Version Details and Security Vulnerabilities

📦

karma

0.12.35

Comparision Betweeen 0.12.35 and 0.12.34

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Version 0.12.35 Details

Karma version 0.12.35 represents a minor update over its predecessor, 0.12.34, within the popular JavaScript test runner's ecosystem. Examining their respective package metadata reveals subtle distinctions. Both share identical core dependencies, including essential libraries like q for promises, di for dependency injection, glob for file matching, and other utilities for logging, file system manipulation, and network connections. Crucially, the development dependencies, which are instrumental during the development and testing phases of Karma itself, also remain unchanged between the two versions. This suggests that the core functionality and supported testing frameworks like Mocha, Jasmine, and QUnit, stay consistent.

The update from 0.12.34 to 0.12.35 might incorporate bug fixes, performance improvements, or minor enhancements that don't necessitate alterations to the dependency tree. While the specific nature of these potential changes isn't explicitly detailed in the provided data, developers should consult the official Karma changelog or release notes for a comprehensive understanding. Users deeply embedded in the Karma ecosystem, particularly those relying on specific plugins or configurations, are always encouraged to review these notes before upgrading. Notably, both leverage a comprehensive suite of Grunt tasks for build automation and testing, mirroring the project's commitment to tooling and developer experience. The updated releaseDate further confirms that this version is more recent.

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

karma

0.12.35

Comparision Betweeen 0.12.35 and 0.12.34

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Version 0.12.35 Details

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.12.35 of the package karma.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.12.35 of the package

Summary:

Cross-site Scripting in karma

Details:

karma prior to version 6.3.14 contains a cross-site scripting vulnerability.

Details about karma@0.12.35

Summary:

Open redirect in karma

Details:

Karma before 6.3.16 is vulnerable to Open Redirect due to missing validation of the return_url query parameter.

Details about karma@0.12.35

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.12 or later.

Details about lodash@3.10.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.5 or later.

Details about lodash@3.10.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.11 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.11 or later.

Details about lodash@3.10.1

Summary:

Regular Expression Denial of Service (ReDoS) in lodash

Details:

lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.

Details about lodash@3.10.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Details about lodash@3.10.1

Summary:

Regular Expression Denial of Service (ReDoS) in lodash

Details:

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Steps to reproduce (provided by reporter Liyuan Chen):

var lo = require('lodash');

function build_blank(n) {
    var ret = "1"
    for (var i = 0; i < n; i++) {
        ret += " "
    }
    return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s) 
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);

Details about lodash@3.10.1

Summary:

Command Injection in lodash

Details:

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Details about lodash@3.10.1

Summary:

Incorrect Default Permissions in log4js

Details:

Impact

Default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.

Patches

Fixed by:

https://github.com/log4js-node/log4js-node/pull/1141
https://github.com/log4js-node/streamroller/pull/87

Released to NPM in log4js@6.4.0

Workarounds

Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.

References

Thanks to ranjit-git for raising the issue, and to @lamweili for fixing the problem.

For more information

If you have any questions or comments about this advisory:

Open an issue in logj4s-node
Ask a question in the slack channel
Email us at gareth.nomiddlename@gmail.com

Details about log4js@0.6.38

Summary:

semver vulnerable to Regular Expression Denial of Service

Details:

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Details about semver@4.3.6

Summary:

basic-auth-connect's callback uses time unsafe string comparison

Details:

Impact

basic-auth-connect <1.1.0 uses a timing-unsafe equality comparison that can leak timing information

Patches

this issue has been fixed in basic-auth-connect 1.1.0

References

Details about basic-auth-connect@1.0.0

Summary:

body-parser vulnerable to denial of service when url encoding is enabled

Details:

Impact

body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.

Patches

this issue is patched in 1.20.3

References

Details about body-parser@1.13.3

Summary:

cookie accepts cookie name, path, and domain with out of bounds characters

Details:

Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

References

https://github.com/jshttp/cookie/pull/167

Details about cookie@0.1.3

Summary:

Regular Expression Denial of Service in negotiator

Details:

Affected versions of negotiator are vulnerable to regular expression denial of service attacks, which trigger upon parsing a specially crafted Accept-Language header value.

