stavros-k / docs Goto Github PK

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim/package.json

Dependency Hierarchy:

core-2.0.0-beta.21.tgz (Root Library)
- mdx-loader-2.0.0-beta.21.tgz
  - mdx-1.6.22.tgz
    - remark-parse-8.0.3.tgz
      - ❌ trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: fce7084a09264a267ce5ab68d95ee814e6662a5b

Found in base branch: master

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-27

Fix Resolution: trim - 0.0.3

Step up your Open Source Security Game with Mend here

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

core-2.0.0-beta.21.tgz (Root Library)
- update-notifier-5.1.0.tgz
  - latest-version-5.1.0.tgz
    - package-json-6.5.0.tgz
      - ❌ got-9.6.0.tgz (Vulnerable Library)

Found in HEAD commit: fce7084a09264a267ce5ab68d95ee814e6662a5b

Found in base branch: master

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

Step up your Open Source Security Game with Mend here

@docusaurus/core-2.0.0-rc.1.tgz: 3 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - @docusaurus/core-2.0.0-rc.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/terser/package.json

Found in HEAD commit: 2c706c0dbf4d435f893d00089a7ef3305fe05b09

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2020-7753	High	7.5	trim-0.0.1.tgz	Transitive	N/A	❌
CVE-2022-33987	Medium	5.3	got-9.6.0.tgz	Transitive	N/A	❌
CVE-2022-25858	Medium	5.3	terser-5.14.0.tgz	Transitive	N/A	❌

Details

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim/package.json

Dependency Hierarchy:

@docusaurus/core-2.0.0-rc.1.tgz (Root Library)
- @docusaurus/mdx-loader-2.0.0-rc.1.tgz
  - mdx-1.6.22.tgz
    - remark-parse-8.0.3.tgz
      - ❌ trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 2c706c0dbf4d435f893d00089a7ef3305fe05b09

Found in base branch: master

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-27

Fix Resolution: trim - 0.0.3

Step up your Open Source Security Game with Mend here

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

@docusaurus/core-2.0.0-rc.1.tgz (Root Library)
- update-notifier-5.1.0.tgz
  - latest-version-5.1.0.tgz
    - package-json-6.5.0.tgz
      - ❌ got-9.6.0.tgz (Vulnerable Library)

Found in HEAD commit: 2c706c0dbf4d435f893d00089a7ef3305fe05b09

Found in base branch: master

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

Step up your Open Source Security Game with Mend here

Vulnerable Library - terser-5.14.0.tgz

JavaScript parser, mangler/compressor and beautifier toolkit for ES6+

Library home page: https://registry.npmjs.org/terser/-/terser-5.14.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/terser/package.json

Dependency Hierarchy:

@docusaurus/core-2.0.0-rc.1.tgz (Root Library)
- html-minifier-terser-6.1.0.tgz
  - ❌ terser-5.14.0.tgz (Vulnerable Library)

Found in HEAD commit: 2c706c0dbf4d435f893d00089a7ef3305fe05b09

Found in base branch: master

Vulnerability Details

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Publish Date: 2022-07-15

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858

Release Date: 2022-07-15

Fix Resolution: terser - 4.8.1,5.14.2

Step up your Open Source Security Game with Mend here

🤖 Renovate Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Warning

Renovate failed to look up the following dependencies: Could not determine new digest for update (github-tags package c2corg/browserslist-update-action).

Files affected: .github/workflows/update-browserlist.yml

This repository currently has no open or pending branches.

Detected dependencies

github-actions

.github/workflows/codeql-analysis.yml

actions/checkout v4@b4ffde65f46336ab88eb53be808477a3936bae11

github/codeql-action v3@47b3d888fe66b639e431abf22ebca059152f1eea

github/codeql-action v3@47b3d888fe66b639e431abf22ebca059152f1eea

.github/workflows/test-build.yml

actions/checkout v4@b4ffde65f46336ab88eb53be808477a3936bae11

actions/setup-node v4@60edb5dd545a775178f52524783378180af0d1f8

.github/workflows/update-browserlist.yml

actions/checkout v4@b4ffde65f46336ab88eb53be808477a3936bae11

c2corg/browserslist-update-action v2@0e432e6c50c3c06fcb785a3ba475d462dd93272e

npm

package.json

@astrojs/check 0.5.5

@astrojs/starlight 0.20.0

astro 4.4.4

sharp 0.33.2

starlight-links-validator ^0.5.2

typescript 5.3.3

nvm

.nvmrc

node 20.11.1

Check this box to trigger a request for Renovate to run again on this repository

core-2.0.1.tgz: 3 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - core-2.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/terser/package.json

