Vulnerable Library - react-scripts-5.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (react-scripts version) |
Remediation Possible** |
| CVE-2025-7783 |
 High |
8.7 |
form-data-3.0.1.tgz |
Transitive |
N/A* |
❌ |
| CVE-2024-52798 |
High |
7.5 |
path-to-regexp-0.1.7.tgz |
Transitive |
N/A* |
❌ |
| CVE-2024-45590 |
High |
7.5 |
body-parser-1.20.2.tgz |
Transitive |
N/A* |
❌ |
| CVE-2024-45296 |
High |
7.5 |
path-to-regexp-0.1.7.tgz |
Transitive |
N/A* |
❌ |
| CVE-2024-21538 |
High |
7.5 |
cross-spawn-7.0.3.tgz |
Transitive |
N/A* |
❌ |
| CVE-2024-21536 |
High |
7.5 |
http-proxy-middleware-2.0.6.tgz |
Transitive |
N/A* |
❌ |
| CVE-2021-3803 |
High |
7.5 |
nth-check-1.0.2.tgz |
Transitive |
N/A* |
❌ |
| CVE-2025-30360 |
 Medium |
6.5 |
webpack-dev-server-4.15.2.tgz |
Transitive |
N/A* |
❌ |
| CVE-2024-43788 |
Medium |
6.4 |
webpack-5.93.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2025-27789 |
Medium |
6.2 |
detected in multiple dependencies |
Transitive |
N/A* |
❌ |
| CVE-2024-47068 |
Medium |
6.1 |
rollup-2.79.1.tgz |
Transitive |
N/A* |
❌ |
| CVE-2024-11831 |
Medium |
5.4 |
serialize-javascript-4.0.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2025-30359 |
Medium |
5.3 |
webpack-dev-server-4.15.2.tgz |
Transitive |
N/A* |
❌ |
| CVE-2024-47764 |
Medium |
5.3 |
cookie-0.6.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2024-4067 |
Medium |
5.3 |
micromatch-4.0.7.tgz |
Transitive |
N/A* |
❌ |
| CVE-2023-44270 |
Medium |
5.3 |
postcss-7.0.39.tgz |
Transitive |
N/A* |
❌ |
| CVE-2024-43800 |
Medium |
5.0 |
serve-static-1.15.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2024-43799 |
Medium |
5.0 |
send-0.18.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2024-43796 |
Medium |
5.0 |
express-4.19.2.tgz |
Transitive |
N/A* |
❌ |
| CVE-2024-55565 |
Medium |
4.3 |
nanoid-3.3.7.tgz |
Transitive |
N/A* |
❌ |
| CVE-2025-32997 |
Medium |
4.0 |
http-proxy-middleware-2.0.6.tgz |
Transitive |
N/A* |
❌ |
| CVE-2025-32996 |
Medium |
4.0 |
http-proxy-middleware-2.0.6.tgz |
Transitive |
N/A* |
❌ |
| CVE-2025-7339 |
 Low |
3.4 |
on-headers-1.0.2.tgz |
Transitive |
N/A* |
❌ |
| CVE-2025-5889 |
Low |
3.1 |
detected in multiple dependencies |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (23 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2025-7783
Vulnerable Library - form-data-3.0.1.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-3.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- jest-27.5.1.tgz
- core-27.5.1.tgz
- jest-config-27.5.1.tgz
- jest-environment-jsdom-27.5.1.tgz
- jsdom-16.7.0.tgz
- ❌ form-data-3.0.1.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-18
URL: CVE-2025-7783
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: form-data/form-data@3d17230
Release Date: 2025-07-18
Fix Resolution: https://github.com/form-data/form-data.git - v3.0.4
CVE-2024-52798
Vulnerable Library - path-to-regexp-0.1.7.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.15.2.tgz
- express-4.19.2.tgz
- ❌ path-to-regexp-0.1.7.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.