Recommendation

Update to version 0.6.1 or later.

Details about negotiator@0.5.3

Summary:

Vercel ms Inefficient Regular Expression Complexity vulnerability

Details:

A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.

Details about ms@0.7.1

Summary:

debug Inefficient Regular Expression Complexity vulnerability

Details:

A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability. The patch has been backported to the 2.6.x branch in version 2.6.9.

Details about debug@2.2.0

Summary:

Regular Expression Denial of Service in debug

Details:

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.

Details about debug@2.2.0

Summary:

Out-of-bounds Read in base64-url

Details:

Versions of base64-url before 2.0.0 are vulnerable to out-of-bounds read as it allocates uninitialized Buffers when number is passed in input.

Recommendation

Update to version 2.0.0 or later.

Details about base64-url@1.2.1

Summary:

Regular Expression Denial of Service in fresh

Details:

Affected versions of fresh are vulnerable to regular expression denial of service when parsing specially crafted user input.

Recommendation

Update to version 0.5.2 or later.

Details about fresh@0.3.0

Summary:

Code Injection in morgan

Details:

Verisons of morgan before 1.9.1 are vulnerable to code injection when user input is allowed into the filter or combined with a prototype pollution attack.

Recommendation

Update to version 1.9.1 or later.

Details about morgan@1.6.1

Summary:

on-headers is vulnerable to http response header manipulation

Details:

Impact

A bug in on-headers versions < 1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead()

Patches

Users should upgrade to 1.1.0

Workarounds

Uses are encouraged to upgrade to 1.1.0, but this issue can be worked around by passing an object to response.writeHead() rather than an array.

Details about on-headers@1.0.2

Summary:

Prototype Pollution Protection Bypass in qs

Details:

Affected version of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype to be altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.

Recommendation

Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.

Details about qs@4.0.0

Summary:

qs vulnerable to Prototype Pollution

Details:

qs before 6.10.3 allows attackers to cause a Node process hang because an __ proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.

Details about qs@4.0.0

Summary:

serve-static vulnerable to template injection that can lead to XSS

Details:

Impact

passing untrusted user input - even after sanitizing it - to redirect() may execute untrusted code

Patches

this issue is patched in serve-static 1.16.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

The attacker MUST control the input to response.redirect()
express MUST NOT redirect before the template appears
the browser MUST NOT complete redirection before:
the user MUST click on the link in the template

Details about serve-static@1.10.3

Summary:

send vulnerable to template injection that can lead to XSS

Details:

Impact

passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code

Patches

this issue is patched in send 0.19.0

Workarounds

Details

successful exploitation of this vector requires the following:

The attacker MUST control the input to response.redirect()
express MUST NOT redirect before the template appears
the browser MUST NOT complete redirection before:
the user MUST click on the link in the template

Details about send@0.13.2

Summary:

Regular Expression Denial of Service (ReDoS) in micromatch

Details:

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Details about micromatch@2.3.11

Summary:

Regular Expression Denial of Service (ReDoS) in braces

Details:

A vulnerability was found in Braces versions prior to 2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Details about braces@1.8.5

Summary:

Regular Expression Denial of Service in braces

Details:

Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Recommendation

Upgrade to version 2.3.1 or higher.

Details about braces@1.8.5

Summary:

Uncontrolled resource consumption in braces

Details:

The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Details about braces@1.8.5

Summary:

Prototype Pollution in minimist

Details:

Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.

Recommendation

Upgrade to versions 0.2.1, 1.2.3 or later.

Details about minimist@0.0.10

Summary:

Prototype Pollution in minimist

Details:

Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Details about minimist@0.0.10

Summary:

Regular Expression Denial of Service in minimatch

Details:

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).

Proof of Concept

var minimatch = require(“minimatch”);

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = “”;
  for (i=0; i<=len; i++) {
    result = result + chr;
  }
  return result;
}

var exploit = “[!” + genstr(1000000, “\\”) + “A”;

// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);

Recommendation

Update to version 3.0.2 or later.