Found in HEAD commit: b9edbd4700b4b50936d471b4605ce680eeddf9d0

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-25858	High	7.5	terser-5.14.0.tgz	Transitive	N/A	❌
CVE-2020-7753	High	7.5	trim-0.0.1.tgz	Transitive	N/A	❌
CVE-2022-33987	Medium	5.3	got-9.6.0.tgz	Transitive	N/A	❌

Details

Vulnerable Library - terser-5.14.0.tgz

JavaScript parser, mangler/compressor and beautifier toolkit for ES6+

Library home page: https://registry.npmjs.org/terser/-/terser-5.14.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/terser/package.json

Dependency Hierarchy:

core-2.0.1.tgz (Root Library)
- html-minifier-terser-6.1.0.tgz
  - ❌ terser-5.14.0.tgz (Vulnerable Library)

Found in HEAD commit: b9edbd4700b4b50936d471b4605ce680eeddf9d0

Found in base branch: master

Vulnerability Details

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Publish Date: 2022-07-15

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858

Release Date: 2022-07-15

Fix Resolution: terser - 4.8.1,5.14.2

Step up your Open Source Security Game with Mend here

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim/package.json

Dependency Hierarchy:

core-2.0.1.tgz (Root Library)
- mdx-loader-2.0.1.tgz
  - mdx-1.6.22.tgz
    - remark-parse-8.0.3.tgz
      - ❌ trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: b9edbd4700b4b50936d471b4605ce680eeddf9d0

Found in base branch: master

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-27

Fix Resolution: trim - 0.0.3

Step up your Open Source Security Game with Mend here

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

core-2.0.1.tgz (Root Library)
- update-notifier-5.1.0.tgz
  - latest-version-5.1.0.tgz
    - package-json-6.5.0.tgz
      - ❌ got-9.6.0.tgz (Vulnerable Library)

Found in HEAD commit: b9edbd4700b4b50936d471b4605ce680eeddf9d0

Found in base branch: master

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

Step up your Open Source Security Game with Mend here

@docusaurus/core-2.0.0-beta.22.tgz: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - @docusaurus/core-2.0.0-beta.22.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim/package.json

Found in HEAD commit: d36578232c7106c270c86fa16deba839fb1e23aa

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2020-7753	High	7.5	trim-0.0.1.tgz	Transitive	N/A	❌
CVE-2022-33987	Medium	5.3	got-9.6.0.tgz	Transitive	N/A	❌

Details

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim/package.json

Dependency Hierarchy:

@docusaurus/core-2.0.0-beta.22.tgz (Root Library)
- @docusaurus/mdx-loader-2.0.0-beta.22.tgz
  - mdx-1.6.22.tgz
    - remark-parse-8.0.3.tgz
      - ❌ trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: d36578232c7106c270c86fa16deba839fb1e23aa

Found in base branch: master

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-27

Fix Resolution: trim - 0.0.3

Step up your Open Source Security Game with Mend here

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

@docusaurus/core-2.0.0-beta.22.tgz (Root Library)
- update-notifier-5.1.0.tgz
  - latest-version-5.1.0.tgz
    - package-json-6.5.0.tgz
      - ❌ got-9.6.0.tgz (Vulnerable Library)

Found in HEAD commit: d36578232c7106c270c86fa16deba839fb1e23aa

Found in base branch: master

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

Step up your Open Source Security Game with Mend here

core-2.0.0-beta.22.tgz: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - core-2.0.0-beta.22.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim/package.json

Found in HEAD commit: 844841c6461639797c0fd77cfbdb2da90d01d28a

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2020-7753	High	7.5	trim-0.0.1.tgz	Transitive	N/A	❌
CVE-2022-33987	Medium	5.3	got-9.6.0.tgz	Transitive	N/A	❌

Details

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim/package.json

Dependency Hierarchy:

core-2.0.0-beta.22.tgz (Root Library)
- mdx-loader-2.0.0-beta.22.tgz
  - mdx-1.6.22.tgz
    - remark-parse-8.0.3.tgz
      - ❌ trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 844841c6461639797c0fd77cfbdb2da90d01d28a

Found in base branch: master

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-27

Fix Resolution: trim - 0.0.3

Step up your Open Source Security Game with Mend here

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

core-2.0.0-beta.22.tgz (Root Library)
- update-notifier-5.1.0.tgz
  - latest-version-5.1.0.tgz
    - package-json-6.5.0.tgz
      - ❌ got-9.6.0.tgz (Vulnerable Library)

Found in HEAD commit: 844841c6461639797c0fd77cfbdb2da90d01d28a

Found in base branch: master

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

Step up your Open Source Security Game with Mend here

@docusaurus/core-2.1.0.tgz: 3 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - @docusaurus/core-2.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/terser/package.json