Publish Date: 2024-12-05
URL: CVE-2024-52798
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-rhx6-c78j-4q9w
Release Date: 2024-12-05
Fix Resolution: path-to-regexp - 0.1.12
CVE-2024-45590
Vulnerable Library - body-parser-1.20.2.tgz
Library home page: https://registry.npmjs.org/body-parser/-/body-parser-1.20.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.15.2.tgz
- express-4.19.2.tgz
- ❌ body-parser-1.20.2.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
Publish Date: 2024-09-10
URL: CVE-2024-45590
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-qwcr-r2fm-qrc7
Release Date: 2024-09-10
Fix Resolution: body-parser - 1.20.3
CVE-2024-45296
Vulnerable Library - path-to-regexp-0.1.7.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.15.2.tgz
- express-4.19.2.tgz
- ❌ path-to-regexp-0.1.7.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Publish Date: 2024-09-09
URL: CVE-2024-45296
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9wv6-86v2-598j
Release Date: 2024-09-09
Fix Resolution: path-to-regexp - 0.1.10,1.9.0,3.3.0,6.3.0,8.0.0
CVE-2024-21538
Vulnerable Library - cross-spawn-7.0.3.tgz
Cross platform child_process#spawn and child_process#spawnSync
Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- react-dev-utils-12.0.1.tgz
- ❌ cross-spawn-7.0.3.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Publish Date: 2024-11-08
URL: CVE-2024-21538
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-21538
Release Date: 2024-11-08
Fix Resolution: https://github.com/moxystudio/node-cross-spawn.git - v7.0.5
CVE-2024-21536
Vulnerable Library - http-proxy-middleware-2.0.6.tgz
The one-liner node.js proxy middleware for connect, express and browser-sync
Library home page: https://registry.npmjs.org/http-proxy-middleware/-/http-proxy-middleware-2.0.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.15.2.tgz
- ❌ http-proxy-middleware-2.0.6.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
Publish Date: 2024-10-19
URL: CVE-2024-21536
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
CVE-2021-3803
Vulnerable Library - nth-check-1.0.2.tgz
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-5.5.0.tgz
- plugin-svgo-5.5.0.tgz
- svgo-1.3.2.tgz
- css-select-2.1.0.tgz
- ❌ nth-check-1.0.2.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: fb55/nth-check@v2.0.0...v2.0.1
Release Date: 2021-09-17
Fix Resolution: nth-check - v2.0.1
CVE-2025-30360
Vulnerable Library - webpack-dev-server-4.15.2.tgz
Library home page: https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-4.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- ❌ webpack-dev-server-4.15.2.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The "Origin" header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address "Origin" headers. This allows websites that are served on IP addresses to connect WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.
Publish Date: 2025-06-03
URL: CVE-2025-30360
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9jgg-88mc-972h
Release Date: 2025-06-03
Fix Resolution: https://github.com/webpack/webpack-dev-server.git - v5.2.1
CVE-2024-43788
Vulnerable Library - webpack-5.93.0.tgz
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.93.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- ❌ webpack-5.93.0.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s "AutoPublicPathRuntimeModule". The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an "img" tag with an unsanitized "name" attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2024-08-27
URL: CVE-2024-43788
CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4vvj-4cpr-p986
Release Date: 2024-08-27
Fix Resolution: webpack - 5.94.0
CVE-2025-27789
Vulnerable Libraries - runtime-7.25.0.tgz, helpers-7.25.0.tgz
runtime-7.25.0.tgz
Library home page: https://registry.npmjs.org/@babel/runtime/-/runtime-7.25.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- workbox-webpack-plugin-6.6.0.tgz
- workbox-build-6.6.0.tgz
- ❌ runtime-7.25.0.tgz (Vulnerable Library)
helpers-7.25.0.tgz
Library home page: https://registry.npmjs.org/@babel/helpers/-/helpers-7.25.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- core-7.25.2.tgz
- ❌ helpers-7.25.0.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the ".replace" method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to ".replace"). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the ".replace" method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of ".replace". This problem has been fixed in "@babel/helpers" and "@babel/runtime" 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on "@babel/helpers", and instead depend on "@babel/core" (which itself depends on "@babel/helpers"). Upgrading to "@babel/core" 7.26.10 is not required, but it guarantees use of a new enough "@babel/helpers" version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.
