
"affects" : [
{
"ref" : "037df6d3-7286-4a55-ba4d-524f3b6d4512"
}
]
},
{
"bom-ref" : "6f09f9fe-ac13-4ce0-a39d-5dc4762f9e61",
"id" : "CVE-2022-25892",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description" : "The package muhammara before 2.6.1, from 3.0.0 and before 3.1.1; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be parsed.",
"published" : "2022-11-01T05:15:00Z",
"updated" : "2024-11-21T06:53:00Z",
"affects" : [
{
"ref" : "5e597ba0-c8b6-413f-afbb-ae3705d5d60d"
}
]
},
{
"bom-ref" : "4525dd5b-9215-4dfe-b4a4-9f28be62e135",
"id" : "CVE-2022-39381",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
476
],
"description" : "Muhammara is a node module with c/cpp bindings to modify PDF with js for node or electron (based/replacement on/of galkhana/hummusjs). The package muhammara before 2.6.0; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be appended to another. This issue has been patched in 2.6.0 for muhammara and not at all for hummus. As a workaround, do not process files from untrusted sources.",
"published" : "2022-11-02T15:15:00Z",
"updated" : "2024-11-21T07:18:00Z",
"affects" : [
{
"ref" : "5e597ba0-c8b6-413f-afbb-ae3705d5d60d"
}
]
},
{
"bom-ref" : "21688e93-9a9f-40a4-98cb-b87e7f4153e6",
"id" : "CVE-2022-41957",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description" : "Muhammara is a node module with c/cpp bindings to modify PDF with JavaScript for node or electron. The package muhammara before 2.6.2 and from 3.0.0 and before 3.3.0, as well as all versions of muhammara's predecessor package hummus, are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be parsed. The issue has been patched in muhammara version 3.4.0 and the fix has been backported to version 2.6.2. As a workaround, do not process files from untrusted sources. If using hummus, replace the package with muhammara.",
"published" : "2022-11-28T15:15:00Z",
"updated" : "2024-11-21T07:24:00Z",
"affects" : [
{
"ref" : "5e597ba0-c8b6-413f-afbb-ae3705d5d60d"
}
]
},
{
"bom-ref" : "3bdc1f15-8d57-45aa-9bb7-46d088e72e0e",
"id" : "CVE-2020-7768",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
1321
],
"description" : "The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.",
"published" : "2020-11-11T11:15:00Z",
"updated" : "2024-11-21T05:37:00Z",
"affects" : [
{
"ref" : "915d578f-48aa-4117-baca-6205ed3a04fa"
}
]
},
{
"bom-ref" : "2d79d78c-78e4-421b-856b-b5cc4a09d967",
"id" : "CVE-2023-32732",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"description" : "gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309 https://www.google.com/url",
"published" : "2023-06-09T11:15:00Z",
"updated" : "2025-02-13T17:16:00Z",
"affects" : [
{
"ref" : "915d578f-48aa-4117-baca-6205ed3a04fa"
}
]
},
{
"bom-ref" : "9acc6a84-3fd6-46c8-826f-411b5796233e",
"id" : "CVE-2023-33953",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
770,
834
],
"description" : "gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounded CPU consumption in the HPACK parser The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs: - The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb. - HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse. - gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc…",
"published" : "2023-08-09T13:15:00Z",
"updated" : "2024-11-21T08:06:00Z",
"affects" : [
{
"ref" : "915d578f-48aa-4117-baca-6205ed3a04fa"
}
]
},
{
"bom-ref" : "d7529345-91d6-4281-8830-2ace76af4154",
"id" : "CVE-2024-7246",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values. This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table. Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.",
"published" : "2024-08-06T11:16:00Z",
"updated" : "2024-08-06T16:30:00Z",
"affects" : [
{
"ref" : "915d578f-48aa-4117-baca-6205ed3a04fa"
}
]
},
{
"bom-ref" : "6caeabb4-2c0e-4a32-a6b7-f61263143fb6",
"id" : "CVE-2020-26311",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description" : "Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no patches are available.",
"published" : "2024-10-26T21:15:00Z",
"updated" : "2024-10-30T18:07:00Z",
"affects" : [
{
"ref" : "57e1e6b6-8a26-42cf-a083-2ebfdf84077e"
}
]
},
{
"bom-ref" : "61652ee5-c858-4ecb-82c9-c303c8566c65",