Found in HEAD commit: 372a6fd9b1e29dfc436eede6907692935ee2ac60

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-25858	High	7.5	terser-5.14.0.tgz	Transitive	N/A	❌
CVE-2020-7753	High	7.5	trim-0.0.1.tgz	Transitive	N/A	❌
CVE-2022-33987	Medium	5.3	got-9.6.0.tgz	Transitive	N/A	❌

Details

Vulnerable Library - terser-5.14.0.tgz

JavaScript parser, mangler/compressor and beautifier toolkit for ES6+

Library home page: https://registry.npmjs.org/terser/-/terser-5.14.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/terser/package.json

Dependency Hierarchy:

@docusaurus/core-2.1.0.tgz (Root Library)
- html-minifier-terser-6.1.0.tgz
  - ❌ terser-5.14.0.tgz (Vulnerable Library)

Found in HEAD commit: 372a6fd9b1e29dfc436eede6907692935ee2ac60

Found in base branch: master

Vulnerability Details

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Publish Date: 2022-07-15

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858

Release Date: 2022-07-15

Fix Resolution: terser - 4.8.1,5.14.2

Step up your Open Source Security Game with Mend here

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim/package.json

Dependency Hierarchy:

@docusaurus/core-2.1.0.tgz (Root Library)
- @docusaurus/mdx-loader-2.1.0.tgz
  - mdx-1.6.22.tgz
    - remark-parse-8.0.3.tgz
      - ❌ trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 372a6fd9b1e29dfc436eede6907692935ee2ac60

Found in base branch: master

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-27

Fix Resolution: trim - 0.0.3

Step up your Open Source Security Game with Mend here

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

@docusaurus/core-2.1.0.tgz (Root Library)
- update-notifier-5.1.0.tgz
  - latest-version-5.1.0.tgz
    - package-json-6.5.0.tgz
      - ❌ got-9.6.0.tgz (Vulnerable Library)

Found in HEAD commit: 372a6fd9b1e29dfc436eede6907692935ee2ac60

Found in base branch: master

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

Step up your Open Source Security Game with Mend here

core-2.1.0.tgz: 5 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - core-2.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/loader-utils/package.json

Found in HEAD commit: 26747832187d17842cc24c9d0b8006d23e454605

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (core version)	Remediation Available
CVE-2022-25858	High	7.5	terser-5.14.0.tgz	Transitive	N/A*	❌
CVE-2022-3517	High	7.5	minimatch-3.0.4.tgz	Transitive	N/A*	❌
CVE-2020-7753	High	7.5	trim-0.0.1.tgz	Transitive	N/A*	❌
CVE-2022-37599	High	7.5	loader-utils-2.0.2.tgz	Transitive	N/A*	❌
CVE-2022-33987	Medium	5.3	got-9.6.0.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

Vulnerable Library - terser-5.14.0.tgz

JavaScript parser, mangler/compressor and beautifier toolkit for ES6+

Library home page: https://registry.npmjs.org/terser/-/terser-5.14.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/terser/package.json

Dependency Hierarchy:

core-2.1.0.tgz (Root Library)
- html-minifier-terser-6.1.0.tgz
  - ❌ terser-5.14.0.tgz (Vulnerable Library)

Found in HEAD commit: 26747832187d17842cc24c9d0b8006d23e454605

Found in base branch: master

Vulnerability Details

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Publish Date: Jul 15, 2022 8:15:00 PM

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858

Release Date: Jul 15, 2022 8:15:00 PM

Fix Resolution: terser - 4.8.1,5.14.2

Step up your Open Source Security Game with Mend here

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/serve-handler/node_modules/minimatch/package.json,/node_modules/recursive-readdir/node_modules/minimatch/package.json

Dependency Hierarchy:

core-2.1.0.tgz (Root Library)
- react-dev-utils-12.0.1.tgz
  - recursive-readdir-2.2.2.tgz
    - ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 26747832187d17842cc24c9d0b8006d23e454605

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: Oct 17, 2022 8:15:00 PM

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: Oct 17, 2022 8:15:00 PM

Fix Resolution: minimatch - 3.0.5

Step up your Open Source Security Game with Mend here

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim/package.json

Dependency Hierarchy:

core-2.1.0.tgz (Root Library)
- mdx-loader-2.1.0.tgz
  - mdx-1.6.22.tgz
    - remark-parse-8.0.3.tgz
      - ❌ trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 26747832187d17842cc24c9d0b8006d23e454605

Found in base branch: master

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: Oct 27, 2020 9:15:00 AM

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: Oct 27, 2020 9:15:00 AM

Fix Resolution: trim - 0.0.3

Step up your Open Source Security Game with Mend here

CVE-2022-37599

Vulnerable Library - loader-utils-2.0.2.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/loader-utils/package.json

Dependency Hierarchy:

core-2.1.0.tgz (Root Library)
- file-loader-6.2.0.tgz
  - ❌ loader-utils-2.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 26747832187d17842cc24c9d0b8006d23e454605

Found in base branch: master

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.