Publish Date: 2025-03-11
URL: CVE-2025-27789
CVSS 3 Score Details (6.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-968p-4wvh-cqc8
Release Date: 2025-03-11
Fix Resolution: @babel/runtime-corejs2 - 7.26.10
CVE-2024-47068
Vulnerable Library - rollup-2.79.1.tgz
Next-generation ES module bundler
Library home page: https://registry.npmjs.org/rollup/-/rollup-2.79.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- workbox-webpack-plugin-6.6.0.tgz
- workbox-build-6.6.0.tgz
- ❌ rollup-2.79.1.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
Rollup is a module bundler for JavaScript. Versions prior to 3.29.5 and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from import.meta (e.g., import.meta.url) in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. Versions 3.29.5 and 4.22.4 contain a patch for the vulnerability.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-09-23
URL: CVE-2024-47068
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-gcx4-mw62-g8wm
Release Date: 2024-09-23
Fix Resolution: rollup - 3.29.5
CVE-2024-11831
Vulnerable Library - serialize-javascript-4.0.0.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-4.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- workbox-webpack-plugin-6.6.0.tgz
- workbox-build-6.6.0.tgz
- rollup-plugin-terser-7.0.2.tgz
- ❌ serialize-javascript-4.0.0.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
Publish Date: 2025-02-10
URL: CVE-2024-11831
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p7-773f-r4q5
Release Date: 2025-02-10
Fix Resolution: serialize-javascript - 6.0.2
CVE-2025-30359
Vulnerable Library - webpack-dev-server-4.15.2.tgz
Library home page: https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-4.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- ❌ webpack-dev-server-4.15.2.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using "Function::toString" against the values in "webpack_modules", the attacker can get the source code. Version 5.2.1 contains a patch for the issue.
Publish Date: 2025-06-03
URL: CVE-2025-30359
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4v9v-hfq4-rm2v
Release Date: 2025-06-03
Fix Resolution: webpack-dev-server - 5.2.1
CVE-2024-47764
Vulnerable Library - cookie-0.6.0.tgz
Library home page: https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.15.2.tgz
- express-4.19.2.tgz
- ❌ cookie-0.6.0.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Publish Date: 2024-10-04
URL: CVE-2024-47764
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-pxg6-pf52-xh8x
Release Date: 2024-10-04
Fix Resolution: cookie - 0.7.0
CVE-2024-4067
Vulnerable Library - micromatch-4.0.7.tgz
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- jest-resolve-27.5.1.tgz
- jest-haste-map-27.5.1.tgz
- ❌ micromatch-4.0.7.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
The NPM package "micromatch" prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in "micromatch.braces()" in "index.js" because the pattern ".*" will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8. After conducting a further research, it was concluded that CVE-2024-4067 should not reflect the security risk score in NVD, but will be kept for users' awareness.
Publish Date: 2024-05-13
URL: CVE-2024-4067
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://github.com/micromatch/micromatch/releases/tag/4.0.8
Release Date: 2024-05-13
Fix Resolution: micromatch - 4.0.8
CVE-2023-44270
Vulnerable Library - postcss-7.0.39.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.39.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- resolve-url-loader-4.0.0.tgz
- ❌ postcss-7.0.39.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
Publish Date: 2023-09-29
URL: CVE-2023-44270
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-7fh5-64p2-3v2j
Release Date: 2023-09-29
Fix Resolution: postcss - 8.4.31
CVE-2024-43800
Vulnerable Library - serve-static-1.15.0.tgz
Serve static files
Library home page: https://registry.npmjs.org/serve-static/-/serve-static-1.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.15.2.tgz
- express-4.19.2.tgz
- ❌ serve-static-1.15.0.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.
Publish Date: 2024-09-10
URL: CVE-2024-43800
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-cm22-4g7w-348p
Release Date: 2024-09-10
Fix Resolution: serve-static - 1.16.0,2.1.0
CVE-2024-43799
Vulnerable Library - send-0.18.0.tgz
Better streaming static file server with Range and conditional-GET support
Library home page: https://registry.npmjs.org/send/-/send-0.18.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.15.2.tgz
- express-4.19.2.tgz
- ❌ send-0.18.0.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.