"id" : "CVE-2020-7677",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"description" : "This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization.",
"published" : "2022-07-25T14:15:00Z",
"updated" : "2024-11-21T05:37:00Z",
"affects" : [
{
"ref" : "3dcbd4cc-2660-4ba9-88c1-607ac9f38358"
}
]
},
{
"bom-ref" : "4086de52-221f-45a6-a02c-e7ffa4bb2c59",
"id" : "CVE-2023-41037",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
}
],
"description" : "OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. In affected versions OpenPGP Cleartext Signed Messages are cryptographically signed messages where the signed text is readable without special tools. These messages typically contain a \"Hash: ...\" header declaring the hash algorithm used to compute the signature digest. OpenPGP.js up to v5.9.0 ignored any data preceding the \"Hash: ...\" texts when verifying the signature. As a result, malicious parties could add arbitrary text to a third-party Cleartext Signed Message, to lead the victim to believe that the arbitrary text was signed. A user or application is vulnerable to said attack vector if it verifies the CleartextMessage by only checking the returned `verified` property, discarding the associated `data` information, and instead _visually trusting_ the contents of the original message. Since `verificationResult.data` would always contain the actual signed data, users and apps that check this information are not vulnerable. Similarly, given a CleartextMessage object, retrieving the data using `getText()` or the `text` field returns only the contents that are considered when verifying the signature. Finally, re-armoring a CleartextMessage object (using `armor()` will also result in a \"sanitised\" version, with the extraneous text being removed. This issue has been addressed in version 5.10.1 (current stable version) which will reject messages when calling `openpgp.readCleartextMessage()` and in version 4.10.11 (legacy version) which will will reject messages when calling `openpgp.cleartext.readArmored()`. Users are advised to upgrade. Users unable to upgrade should check the contents of `verificationResult.data` to see what data was actually signed, rather than visually trusting the contents of the armored message.",
"published" : "2023-08-29T17:15:00Z",
"updated" : "2024-11-21T08:20:00Z",
"affects" : [
{
"ref" : "136a7477-31db-4708-adcb-3def6db29859"
}
]
},
{
"bom-ref" : "dac2e1b1-7b62-496c-8c6a-60e412baf5c0",
"id" : "CVE-2018-3721",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:S/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
}
],
"cwes" : [
1321
],
"description" : "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.",
"published" : "2018-06-07T02:29:00Z",
"updated" : "2024-11-21T04:05:00Z",
"affects" : [
{
"ref" : "31b1fbf8-9dc6-4b78-87d3-a6ed0060370a"
}
]
},
{
"bom-ref" : "a1e2126c-ed14-429f-8186-63e3f79ccb0a",
"id" : "CVE-2019-10744",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.4,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.1,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
}
],
"cwes" : [
1321
],
"description" : "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.",
"published" : "2019-07-26T00:15:00Z",
"updated" : "2024-11-21T04:19:00Z",
"affects" : [
{
"ref" : "31b1fbf8-9dc6-4b78-87d3-a6ed0060370a"
}
]
},
{
"bom-ref" : "85f4753e-6d8a-40dc-9a5c-5b9cadef447f",
"id" : "CVE-2021-23337",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:S/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.2,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
94
],
"description" : "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",
"published" : "2021-02-15T13:15:00Z",
"updated" : "2024-11-21T05:51:00Z",
"affects" : [
{
"ref" : "31b1fbf8-9dc6-4b78-87d3-a6ed0060370a"
}
]
},
{
"bom-ref" : "8f39df36-bc63-4820-9789-7f2b20b7030c",
"id" : "CVE-2022-25883",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
1333
],
"description" : "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.",
"published" : "2023-06-21T05:15:00Z",
"updated" : "2024-12-06T17:15:00Z",
"affects" : [
{
"ref" : "b41c5a63-2518-4613-9483-e3dcc34bf8cc"
}
]
},
{
"bom-ref" : "52bd0af5-bf78-49ef-94f5-5b1f8a3b4ebd",