Publish Date: Oct 11, 2022 7:15:00 PM

URL: CVE-2022-37599

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

core-2.1.0.tgz (Root Library)
- update-notifier-5.1.0.tgz
  - latest-version-5.1.0.tgz
    - package-json-6.5.0.tgz
      - ❌ got-9.6.0.tgz (Vulnerable Library)

Found in HEAD commit: 26747832187d17842cc24c9d0b8006d23e454605

Found in base branch: master

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: Jun 18, 2022 9:15:00 PM

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: Jun 18, 2022 9:15:00 PM

Fix Resolution: got - 11.8.5,12.1.0

Step up your Open Source Security Game with Mend here

Autodeploy

Create pipeline to autodeploy

core-2.0.0-rc.1.tgz: 4 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - core-2.0.0-rc.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/terser/package.json

Found in HEAD commit: 7d971a5b271d6a3605ff7b17ea3af4a30fc3a397

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-25858	High	7.5	terser-5.14.0.tgz	Transitive	N/A	❌
CVE-2021-35065	High	7.5	glob-parent-5.1.2.tgz	Transitive	N/A	❌
CVE-2020-7753	High	7.5	trim-0.0.1.tgz	Transitive	N/A	❌
CVE-2022-33987	Medium	5.3	got-9.6.0.tgz	Transitive	N/A	❌

Details

Vulnerable Library - terser-5.14.0.tgz

JavaScript parser, mangler/compressor and beautifier toolkit for ES6+

Library home page: https://registry.npmjs.org/terser/-/terser-5.14.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/terser/package.json

Dependency Hierarchy:

core-2.0.0-rc.1.tgz (Root Library)
- html-minifier-terser-6.1.0.tgz
  - ❌ terser-5.14.0.tgz (Vulnerable Library)

Found in HEAD commit: 7d971a5b271d6a3605ff7b17ea3af4a30fc3a397

Found in base branch: master

Vulnerability Details

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Publish Date: 2022-07-15

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858

Release Date: 2022-07-15

Fix Resolution: terser - 4.8.1,5.14.2

Step up your Open Source Security Game with Mend here

CVE-2021-35065

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

core-2.0.0-rc.1.tgz (Root Library)
- chokidar-3.5.3.tgz
  - ❌ glob-parent-5.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 7d971a5b271d6a3605ff7b17ea3af4a30fc3a397

Found in base branch: master

Vulnerability Details

The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj88-88mr-972w

Release Date: 2021-06-22

Fix Resolution: glob-parent - 6.0.1

Step up your Open Source Security Game with Mend here

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim/package.json

Dependency Hierarchy:

core-2.0.0-rc.1.tgz (Root Library)
- mdx-loader-2.0.0-rc.1.tgz
  - mdx-1.6.22.tgz
    - remark-parse-8.0.3.tgz
      - ❌ trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 7d971a5b271d6a3605ff7b17ea3af4a30fc3a397

Found in base branch: master

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-27

Fix Resolution: trim - 0.0.3

Step up your Open Source Security Game with Mend here

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

core-2.0.0-rc.1.tgz (Root Library)
- update-notifier-5.1.0.tgz
  - latest-version-5.1.0.tgz
    - package-json-6.5.0.tgz
      - ❌ got-9.6.0.tgz (Vulnerable Library)

Found in HEAD commit: 7d971a5b271d6a3605ff7b17ea3af4a30fc3a397

Found in base branch: master

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

Step up your Open Source Security Game with Mend here

@docusaurus/core-2.0.1.tgz: 3 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - @docusaurus/core-2.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/terser/package.json

Found in HEAD commit: ca34563630e1351d24793fdf48a7ab6addc986e1

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-25858	High	7.5	terser-5.14.0.tgz	Transitive	N/A	❌
CVE-2020-7753	High	7.5	trim-0.0.1.tgz	Transitive	N/A	❌
CVE-2022-33987	Medium	5.3	got-9.6.0.tgz	Transitive	N/A	❌

Details

Vulnerable Library - terser-5.14.0.tgz

JavaScript parser, mangler/compressor and beautifier toolkit for ES6+

Library home page: https://registry.npmjs.org/terser/-/terser-5.14.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/terser/package.json