Publish Date: 2024-09-10
URL: CVE-2024-43799
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-m6fv-jmcg-4jfg
Release Date: 2024-09-10
Fix Resolution: send - 0.19.0
CVE-2024-43796
Vulnerable Library - express-4.19.2.tgz
Library home page: https://registry.npmjs.org/express/-/express-4.19.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.15.2.tgz
- ❌ express-4.19.2.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
Publish Date: 2024-09-10
URL: CVE-2024-43796
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-qw6h-vgh9-j6wx
Release Date: 2024-09-10
Fix Resolution: express - 4.20.0,5.0.0
CVE-2024-55565
Vulnerable Library - nanoid-3.3.7.tgz
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- postcss-8.4.41.tgz
- ❌ nanoid-3.3.7.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
Publish Date: 2024-12-09
URL: CVE-2024-55565
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: ai/nanoid@d643045
Release Date: 2024-12-09
Fix Resolution: https://github.com/ai/nanoid.git - 5.0.9
CVE-2025-32997
Vulnerable Library - http-proxy-middleware-2.0.6.tgz
The one-liner node.js proxy middleware for connect, express and browser-sync
Library home page: https://registry.npmjs.org/http-proxy-middleware/-/http-proxy-middleware-2.0.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.15.2.tgz
- ❌ http-proxy-middleware-2.0.6.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed.
Publish Date: 2025-04-15
URL: CVE-2025-32997
CVSS 3 Score Details (4.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: chimurai/http-proxy-middleware@1bdccbe
Release Date: 2025-04-15
Fix Resolution: https://github.com/chimurai/http-proxy-middleware.git - v3.0.5
CVE-2025-32996
Vulnerable Library - http-proxy-middleware-2.0.6.tgz
The one-liner node.js proxy middleware for connect, express and browser-sync
Library home page: https://registry.npmjs.org/http-proxy-middleware/-/http-proxy-middleware-2.0.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.15.2.tgz
- ❌ http-proxy-middleware-2.0.6.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used.
Publish Date: 2025-04-15
URL: CVE-2025-32996
CVSS 3 Score Details (4.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: chimurai/http-proxy-middleware@0209760
Release Date: 2025-04-15
Fix Resolution: http-proxy-middleware - 2.0.8
CVE-2025-7339
Vulnerable Library - on-headers-1.0.2.tgz
Execute a listener when a response is about to write headers
Library home page: https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.15.2.tgz
- compression-1.7.4.tgz
- ❌ on-headers-1.0.2.tgz (Vulnerable Library)
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions "<1.1.0" may result in response headers being inadvertently modified when an array is passed to "response.writeHead()". Users should upgrade to version 1.1.0 to receive a patch. Uses are strongly encouraged to upgrade to "1.1.0", but this issue can be worked around by passing an object to "response.writeHead()" rather than an array.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-17
URL: CVE-2025-7339
CVSS 3 Score Details (3.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-76c9-3jph-rj3q
Release Date: 2025-07-17
Fix Resolution: https://github.com/jshttp/on-headers.git - v1.1.0
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - form-data-3.0.1.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-3.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-18
URL: CVE-2025-7783
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: form-data/form-data@3d17230
Release Date: 2025-07-18
Fix Resolution: https://github.com/form-data/form-data.git - v3.0.4
Vulnerable Library - path-to-regexp-0.1.7.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.
