@storm-stack/core-0.33.1.tgz: 2 vulnerabilities (highest severity is: 4.3) #172
Description
Vulnerable Library - @storm-stack/core-0.33.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (@storm-stack/core version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-8263 |  Medium |
4.3 | prettier-3.5.3.tgz | Transitive | N/A* | ❌ |
| CVE-2025-7339 |  Low |
3.4 | on-headers-1.0.2.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-8263
Vulnerable Library - prettier-3.5.3.tgz
Prettier is an opinionated code formatter
Library home page: https://registry.npmjs.org/prettier/-/prettier-3.5.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.33.1.tgz (Root Library)
- ❌ prettier-3.5.3.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A vulnerability was found in prettier up to 3.6.2. It has been declared as problematic. Affected by this vulnerability is the function parseNestedCSS of the file src/language-css/parser-postcss.js. The manipulation of the argument node leads to inefficient regular expression complexity. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Publish Date: 2025-07-28
URL: CVE-2025-8263
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Step up your Open Source Security Game with Mend here
CVE-2025-7339
Vulnerable Library - on-headers-1.0.2.tgz
Execute a listener when a response is about to write headers
Library home page: https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.33.1.tgz (Root Library)
- @rspack/cli-1.4.1.tgz
- dev-server-1.1.3.tgz
- webpack-dev-server-5.2.2.tgz
- compression-1.8.0.tgz
- ❌ on-headers-1.0.2.tgz (Vulnerable Library)
- compression-1.8.0.tgz
- webpack-dev-server-5.2.2.tgz
- dev-server-1.1.3.tgz
- @rspack/cli-1.4.1.tgz
Found in base branch: main
Vulnerability Details
on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions "<1.1.0" may result in response headers being inadvertently modified when an array is passed to "response.writeHead()". Users should upgrade to version 1.1.0 to receive a patch. Uses are strongly encouraged to upgrade to "1.1.0", but this issue can be worked around by passing an object to "response.writeHead()" rather than an array.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-17
URL: CVE-2025-7339
CVSS 3 Score Details (3.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Step up your Open Source Security Game with Mend here