Description
Vulnerable Library - react-scripts-3.4.1.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/qs/package.json
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Vulnerabilities
CVE | Severity (CVSS 3) | Dependency | Type | Fixed in (react-scripts version) | Remediation Possible** | Reachability
---|---|---|---|---|---|---
CVE-616547-419802 | 9.8 | parseurl-1.3.3.tgz | Transitive | N/A* | ❌ | Potentially reachable
CVE-289561-266276 | 9.8 | inherits-2.0.4.tgz | Transitive | N/A* | ❌ | Potentially reachable
CVE-2022-38900 | 7.5 | decode-uri-component-0.2.0.tgz | Transitive | 3.4.2 | ✅ | Potentially reachable
CVE-2022-24999 | 7.5 | qs-6.7.0.tgz, qs-6.5.2.tgz | Transitive | 3.4.2 | ✅ | Potentially reachable
CVE-636288-474053 | 9.8 | on-headers-1.0.2.tgz | Transitive | N/A* | ❌ | Unreachable
CVE-2022-37601 | 9.8 | loader-utils-1.4.0.tgz, loader-utils-1.2.3.tgz | Transitive | 4.0.0 | ✅ | Unreachable
CVE-2021-44906 | 9.8 | minimist-1.2.5.tgz, minimist-0.0.8.tgz, minimist-1.2.0.tgz | Transitive | 3.4.2 | ✅ | Unreachable
CVE-2021-26707 | 9.8 | merge-deep-3.0.2.tgz | Transitive | 3.4.2 | ✅ | Unreachable
CVE-2019-10747 | 9.8 | set-value-2.0.0.tgz, set-value-0.4.3.tgz | Transitive | 3.4.2 | ✅ | Unreachable
CVE-2019-10746 | 9.8 | mixin-deep-1.3.1.tgz | Transitive | 3.4.2 | ✅ | Unreachable
CVE-2020-7660 | 8.1 | serialize-javascript-2.1.2.tgz | Transitive | 3.4.3 | ✅ | Unreachable
CVE-2020-15256 | 7.7 | object-path-0.11.4.tgz | Transitive | 3.4.4 | ✅ | Unreachable
WS-2021-0152 | 7.5 | color-string-1.5.3.tgz | Transitive | 3.4.2 | ✅ | Unreachable
WS-2020-0091 | 7.5 | http-proxy-1.18.0.tgz | Transitive | 3.4.2 | ✅ | Unreachable
CVE-2024-4068 | 7.5 | braces-3.0.2.tgz, braces-2.3.2.tgz | Transitive | N/A* | ❌ | Unreachable
CVE-2022-37603 | 7.5 | loader-utils-1.4.0.tgz, loader-utils-1.2.3.tgz | Transitive | 4.0.0 | ✅ | Unreachable
CVE-2022-3517 | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | ❌ | Unreachable
CVE-2021-3807 | 7.5 | detected in multiple dependencies | Transitive | 3.4.2 | ✅ | 
CVE-2021-28092 | 7.5 | is-svg-3.0.0.tgz | Transitive | 3.4.2 | ✅ | 
CVE-2021-27290 | 7.5 | detected in multiple dependencies | Transitive | 3.4.2 | ✅ | 
CVE-2020-7662 | 7.5 | websocket-extensions-0.1.3.tgz | Transitive | 3.4.2 | ✅ | 
CVE-2020-28477 | 7.5 | immer-1.10.0.tgz | Transitive | 4.0.0 | ✅ | 
CVE-2019-20149 | 7.5 | kind-of-6.0.2.tgz | Transitive | 3.4.2 | ✅ | 
CVE-2022-46175 | 7.1 | detected in multiple dependencies | Transitive | 3.4.2 | ✅ | 
CVE-2022-0155 | 6.5 | follow-redirects-1.11.0.tgz | Transitive | 3.4.2 | ✅ | 
CVE-2023-28155 | 6.1 | request-2.88.2.tgz | Transitive | N/A* | ❌ | 
WS-2019-0424 | 5.9 | elliptic-6.5.2.tgz | Transitive | 3.4.2 | ✅ | 
CVE-2021-24033 | 5.6 | react-dev-utils-10.2.1.tgz | Transitive | 4.0.0 | ✅ | 
CVE-2020-7598 | 5.6 | detected in multiple dependencies | Transitive | 3.4.2 | ✅ | 
CVE-2020-15366 | 5.6 | ajv-6.12.2.tgz | Transitive | 3.4.2 | ✅ | 
CVE-2021-32640 | 5.3 | detected in multiple dependencies | Transitive | 3.4.2 | ✅ | 
CVE-2021-23382 | 5.3 | detected in multiple dependencies | Transitive | 4.0.0 | ✅ | 
CVE-2021-23368 | 5.3 | postcss-7.0.30.tgz | Transitive | 4.0.0 | ✅ | 
CVE-2021-23364 | 5.3 | browserslist-4.10.0.tgz | Transitive | 5.0.0 | ✅ | 
CVE-2021-23362 | 5.3 | hosted-git-info-2.8.8.tgz | Transitive | 3.4.2 | ✅ | 
CVE-2021-23343 | 5.3 | path-parse-1.0.6.tgz | Transitive | 3.4.2 | ✅ | 
CVE-2020-7693 | 5.3 | sockjs-0.3.19.tgz | Transitive | 3.4.2 | ✅ | 
CVE-2020-7608 | 5.3 | yargs-parser-11.1.1.tgz | Transitive | 3.4.2 | ✅ | 
CVE-2022-0536 | 2.6 | follow-redirects-1.11.0.tgz | Transitive | 3.4.2 | ✅ | 
CVE-2024-10491 | 4.0 | express-4.17.1.tgz | Transitive | N/A* | ❌ | 
*For some transitive vulnerabilities there is no version of the direct dependency (react-scripts) that pulls in a fix. Check the "Details" section below for a version of the transitive dependency in which the vulnerability is fixed. The Reachability column is filled only for the entries whose details appear below; the remaining entries were not analysed on this page.
**In some cases a remediation PR cannot be created automatically for a vulnerability even though a fix is available.
Details
Partial details (17 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-616547-419802
Vulnerable Library - parseurl-1.3.3.tgz
parse a url with memoization
Library home page: https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/parseurl/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - webpack-dev-server-3.10.3.tgz
    - express-4.17.1.tgz
      - ❌ parseurl-1.3.3.tgz (Vulnerable Library)
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable. The only sink the scanner found is the development server script; confirm whether scripts/devServer.js is ever exposed beyond a developer's machine before treating this as production-reachable.
concord-console-1.0.0/scripts/devServer.js (Application)
-> express-4.17.1/index.js (Extension)
-> express-4.17.1/lib/express.js (Extension)
-> express-4.17.1/lib/middleware/query.js (Extension)
-> ❌ parseurl-1.3.3/index.js (Vulnerable Component)
Vulnerability Details
Created automatically by the test suite. The identifier does not follow the CVE-YYYY-NNNNN format, the publish date predates the library, and no advisory text, origin or fix is attached; treat this entry (and the two others like it in this report) as scanner test data to be confirmed against a real advisory before acting on it.
Publish Date: 2010-06-07
URL: CVE-616547-419802
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-289561-266276
Vulnerable Library - inherits-2.0.4.tgz
Browser-friendly inheritance fully compatible with standard node.js inherits()
Library home page: https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/hash-base/node_modules/inherits/package.json,/console2/node_modules/send/node_modules/inherits/package.json,/console2/node_modules/browserify-sign/node_modules/inherits/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - webpack-dev-server-3.10.3.tgz
    - express-4.17.1.tgz
      - send-0.17.1.tgz
        - http-errors-1.7.3.tgz
          - ❌ inherits-2.0.4.tgz (Vulnerable Library)
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable (via the development server script only; see the note on CVE-616547-419802).
concord-console-1.0.0/scripts/devServer.js (Application)
-> express-4.17.1/index.js (Extension)
-> express-4.17.1/lib/express.js (Extension)
-> express-4.17.1/lib/response.js (Extension)
-> send-0.17.1/index.js (Extension)
-> http-errors-1.7.3/index.js (Extension)
-> ❌ inherits-2.0.4/inherits.js (Vulnerable Component)
Vulnerability Details
Created automatically by the test suite. As with CVE-616547-419802, the identifier is not a real CVE id and no advisory text, origin or fix is attached; confirm against a real advisory before acting on it.
Publish Date: 2010-06-07
URL: CVE-289561-266276
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2022-38900
Vulnerable Library - decode-uri-component-0.2.0.tgz
A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/decode-uri-component/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - webpack-4.42.0.tgz
    - micromatch-3.1.10.tgz
      - snapdragon-0.8.2.tgz
        - source-map-resolve-0.5.2.tgz
          - ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
concord-console-1.0.0/src/components/organisms/ProcessListActivity/index.tsx (Application)
-> query-string-6.12.1/index.js (Extension)
-> ❌ decode-uri-component-0.2.0/index.js (Vulnerable Component)
Vulnerability Details
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (react-scripts): 3.4.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-24999
Vulnerable Libraries - qs-6.7.0.tgz, qs-6.5.2.tgz
qs-6.7.0.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.7.0.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/express/node_modules/qs/package.json,/console2/node_modules/body-parser/node_modules/qs/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - webpack-dev-server-3.10.3.tgz
    - express-4.17.1.tgz
      - ❌ qs-6.7.0.tgz (Vulnerable Library)
qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/qs/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - jest-environment-jsdom-fourteen-1.0.1.tgz
    - jsdom-14.1.0.tgz
      - request-2.88.2.tgz
        - ❌ qs-6.5.2.tgz (Vulnerable Library)
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable. Express 4.17.1's default ("extended") query parser hands every request's query string to qs with allowPrototypes enabled, which is why the advisory text names Express; the only sink the scanner found is the development server script, so confirm whether scripts/devServer.js is ever exposed beyond a developer's machine before treating this as production-reachable.
concord-console-1.0.0/scripts/devServer.js (Application)
-> express-4.17.1/index.js (Extension)
-> express-4.17.1/lib/express.js (Extension)
-> express-4.17.1/lib/middleware/query.js (Extension)
-> qs-6.7.0/lib/index.js (Extension)
-> ❌ qs-6.7.0/lib/parse.js (Vulnerable Component)
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs-6.7.0): 6.7.3
Fix Resolution (qs-6.5.2): 6.5.3 (the backport for the 6.5 line named in the advisory text)
Direct dependency fix Resolution (react-scripts): 3.4.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-636288-474053
Vulnerable Library - on-headers-1.0.2.tgz
Execute a listener when a response is about to write headers
Library home page: https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/on-headers/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - webpack-dev-server-3.10.3.tgz
    - compression-1.7.4.tgz
      - ❌ on-headers-1.0.2.tgz (Vulnerable Library)
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Created automatically by the test suite. As with CVE-616547-419802, the identifier is not a real CVE id and no advisory text, origin or fix is attached; confirm against a real advisory before acting on it.
Publish Date: 2010-06-07
URL: CVE-636288-474053
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2022-37601
Vulnerable Libraries - loader-utils-1.4.0.tgz, loader-utils-1.2.3.tgz
loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - sass-loader-8.0.2.tgz
    - ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
loader-utils-1.2.3.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/adjust-sourcemap-loader/node_modules/loader-utils/package.json,/console2/node_modules/react-dev-utils/node_modules/loader-utils/package.json,/console2/node_modules/resolve-url-loader/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - react-dev-utils-10.2.1.tgz
    - ❌ loader-utils-1.2.3.tgz (Vulnerable Library)
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. The advisory text is written against 2.0.0; the 1.x line installed here is affected as well, which is why the fix below is 1.4.1.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils, both instances): 1.4.1
Direct dependency fix Resolution (react-scripts): 4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-44906
Vulnerable Libraries - minimist-1.2.5.tgz, minimist-0.0.8.tgz, minimist-1.2.0.tgz
minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/json5/node_modules/minimist/package.json,/console2/node_modules/babel-loader/node_modules/minimist/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - @babel/core-7.9.0.tgz (listed as core-7.9.0.tgz by the scanner, which drops the npm scope)
    - json5-2.1.3.tgz
      - ❌ minimist-1.2.5.tgz (Vulnerable Library)
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - eslint-6.8.0.tgz
    - mkdirp-0.5.1.tgz
      - ❌ minimist-0.0.8.tgz (Vulnerable Library)
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/minimist/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - babel-jest-24.9.0.tgz
    - @jest/transform-24.9.0.tgz (listed as transform-24.9.0.tgz by the scanner, which drops the npm scope)
      - jest-haste-map-24.9.0.tgz
        - sane-4.1.0.tgz
          - ❌ minimist-1.2.0.tgz (Vulnerable Library)
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-03-17
Fix Resolution (minimist, all three instances): 1.2.6
Direct dependency fix Resolution (react-scripts): 3.4.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-26707
Vulnerable Library - merge-deep-3.0.2.tgz
Recursively merge values in a javascript object.
Library home page: https://registry.npmjs.org/merge-deep/-/merge-deep-3.0.2.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/merge-deep/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - @svgr/webpack-4.3.3.tgz (listed as webpack-4.3.3.tgz by the scanner, which drops the npm scope; this is not the webpack-4.42.0 bundler)
    - @svgr/plugin-svgo-4.3.1.tgz (listed as plugin-svgo-4.3.1.tgz)
      - ❌ merge-deep-3.0.2.tgz (Vulnerable Library)
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.
Publish Date: 2021-06-02
URL: CVE-2021-26707
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1922259
Release Date: 2021-06-02
Fix Resolution (merge-deep): 3.0.3
Direct dependency fix Resolution (react-scripts): 3.4.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-10747
Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz
set-value-2.0.0.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/set-value/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - webpack-4.42.0.tgz
    - micromatch-3.1.10.tgz
      - snapdragon-0.8.2.tgz
        - base-0.11.2.tgz
          - cache-base-1.0.1.tgz
            - ❌ set-value-2.0.0.tgz (Vulnerable Library)
set-value-0.4.3.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/union-value/node_modules/set-value/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - webpack-4.42.0.tgz
    - micromatch-3.1.10.tgz
      - snapdragon-0.8.2.tgz
        - base-0.11.2.tgz
          - cache-base-1.0.1.tgz
            - union-value-1.0.0.tgz
              - ❌ set-value-0.4.3.tgz (Vulnerable Library)
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. Its set() function could be tricked into adding or modifying properties of Object.prototype using any of the `constructor`, `prototype` and `__proto__` payloads.
Publish Date: 2019-08-23
URL: CVE-2019-10747
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-23
Fix Resolution (set-value, both instances): 2.0.1
Direct dependency fix Resolution (react-scripts): 3.4.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-10746
Vulnerable Library - mixin-deep-1.3.1.tgz
Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/mixin-deep/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - webpack-4.42.0.tgz
    - micromatch-3.1.10.tgz
      - snapdragon-0.8.2.tgz
        - base-0.11.2.tgz
          - ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-08-23
URL: CVE-2019-10746
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-23
Fix Resolution (mixin-deep): 1.3.2
Direct dependency fix Resolution (react-scripts): 3.4.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-7660
Vulnerable Library - serialize-javascript-2.1.2.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - terser-webpack-plugin-2.3.5.tgz
    - ❌ serialize-javascript-2.1.2.tgz (Vulnerable Library)
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-08
Fix Resolution (serialize-javascript): 3.1.0
Direct dependency fix Resolution (react-scripts): 3.4.3
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-15256
Vulnerable Library - object-path-0.11.4.tgz
Access deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/object-path/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - resolve-url-loader-3.1.1.tgz
    - adjust-sourcemap-loader-2.0.0.tgz
      - ❌ object-path-0.11.4.tgz (Vulnerable Library)
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A prototype pollution vulnerability has been found in "object-path" <= 0.11.4 affecting the "set()" method. The vulnerability is limited to the "includeInheritedProps" mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of "object-path" and setting the option "includeInheritedProps: true", or by using the default "withInheritedProps" instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of "set()" in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the "includeInheritedProps: true" options or the "withInheritedProps" instance if using a version >= 0.11.0.
Publish Date: 2020-10-19
URL: CVE-2020-15256
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-cwx2-736x-mf6w
Release Date: 2020-10-19
Fix Resolution (object-path): 0.11.5
Direct dependency fix Resolution (react-scripts): 3.4.4
⛑️ Automatic Remediation will be attempted for this issue.
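The prototype-pollution findings above (merge-deep, set-value, mixin-deep, object-path, and the minimist setKey and loader-utils parseQuery entries) and the qs hang in CVE-2022-24999 share one root cause: a merger or parser that treats `__proto__`, `constructor` and `prototype` like any other key. The block below is an added example, not code from this report or from any of those libraries. It reconstructs both shapes with toy implementations and shows the hardened form of each: reject those keys, descend only into own properties, and test for arrays with Array.isArray rather than instanceof. The query payload is the one quoted in the CVE-2022-24999 text with the length reduced so the demo terminates; every function name is the example's own.

```javascript
'use strict';
// Added example: not code from the Mend report, nor from qs, merge-deep, set-value, mixin-deep or
// object-path. Toy reconstructions of (1) a recursive merge and a dotted-path setter that let
// "__proto__" / "constructor" / "prototype" segments reach Object.prototype, and (2) the qs-style
// hang of CVE-2022-24999, where a[__proto__] followed by a[length]=N makes a plain object inherit
// from an array so later "array" handling walks N attacker-chosen slots. All names are the example's own.

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// (1a) Vulnerable deep merge: JSON.parse makes "__proto__" an OWN key of `source`, and target["__proto__"] IS Object.prototype.
function mergeDeepVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (!isPlainObject(val)) { target[key] = val; continue; }
    if (!isPlainObject(target[key])) target[key] = {};
    mergeDeepVulnerable(target[key], val); // recursion writes straight into Object.prototype
  }
  return target;
}

// (1b) Hardened deep merge: drop prototype-reaching keys, descend only into OWN plain objects.
function mergeDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN.has(key)) continue;
    const val = source[key];
    if (!isPlainObject(val)) { target[key] = val; continue; }
    if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
    mergeDeepSafe(target[key], val);
  }
  return target;
}

// (1c) Vulnerable path setter: ['constructor','prototype','x'] walks {} -> Object -> Object.prototype.
function setPathVulnerable(obj, segments, value) {
  let cur = obj;
  for (const p of segments.slice(0, -1)) { if (cur[p] == null) cur[p] = {}; cur = cur[p]; }
  cur[segments[segments.length - 1]] = value;
  return obj;
}

// (1d) Hardened path setter: refuse forbidden segments, never step through inherited properties.
function setPathSafe(obj, segments, value) {
  if (segments.some((p) => FORBIDDEN.has(p))) throw new Error(`refusing path ${segments.join('.')}`);
  let cur = obj;
  for (const p of segments.slice(0, -1)) { if (!hasOwn(cur, p) || !isPlainObject(cur[p])) cur[p] = {}; cur = cur[p]; }
  cur[segments[segments.length - 1]] = value;
  return obj;
}

// (2) Toy bracket-key query parser ("a[b]=c" -> {a:{b:'c'}}); repeated keys combine into an array.
// The injected `setPath` decides whether __proto__ is honoured; a throwing setter drops the pair.
function parseNested(query, setPath) {
  const grouped = new Map();
  for (const part of query.split('&')) {
    const [k, v = ''] = part.split('=');
    grouped.set(k, grouped.has(k) ? [].concat(grouped.get(k), v) : v);
  }
  const result = {};
  for (const [rawKey, val] of grouped) {
    try { setPath(result, rawKey.replace(/\]/g, '').split('['), val); } catch (e) { /* pair dropped */ }
  }
  return result;
}

// Post-processing that compacts "arrays". `instanceof Array` is satisfied by an object whose
// [[Prototype]] was reassigned to an array, and then `length` is whatever the attacker set.
function compactArrays(node, isArray, stats = { iterations: 0 }) {
  for (const key of Object.keys(node)) {
    const val = node[key];
    if (isArray(val)) {
      const out = [];
      for (let i = 0; i < val.length; i++) { stats.iterations += 1; if (val[i] !== undefined) out.push(val[i]); }
      node[key] = out;
    } else if (isPlainObject(val)) {
      compactArrays(val, isArray, stats);
    }
  }
  return stats;
}

function demonstrate() {
  const r = {};
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed attacker JSON
  mergeDeepVulnerable({}, payload);
  r.mergeVulnerable = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  mergeDeepSafe({}, payload);
  r.mergeSafe = ({}).polluted === undefined;
  setPathVulnerable({}, ['constructor', 'prototype', 'polluted'], 'yes');
  r.setVulnerable = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  try { setPathSafe({}, ['constructor', 'prototype', 'polluted'], 'yes'); r.setSafe = false; }
  catch (e) { r.setSafe = ({}).polluted === undefined; }
  // Same shape as the CVE-2022-24999 payload, with a small length so the demo terminates.
  const q = 'a[__proto__]=b&a[__proto__]&a[length]=5000';
  r.hangIterations = compactArrays(parseNested(q, setPathVulnerable), (v) => v instanceof Array).iterations;
  r.safeIterations = compactArrays(parseNested(q, setPathSafe), Array.isArray).iterations;
  return r;
}
```

In the vulnerable path, `a[__proto__]` with an array value reassigns the [[Prototype]] of the parsed `a` object, so `a instanceof Array` becomes true while `a.length` is the attacker's `5000`; with the advisory's `100000000` the same loop is the hang. Express 4.17.1's extended query parser calls qs with allowPrototypes enabled, which is why the advisory text names Express specifically; the same key filter belongs in any code that turns user-controlled paths or query strings into nested objects.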
WS-2021-0152
Vulnerable Library - color-string-1.5.3.tgz
Parser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/color-string/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - optimize-css-assets-webpack-plugin-5.0.3.tgz
    - cssnano-4.1.10.tgz
      - cssnano-preset-default-4.0.7.tgz
        - postcss-colormin-4.0.3.tgz
          - color-3.1.2.tgz
            - ❌ color-string-1.5.3.tgz (Vulnerable Library)
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.
Publish Date: 2021-03-12
URL: WS-2021-0152
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-03-12
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (react-scripts): 3.4.2
⛑️ Automatic Remediation will be attempted for this issue.
WS-2020-0091
Vulnerable Library - http-proxy-1.18.0.tgz
HTTP proxying for the masses
Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.0.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/http-proxy/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - webpack-dev-server-3.10.3.tgz
    - http-proxy-middleware-0.19.1.tgz
      - ❌ http-proxy-1.18.0.tgz (Vulnerable Library)
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Publish Date: 2020-05-14
URL: WS-2020-0091
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1486
Release Date: 2020-05-14
Fix Resolution (http-proxy): 1.18.1
Direct dependency fix Resolution (react-scripts): 3.4.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-4068
Vulnerable Libraries - braces-3.0.2.tgz, braces-2.3.2.tgz
braces-3.0.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/chokidar/node_modules/braces/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - react-dev-utils-10.2.1.tgz
    - fork-ts-checker-webpack-plugin-3.1.1.tgz
      - chokidar-3.4.0.tgz
        - ❌ braces-3.0.2.tgz (Vulnerable Library)
braces-2.3.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/braces/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - webpack-dev-server-3.10.3.tgz
    - chokidar-2.1.8.tgz
      - ❌ braces-2.3.2.tgz (Vulnerable Library)
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Publish Date: 2024-05-13
URL: CVE-2024-4068
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2024-05-13
Fix Resolution (braces): 3.0.3
No react-scripts release is listed as pulling this in (N/A* in the table above); the transitive dependency has to be raised directly.
CVE-2022-37603
Vulnerable Libraries - loader-utils-1.4.0.tgz, loader-utils-1.2.3.tgz
loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - sass-loader-8.0.2.tgz
    - ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
loader-utils-1.2.3.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/adjust-sourcemap-loader/node_modules/loader-utils/package.json,/console2/node_modules/react-dev-utils/node_modules/loader-utils/package.json,/console2/node_modules/resolve-url-loader/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - react-dev-utils-10.2.1.tgz
    - ❌ loader-utils-1.2.3.tgz (Vulnerable Library)
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: 2022-10-14
URL: CVE-2022-37603
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: 2022-10-14
Fix Resolution (loader-utils, both instances): 1.4.2
Direct dependency fix Resolution (react-scripts): 4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/minimatch/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - babel-jest-24.9.0.tgz
    - babel-plugin-istanbul-5.2.0.tgz
      - test-exclude-5.2.3.tgz
        - ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution (minimatch): 3.0.5
No react-scripts release is listed as pulling this in (N/A* in the table above); the transitive dependency has to be raised directly.
⛑️ Automatic Remediation will be attempted for this issue.
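The braces entry (CVE-2024-4068) and the minimatch braceExpand entry (CVE-2022-3517) above describe the same failure: a pattern parser given attacker-controlled text does an amount of work the attacker chooses rather than one the program bounds. The block below is an added example, not code from this report or from braces, minimatch, color-string or loader-utils. It is a small brace expander that caps input length before any parsing (the shape of the braces 3.0.3 and minimatch 3.0.5 fixes), pre-matches braces in one linear pass so imbalanced input stays literal instead of being re-parsed, and caps the number of expansions it will produce. The cap values, the expansion semantics and the function names are the example's own. For the regex-based ReDoS findings (color-string, loader-utils interpolateName) a length cap bounds the damage, but the backtracking regex itself still has to be rewritten.

```javascript
'use strict';
// Added example; not code from the Mend report or from braces, minimatch, color-string or
// loader-utils. Bounded brace expansion: a length cap before parsing, one linear pre-scan that
// pairs braces (unmatched ones stay literal), and a cap on the number of results produced.
// MAX_INPUT_LENGTH, MAX_RESULTS and the exact expansion semantics are this example's own choices.

const MAX_INPUT_LENGTH = 64 * 1024;
const MAX_RESULTS = 10000;

function assertBoundedLength(input, max = MAX_INPUT_LENGTH) {
  if (typeof input !== 'string') throw new TypeError('pattern must be a string');
  if (input.length > max) throw new RangeError(`pattern too long: ${input.length} > ${max}`);
  return input;
}

// One pass with an explicit stack: records the "}" closing each "{" and the commas that sit
// directly inside it. Unmatched braces never get an entry, so they cost nothing later.
function scanBraces(pattern) {
  const closeOf = new Map();
  const commasOf = new Map();
  const stack = [];
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '{') { stack.push(i); commasOf.set(i, []); }
    else if (ch === '}' && stack.length) closeOf.set(stack.pop(), i);
    else if (ch === ',' && stack.length) commasOf.get(stack[stack.length - 1]).push(i);
  }
  return { closeOf, commasOf };
}

// Bash-style expansion: "a{b,c}d" -> ["abd", "acd"], nesting allowed, "{x}" and unmatched braces
// are literal. Work is bounded by the input length and maxResults regardless of input shape.
function expandBraces(pattern, { maxLength = MAX_INPUT_LENGTH, maxResults = MAX_RESULTS } = {}) {
  assertBoundedLength(pattern, maxLength);
  const { closeOf, commasOf } = scanBraces(pattern);

  function expand(lo, hi) { // expands pattern.slice(lo, hi)
    let results = [''];
    for (let i = lo; i < hi; ) {
      const close = pattern[i] === '{' ? closeOf.get(i) : undefined;
      const commas = close === undefined ? [] : commasOf.get(i);
      if (close === undefined || commas.length === 0) {
        results = results.map((r) => r + pattern[i]); // literal character (incl. stray "{", "}" and "{x}")
        i += 1;
        continue;
      }
      const alternatives = [];
      let segStart = i + 1;
      for (const end of [...commas, close]) {
        alternatives.push(...expand(segStart, end));
        segStart = end + 1;
      }
      if (results.length * alternatives.length > maxResults) {
        throw new RangeError(`expansion would exceed ${maxResults} results`);
      }
      results = results.flatMap((prefix) => alternatives.map((alt) => prefix + alt));
      i = close + 1;
    }
    return results;
  }
  return expand(0, pattern.length);
}

// true if `fn` is rejected with a RangeError (one of the two caps), false if it completes
function rejectedByCap(fn) {
  try { fn(); return false; } catch (e) { return e instanceof RangeError; }
}

// Stand-alone check: 20000 unmatched "{" expand to one literal string in linear time,
// while an expansion bomb and an oversize pattern are refused up front.
function demo() {
  return {
    simple: expandBraces('a{b,c}d'),
    imbalancedLength: expandBraces('{'.repeat(20000))[0].length,
    bombRefused: rejectedByCap(() => expandBraces('{a,b}'.repeat(14))),
    oversizeRefused: rejectedByCap(() => expandBraces('a'.repeat(70000))),
  };
}
```

The pre-scan is what removes the loop the braces advisory describes: because pairing is decided once for the whole string, the expander never has to back up and re-read a region after discovering a brace was unmatched, and the per-character cost stays linear in the input times the nesting depth.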