Publish Date: 2024-12-05
URL: CVE-2024-52798
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-rhx6-c78j-4q9w
Release Date: 2024-12-05
Fix Resolution: path-to-regexp - 0.1.12
Vulnerable Library - body-parser-1.20.2.tgz
Library home page: https://registry.npmjs.org/body-parser/-/body-parser-1.20.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
Publish Date: 2024-09-10
URL: CVE-2024-45590
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-qwcr-r2fm-qrc7
Release Date: 2024-09-10
Fix Resolution: body-parser - 1.20.3
Vulnerable Library - path-to-regexp-0.1.7.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Publish Date: 2024-09-09
URL: CVE-2024-45296
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-9wv6-86v2-598j
Release Date: 2024-09-09
Fix Resolution: path-to-regexp - 0.1.10,1.9.0,3.3.0,6.3.0,8.0.0
Vulnerable Library - cross-spawn-7.0.3.tgz
Cross platform child_process#spawn and child_process#spawnSync
Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Publish Date: 2024-11-08
URL: CVE-2024-21538
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-21538
Release Date: 2024-11-08
Fix Resolution: https://github.com/moxystudio/node-cross-spawn.git - v7.0.5
Vulnerable Library - http-proxy-middleware-2.0.6.tgz
The one-liner node.js proxy middleware for connect, express and browser-sync
Library home page: https://registry.npmjs.org/http-proxy-middleware/-/http-proxy-middleware-2.0.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
Publish Date: 2024-10-19
URL: CVE-2024-21536
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Vulnerable Library - nth-check-1.0.2.tgz
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: fb55/nth-check@v2.0.0...v2.0.1
Release Date: 2021-09-17
Fix Resolution: nth-check - v2.0.1
Vulnerable Library - webpack-dev-server-4.15.2.tgz
Library home page: https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-4.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The "Origin" header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address "Origin" headers. This allows websites that are served on IP addresses to connect WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.
Publish Date: 2025-06-03
URL: CVE-2025-30360
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-9jgg-88mc-972h
Release Date: 2025-06-03
Fix Resolution: https://github.com/webpack/webpack-dev-server.git - v5.2.1
Vulnerable Library - webpack-5.93.0.tgz
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.93.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s "AutoPublicPathRuntimeModule". The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an "img" tag with an unsanitized "name" attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2024-08-27
URL: CVE-2024-43788
CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4vvj-4cpr-p986
Release Date: 2024-08-27
Fix Resolution: webpack - 5.94.0
Vulnerable Libraries - runtime-7.25.0.tgz, helpers-7.25.0.tgz
runtime-7.25.0.tgz
Library home page: https://registry.npmjs.org/@babel/runtime/-/runtime-7.25.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
helpers-7.25.0.tgz
Library home page: https://registry.npmjs.org/@babel/helpers/-/helpers-7.25.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the ".replace" method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to ".replace"). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the ".replace" method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of ".replace". This problem has been fixed in "@babel/helpers" and "@babel/runtime" 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on "@babel/helpers", and instead depend on "@babel/core" (which itself depends on "@babel/helpers"). Upgrading to "@babel/core" 7.26.10 is not required, but it guarantees use of a new enough "@babel/helpers" version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.
Publish Date: 2025-03-11
URL: CVE-2025-27789
CVSS 3 Score Details (6.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-968p-4wvh-cqc8
Release Date: 2025-03-11
Fix Resolution: @babel/runtime-corejs2 - 7.26.10
Vulnerable Library - rollup-2.79.1.tgz
Next-generation ES module bundler
Library home page: https://registry.npmjs.org/rollup/-/rollup-2.79.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
Rollup is a module bundler for JavaScript. Versions prior to 3.29.5 and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from
import.meta(e.g.,import.meta.url) incjs/umd/iifeformat. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., animgtag with an unsanitizednameattribute) are present. Versions 3.29.5 and 4.22.4 contain a patch for the vulnerability.Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-09-23
URL: CVE-2024-47068
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-gcx4-mw62-g8wm
Release Date: 2024-09-23
Fix Resolution: rollup - 3.29.5
Vulnerable Library - serialize-javascript-4.0.0.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-4.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
Publish Date: 2025-02-10
URL: CVE-2024-11831
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-76p7-773f-r4q5
Release Date: 2025-02-10
Fix Resolution: serialize-javascript - 6.0.2
Vulnerable Library - webpack-dev-server-4.15.2.tgz
Library home page: https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-4.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using "Function::toString" against the values in "webpack_modules", the attacker can get the source code. Version 5.2.1 contains a patch for the issue.