Dependency Hierarchy:

@docusaurus/core-2.0.1.tgz (Root Library)
- html-minifier-terser-6.1.0.tgz
  - ❌ terser-5.14.0.tgz (Vulnerable Library)

Found in HEAD commit: ca34563630e1351d24793fdf48a7ab6addc986e1

Found in base branch: master

Vulnerability Details

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Publish Date: 2022-07-15

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858

Release Date: 2022-07-15

Fix Resolution: terser - 4.8.1,5.14.2

Step up your Open Source Security Game with Mend here

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim/package.json

Dependency Hierarchy:

@docusaurus/core-2.0.1.tgz (Root Library)
- @docusaurus/mdx-loader-2.0.1.tgz
  - mdx-1.6.22.tgz
    - remark-parse-8.0.3.tgz
      - ❌ trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: ca34563630e1351d24793fdf48a7ab6addc986e1

Found in base branch: master

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-27

Fix Resolution: trim - 0.0.3

Step up your Open Source Security Game with Mend here

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

@docusaurus/core-2.0.1.tgz (Root Library)
- update-notifier-5.1.0.tgz
  - latest-version-5.1.0.tgz
    - package-json-6.5.0.tgz
      - ❌ got-9.6.0.tgz (Vulnerable Library)

Found in HEAD commit: ca34563630e1351d24793fdf48a7ab6addc986e1

Found in base branch: master

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

Step up your Open Source Security Game with Mend here

core-2.2.0.tgz: 5 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - core-2.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/loader-utils/package.json

Found in HEAD commit: 5ffb15765892a49d30901e37c6d64a495156623c

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (core version)	Remediation Available
CVE-2022-25858	High	7.5	terser-5.14.0.tgz	Transitive	N/A*	❌
CVE-2022-3517	High	7.5	minimatch-3.0.4.tgz	Transitive	N/A*	❌
CVE-2020-7753	High	7.5	trim-0.0.1.tgz	Transitive	N/A*	❌
CVE-2022-37599	High	7.5	loader-utils-2.0.2.tgz	Transitive	N/A*	❌
CVE-2022-33987	Medium	5.3	got-9.6.0.tgz	Transitive	N/A*	❌

Details

Vulnerable Library - terser-5.14.0.tgz

JavaScript parser, mangler/compressor and beautifier toolkit for ES6+

Library home page: https://registry.npmjs.org/terser/-/terser-5.14.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/terser/package.json

Dependency Hierarchy:

core-2.2.0.tgz (Root Library)
- html-minifier-terser-6.1.0.tgz
  - ❌ terser-5.14.0.tgz (Vulnerable Library)

Found in HEAD commit: 5ffb15765892a49d30901e37c6d64a495156623c

Found in base branch: master

Vulnerability Details

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Publish Date: 2022-07-15

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858

Release Date: 2022-07-15

Fix Resolution: terser - 4.8.1,5.14.2

Step up your Open Source Security Game with Mend here

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/serve-handler/node_modules/minimatch/package.json,/node_modules/recursive-readdir/node_modules/minimatch/package.json

Dependency Hierarchy:

core-2.2.0.tgz (Root Library)
- serve-handler-6.1.3.tgz
  - ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 5ffb15765892a49d30901e37c6d64a495156623c

Found in base branch: master

Vulnerability Details

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Step up your Open Source Security Game with Mend here

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim/package.json

Dependency Hierarchy:

core-2.2.0.tgz (Root Library)
- mdx-loader-2.2.0.tgz
  - mdx-1.6.22.tgz
    - remark-parse-8.0.3.tgz
      - ❌ trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 5ffb15765892a49d30901e37c6d64a495156623c

Found in base branch: master

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-27

Fix Resolution: trim - 0.0.3

Step up your Open Source Security Game with Mend here

CVE-2022-37599

Vulnerable Library - loader-utils-2.0.2.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/loader-utils/package.json

Dependency Hierarchy:

core-2.2.0.tgz (Root Library)
- file-loader-6.2.0.tgz
  - ❌ loader-utils-2.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 5ffb15765892a49d30901e37c6d64a495156623c

Found in base branch: master

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.

Publish Date: 2022-10-11

URL: CVE-2022-37599

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

core-2.2.0.tgz (Root Library)
- update-notifier-5.1.0.tgz
  - latest-version-5.1.0.tgz
    - package-json-6.5.0.tgz
      - ❌ got-9.6.0.tgz (Vulnerable Library)

Found in HEAD commit: 5ffb15765892a49d30901e37c6d64a495156623c

Found in base branch: master

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18