NPM Vulnerability Report #45

@github-actions


NPM Vulnerability Report - Tuesday, October 1st, 2024

NPM packages have been checked for vulnerabilities using npm audit.

Highest Severity

⚠️ - 2 MODERATE severity vulnerabilities.
⚠️ - 3 HIGH severity vulnerabilities.

body-parser

Severity: high
Vulnerable Range: <1.20.3

Via:

1: body-parser vulnerable to denial of service when url encoding is enabled.

Severity: high
Vulnerable Range: <1.20.3
CVSS Score: 7.5 / 10
Weaknesses: CWE-405

GitHub Advisory


Latest Available Version: 1.20.3

This dependency has a fix available, but body-parser is NOT a direct dependency in your package.json.
See affected dependencies below:

  • Direct dependency express has a fix available. Install version 4.21.0 of express.


express

Severity: high
Vulnerable Range: <=4.19.2 || 5.0.0-alpha.1 - 5.0.0-beta.3

Via:

1: express vulnerable to XSS via response.redirect().

Severity: moderate
Vulnerable Range: <4.20.0
CVSS Score: 5 / 10
Weaknesses: CWE-79

GitHub Advisory

  • Via body-parser
  • Via path-to-regexp
  • Via send
  • Via serve-static


Latest Available Version: 4.21.0

This dependency has a fix available, and is a direct dependency in your package.json.
See affected dependencies below:

Update express to 4.21.0.

path-to-regexp

Severity: high
Vulnerable Range: <0.1.10

Via:

1: path-to-regexp outputs backtracking regular expressions.

Severity: high
Vulnerable Range: <0.1.10
CVSS Score: 7.5 / 10
Weaknesses: CWE-1333

GitHub Advisory


Latest Available Version: 8.2.0

This dependency has a fix available, but path-to-regexp is NOT a direct dependency in your package.json.
See affected dependencies below:

  • Direct dependency express has a fix available. Install version 4.21.0 of express.


send

Severity: moderate
Vulnerable Range: <0.19.0

Via:

1: send vulnerable to template injection that can lead to XSS.

Severity: moderate
Vulnerable Range: <0.19.0
CVSS Score: 5 / 10
Weaknesses: CWE-79

GitHub Advisory


Latest Available Version: 0.19.0

This dependency has a fix available, but send is NOT a direct dependency in your package.json.
See affected dependencies below:

  • Direct dependency express has a fix available. Install version 4.21.0 of express.

  • Direct dependency semver does NOT have a fix available.

  • Direct dependency tslib may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of tslib available.

Update from version 2.6.2 to 2.7.0.

serve-static

Severity: moderate
Vulnerable Range: <=1.16.0

Via:

1: serve-static vulnerable to template injection that can lead to XSS.

Severity: moderate
Vulnerable Range: <1.16.0
CVSS Score: 5 / 10
Weaknesses: CWE-79

GitHub Advisory

  • Via send


Latest Available Version: 1.16.2

This dependency has a fix available, but serve-static is NOT a direct dependency in your package.json.
See affected dependencies below:

  • Direct dependency express has a fix available. Install version 4.21.0 of express.