Publish Date: 2025-06-03
URL: CVE-2025-30359
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4v9v-hfq4-rm2v
Release Date: 2025-06-03
Fix Resolution: webpack-dev-server - 5.2.1
Vulnerable Library - cookie-0.6.0.tgz
Library home page: https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Publish Date: 2024-10-04
URL: CVE-2024-47764
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-pxg6-pf52-xh8x
Release Date: 2024-10-04
Fix Resolution: cookie - 0.7.0
Vulnerable Library - micromatch-4.0.7.tgz
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
The NPM package "micromatch" prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in "micromatch.braces()" in "index.js" because the pattern ".*" will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8. After conducting a further research, it was concluded that CVE-2024-4067 should not reflect the security risk score in NVD, but will be kept for users' awareness.
Publish Date: 2024-05-13
URL: CVE-2024-4067
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/micromatch/micromatch/releases/tag/4.0.8
Release Date: 2024-05-13
Fix Resolution: micromatch - 4.0.8
Vulnerable Library - postcss-7.0.39.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.39.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
Publish Date: 2023-09-29
URL: CVE-2023-44270
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-7fh5-64p2-3v2j
Release Date: 2023-09-29
Fix Resolution: postcss - 8.4.31
Vulnerable Library - serve-static-1.15.0.tgz
Serve static files
Library home page: https://registry.npmjs.org/serve-static/-/serve-static-1.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.
Publish Date: 2024-09-10
URL: CVE-2024-43800
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-cm22-4g7w-348p
Release Date: 2024-09-10
Fix Resolution: serve-static - 1.16.0,2.1.0
Vulnerable Library - send-0.18.0.tgz
Better streaming static file server with Range and conditional-GET support
Library home page: https://registry.npmjs.org/send/-/send-0.18.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.
Publish Date: 2024-09-10
URL: CVE-2024-43799
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-m6fv-jmcg-4jfg
Release Date: 2024-09-10
Fix Resolution: send - 0.19.0
Vulnerable Library - express-4.19.2.tgz
Library home page: https://registry.npmjs.org/express/-/express-4.19.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
Publish Date: 2024-09-10
URL: CVE-2024-43796
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-qw6h-vgh9-j6wx
Release Date: 2024-09-10
Fix Resolution: express - 4.20.0,5.0.0
Vulnerable Library - nanoid-3.3.7.tgz
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
Publish Date: 2024-12-09
URL: CVE-2024-55565
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: ai/nanoid@d643045
Release Date: 2024-12-09
Fix Resolution: https://github.com/ai/nanoid.git - 5.0.9
Vulnerable Library - http-proxy-middleware-2.0.6.tgz
The one-liner node.js proxy middleware for connect, express and browser-sync
Library home page: https://registry.npmjs.org/http-proxy-middleware/-/http-proxy-middleware-2.0.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed.
Publish Date: 2025-04-15
URL: CVE-2025-32997
CVSS 3 Score Details (4.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: chimurai/http-proxy-middleware@1bdccbe
Release Date: 2025-04-15
Fix Resolution: https://github.com/chimurai/http-proxy-middleware.git - v3.0.5
Vulnerable Library - http-proxy-middleware-2.0.6.tgz
The one-liner node.js proxy middleware for connect, express and browser-sync
Library home page: https://registry.npmjs.org/http-proxy-middleware/-/http-proxy-middleware-2.0.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used.
Publish Date: 2025-04-15
URL: CVE-2025-32996
CVSS 3 Score Details (4.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: chimurai/http-proxy-middleware@0209760
Release Date: 2025-04-15
Fix Resolution: http-proxy-middleware - 2.0.8
Vulnerable Library - on-headers-1.0.2.tgz
Execute a listener when a response is about to write headers
Library home page: https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c482223a03afb35b916788764518f0baa8b6dafc
Found in base branch: main
Vulnerability Details
on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions "<1.1.0" may result in response headers being inadvertently modified when an array is passed to "response.writeHead()". Users should upgrade to version 1.1.0 to receive a patch. Uses are strongly encouraged to upgrade to "1.1.0", but this issue can be worked around by passing an object to "response.writeHead()" rather than an array.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-17
URL: CVE-2025-7339
CVSS 3 Score Details (3.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-76c9-3jph-rj3q
Release Date: 2025-07-17
Fix Resolution: https://github.com/jshttp/on-headers.git - v1.1.0