"id" : "CVE-2021-33623",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.5,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes" : [
400
],
"description" : "The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.",
"published" : "2021-05-28T18:15:00Z",
"updated" : "2024-11-21T06:09:00Z",
"affects" : [
{
"ref" : "2ca14b92-17e8-4e2c-a23e-27a6bc1199b4"
}
]
},
{
"bom-ref" : "caf65445-c1d0-4194-afc1-21e8b353be8c",
"id" : "CVE-2021-23358",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:S/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.2,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
94
],
"description" : "The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.",
"published" : "2021-03-29T14:15:00Z",
"updated" : "2024-11-21T05:51:00Z",
"affects" : [
{
"ref" : "4987d8da-15b6-4ec3-bb4b-1fda9f6af8a4"
}
]
},
{
"bom-ref" : "16dbc9e8-482a-4a1a-a143-32ffcb1938df",
"id" : "CVE-2021-21366",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
}
],
"description" : "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.",
"published" : "2021-03-12T17:15:00Z",
"updated" : "2024-11-21T05:48:00Z",
"affects" : [
{
"ref" : "b4c54966-788d-435f-b3cf-3c889d8ad20c"
}
]
},
{
"bom-ref" : "3009a241-1718-453b-9336-2a509103536b",
"id" : "CVE-2021-32796",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.0,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:N/I:P/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.3,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"cwes" : [
116,
91
],
"description" : "xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.",
"published" : "2021-07-27T22:15:00Z",
"updated" : "2024-11-21T06:07:00Z",
"affects" : [
{
"ref" : "b4c54966-788d-435f-b3cf-3c889d8ad20c"
}
]
},
{
"bom-ref" : "f8f7b6f1-354f-4f59-b123-ad986ddd3dfe",
"id" : "CVE-2022-37616",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
1321
],
"description" : "A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states \"we are in the process of marking this report as invalid\"; however, some third parties takes the position that \"A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted.\"",
"published" : "2022-10-11T05:15:00Z",
"updated" : "2024-11-21T07:15:00Z",
"affects" : [
{
"ref" : "b4c54966-788d-435f-b3cf-3c889d8ad20c"
}
]
},
{
"bom-ref" : "843521c9-0818-4a19-abd9-e8c3cc0aafad",
"id" : "CVE-2022-39353",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"description" : "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.",
"published" : "2022-11-02T17:15:00Z",
"updated" : "2024-11-21T07:18:00Z",
"affects" : [
{
"ref" : "b4c54966-788d-435f-b3cf-3c889d8ad20c"
}
]
},
{
"bom-ref" : "15021485-3fde-4f44-abad-711f66be91b5",
"id" : "CVE-2024-39249",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: regular expressions are not used with untrusted input.",
"published" : "2024-07-01T20:15:00Z",
"updated" : "2024-11-21T09:27:00Z",
"affects" : [
{
"ref" : "bf9977a0-8e7b-46d8-afb5-64022026f5d9"
}
]
},
{
"bom-ref" : "0c9f7fd2-5371-4d3f-ab67-c994bd4c679a",
"id" : "CVE-2022-29256",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 4.6,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:L/AC:L/Au:N/C:P/I:P/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.7,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
78
],
"description" : "sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5. If an attacker has the ability to set the value of the `PKG_CONFIG_PATH` environment variable in a build environment then they might be able to use this to inject an arbitrary command at `npm install` time. This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. This problem is fixed in version 0.30.5.",
"published" : "2022-05-25T22:15:00Z",
"updated" : "2024-11-21T06:58:00Z",
"affects" : [
{
"ref" : "880fb3fa-a744-45df-b2c1-00cb6f72211f"
}
]
},
{
"bom-ref" : "1b6f91ca-fffc-4345-8ab7-7597a0ae6bcf",
"id" : "CVE-2023-4863",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 8.8,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
787
],
"description" : "Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)",
"published" : "2023-09-12T15:15:00Z",
"updated" : "2025-03-13T16:17:00Z",
"affects" : [
{
"ref" : "880fb3fa-a744-45df-b2c1-00cb6f72211f"
}
]
},
{
"bom-ref" : "c8fea6a7-9b3c-466c-a589-a72306a9ce72",
"id" : "CVE-2022-21704",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 2.1,
"severity" : "low",
"method" : "CVSSv2",
"vector" : "(AV:L/AC:L/Au:N/C:P/I:N/A:N)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 5.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
],
"description" : "log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.",
"published" : "2022-01-19T23:15:00Z",
"updated" : "2024-11-21T06:45:00Z",
"affects" : [
{
"ref" : "f290afdf-abb9-4378-a2d1-474ff032c50f"
}
]
},
{
"bom-ref" : "cc75c828-6db7-4416-b560-e7bcf1b89004",
"id" : "CVE-2024-12905",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "An Improper Link Resolution Before File Access (\"Link Following\") and Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.",
"published" : "2025-03-27T17:15:00Z",
"updated" : "2025-03-28T18:11:00Z",
"affects" : [
{
"ref" : "884fd750-9b3c-4a31-b6ce-d44b0bbc400f"
}
]
},
{
"bom-ref" : "cc75c828-6db7-4416-b560-e7bcf1b89004",
"id" : "CVE-2024-12905",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "An Improper Link Resolution Before File Access (\"Link Following\") and Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.",
"published" : "2025-03-27T17:15:00Z",
"updated" : "2025-03-28T18:11:00Z",
"affects" : [
{
"ref" : "9a84b1d5-c33c-44ff-b698-15d37e6de628"
}
]
},
{
"bom-ref" : "684cc00c-c591-4cdf-bebf-bc9bbe701325",
"id" : "CVE-2024-53900",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.",
"published" : "2024-12-02T20:15:00Z",
"updated" : "2024-12-04T04:15:00Z",
"affects" : [
{
"ref" : "75f6834d-0b5b-4901-8214-af9ac8840383"
}
]
},
{
"bom-ref" : "0e10bfc0-e708-473d-8dbd-c8098a6c2b1a",
"id" : "CVE-2022-0144",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 3.6,
"severity" : "low",
"method" : "CVSSv2",
"vector" : "(AV:L/AC:L/Au:N/C:P/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 7.1,
"severity" : "high",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"
}
],
"description" : "shelljs is vulnerable to Improper Privilege Management",
"published" : "2022-01-11T07:15:00Z",
"updated" : "2024-11-21T06:37:00Z",
"affects" : [
{
"ref" : "09ac9539-9841-4d6d-a508-73b45881b027"
}
]
},
{
"bom-ref" : "9e0913e6-22ca-4fe7-a3bd-6ed5596c5b51",
"id" : "CVE-2023-26136",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 9.8,
"severity" : "critical",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes" : [
1321
],
"description" : "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.",
"published" : "2023-07-01T05:15:00Z",
"updated" : "2024-11-21T07:50:00Z",
"affects" : [
{
"ref" : "5fc10ed3-fcc4-4df4-87a7-e08b959803e5"
}
]
},
{
"bom-ref" : "115bb632-9607-4316-843a-17fa2b821b5a",
"id" : "CVE-2023-28155",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.1,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"cwes" : [
918
],
"description" : "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"published" : "2023-03-16T15:15:00Z",
"updated" : "2024-11-21T07:54:00Z",
"affects" : [
{
"ref" : "f1d102fb-2e4b-4df6-9b00-9a9a3f9b06ac"
}
]
},
{
"bom-ref" : "a87e2fa7-e3c7-41f8-b2f7-9e8b7a7c8caa",
"id" : "CVE-2024-28863",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"severity" : "unknown",
"method" : "other"
}
],
"description" : "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.",
"published" : "2024-03-21T23:15:00Z",
"updated" : "2024-11-21T09:07:00Z",
"affects" : [
{
"ref" : "6aab9551-a356-4023-bcff-aab8cbe8e87b"
}
]
},
{
"bom-ref" : "6b3e2893-841a-4671-866e-448d4875bbc4",
"id" : "CVE-2020-8244",
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"ratings" : [
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.4,
"severity" : "medium",
"method" : "CVSSv2",
"vector" : "(AV:N/AC:L/Au:N/C:P/I:N/A:P)"
},
{
"source" : {
"name" : "NVD",
"url" : "https://nvd.nist.gov/"
},
"score" : 6.5,
"severity" : "medium",
"method" : "CVSSv3",
"vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"
}
],
"cwes" : [
125
],
"description" : "A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.",
"published" : "2020-08-30T15:15:00Z",
"updated" : "2024-11-21T05:38:00Z",
"affects" : [
{
"ref" : "703da775-aa28-4d02-a68d-51814ec5759b"
}
]
}
]
}