Details about minimatch@2.0.10

Summary:

minimatch ReDoS vulnerability

Details:

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Details about minimatch@2.0.10

Summary:

CORS misconfiguration in socket.io

Details:

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Details about socket.io@0.9.16

Summary:

socket.io has an unhandled 'error' event

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

| Version range | Needs minor update? | |------------------|------------------------------------------------| | 4.6.2...latest | Nothing to do | | 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) | | 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Details about socket.io@0.9.16

Summary:

Remote Memory Disclosure in ws

Details:

Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.

In certain rare circumstances, applications which allow users to control the arguments of a client.ping() call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.

Proof of Concept

var ws = require('ws')

var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes

  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // Data from the client. 
  })
})

Recommendation

Update to version 1.0.1 or greater.

Details about ws@0.4.32

Summary:

DoS due to excessively large websocket message in ws

Details:

Affected versions of ws do not appropriately limit the size of incoming websocket payloads, which may result in a denial of service condition when the node process crashes after receiving a large payload.

Recommendation

Update to version 1.1.1 or later. Alternatively, set the maxpayload option for the ws server to a value smaller than 256MB.

Details about ws@0.4.32

Summary:

Denial of Service in ws

Details:

Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.

Proof of concept

const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});

Recommendation

Update to version 3.3.1 or later.

Details about ws@0.4.32

Summary:

Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js

Details:

Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.

Recommendation

Upgrade UglifyJS to version >= 2.4.24.

Details about uglify-js@1.2.5

Summary:

Regular Expression Denial of Service in uglify-js

Details:

Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.

Proof of Concept

var u = require('uglify-js');
var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}

u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");

Results

$ time node test.js 10000
real	0m1.091s
user	0m1.047s
sys	0m0.039s

$ time node test.js 80000
real	0m6.486s
user	0m6.229s
sys	0m0.094s

Recommendation

Update to version 2.6.0 or later.

Details about uglify-js@1.2.5

Summary:

xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection

Details:

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Details about xmlhttprequest@1.4.2

Summary:

useragent Regular Expression Denial of Service vulnerability

Details:

Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS).

PoC

async function exploit() {
   const useragent = require(\"useragent\");

   // Create a malicious user-agent that leads to excessive backtracking
   const maliciousUserAgent = 'Mozilla/5.0 (' + 'X'.repeat(30000) + ') Gecko/20100101 Firefox/77.0';

   // Parse the malicious user-agent
   const agent = useragent.parse(maliciousUserAgent);

   // Call the toString method to trigger the vulnerability
   const result = await agent.device.toString();
   console.log(result);
}

await exploit();

Details about useragent@2.3.0

Summary:

tmp allows arbitrary temporary file / directory write via symbolic link dir parameter

Details:

Summary

tmp@0.2.3 is vulnerable to an Arbitrary temporary file / directory write via symbolic link dir parameter.

Details

According to the documentation there are some conditions that must be held:

// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L41-L50

Other breaking changes, i.e.

- template must be relative to tmpdir
- name must be relative to tmpdir
- dir option must be relative to tmpdir //<-- this assumption can be bypassed using symlinks

are still in place.

In order to override the system's tmpdir, you will have to use the newly
introduced tmpdir option.


// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L375
* `dir`: the optional temporary directory that must be relative to the system's default temporary directory.
     absolute paths are fine as long as they point to a location under the system's default temporary directory.
     Any directories along the so specified path must exist, otherwise a ENOENT error will be thrown upon access, 
     as tmp will not check the availability of the path, nor will it establish the requested path for you.

Related issue: https://github.com/raszi/node-tmp/issues/207.

The issue occurs because _resolvePath does not properly handle symbolic link when resolving paths:

// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L573-L579
function _resolvePath(name, tmpDir) {
  if (name.startsWith(tmpDir)) {
    return path.resolve(name);
  } else {
    return path.resolve(path.join(tmpDir, name));
  }
}

If the dir parameter points to a symlink that resolves to a folder outside the tmpDir, it's possible to bypass the _assertIsRelative check used in _assertAndSanitizeOptions:

// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L590-L609
function _assertIsRelative(name, option, tmpDir) {
  if (option === 'name') {
    // assert that name is not absolute and does not contain a path
    if (path.isAbsolute(name))
      throw new Error(`${option} option must not contain an absolute path, found "${name}".`);
    // must not fail on valid .<name> or ..<name> or similar such constructs
    let basename = path.basename(name);
    if (basename === '..' || basename === '.' || basename !== name)
      throw new Error(`${option} option must not contain a path, found "${name}".`);
  }
  else { // if (option === 'dir' || option === 'template') {
    // assert that dir or template are relative to tmpDir
    if (path.isAbsolute(name) && !name.startsWith(tmpDir)) {
      throw new Error(`${option} option must be relative to "${tmpDir}", found "${name}".`);
    }
    let resolvedPath = _resolvePath(name, tmpDir); //<--- 
    if (!resolvedPath.startsWith(tmpDir))
      throw new Error(`${option} option must be relative to "${tmpDir}", found "${resolvedPath}".`);
  }
}

PoC

The following PoC demonstrates how writing a tmp file on a folder outside the tmpDir is possible. Tested on a Linux machine.

Setup: create a symbolic link inside the tmpDir that points to a directory outside of it

mkdir $HOME/mydir1

ln -s $HOME/mydir1 ${TMPDIR:-/tmp}/evil-dir

check the folder is empty:

ls -lha $HOME/mydir1 | grep "tmp-"

run the poc

node main.js
File:  /tmp/evil-dir/tmp-26821-Vw87SLRaBIlf
test 1: ENOENT: no such file or directory, open '/tmp/mydir1/tmp-[random-id]'
test 2: dir option must be relative to "/tmp", found "/foo".
test 3: dir option must be relative to "/tmp", found "/home/user/mydir1".

the temporary file is created under $HOME/mydir1 (outside the tmpDir):

ls -lha $HOME/mydir1 | grep "tmp-"
-rw------- 1 user user    0 Apr  X XX:XX tmp-[random-id]

main.js

// npm i tmp@0.2.3

const tmp = require('tmp');

const tmpobj = tmp.fileSync({ 'dir': 'evil-dir'});
console.log('File: ', tmpobj.name);

try {
    tmp.fileSync({ 'dir': 'mydir1'});
} catch (err) {
    console.log('test 1:', err.message)
}

try {
    tmp.fileSync({ 'dir': '/foo'});
} catch (err) {
    console.log('test 2:', err.message)
}

try {
    const fs = require('node:fs');
    const resolved = fs.realpathSync('/tmp/evil-dir');
    tmp.fileSync({ 'dir': resolved});
} catch (err) {
    console.log('test 3:', err.message)
}

A Potential fix could be to call fs.realpathSync (or similar) that resolves also symbolic links.

function _resolvePath(name, tmpDir) {
  let resolvedPath;
  if (name.startsWith(tmpDir)) {
    resolvedPath = path.resolve(name);
  } else {
    resolvedPath = path.resolve(path.join(tmpDir, name));
  }
  return fs.realpathSync(resolvedPath);
}

Impact

Arbitrary temporary file / directory write via symlink

Details about tmp@0.0.33

Summary:

Denial of Service in http-proxy

Details:

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:
curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"

Recommendation

Upgrade to version 1.18.1 or later

Details about http-proxy@0.10.4

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.12.35 of the package karma.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.12.35 of the package

Summary:

Cross-site Scripting in karma

Details:

karma prior to version 6.3.14 contains a cross-site scripting vulnerability.

Details about karma@0.12.35

Summary:

Open redirect in karma

Details:

Karma before 6.3.16 is vulnerable to Open Redirect due to missing validation of the return_url query parameter.

Details about karma@0.12.35

Summary:

Prototype Pollution in lodash

Details:

Recommendation

Update to version 4.17.12 or later.

Details about lodash@3.10.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

Recommendation

Update to version 4.17.5 or later.

Details about lodash@3.10.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.11 are vulnerable to prototype pollution.

Recommendation

Update to version 4.17.11 or later.

Details about lodash@3.10.1

Summary:

Regular Expression Denial of Service (ReDoS) in lodash

Details:

Details about lodash@3.10.1

Summary:

Prototype Pollution in lodash

Details:

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Details about lodash@3.10.1

Summary:

Regular Expression Denial of Service (ReDoS) in lodash

Details:

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Steps to reproduce (provided by reporter Liyuan Chen):

var lo = require('lodash');

function build_blank(n) {
    var ret = "1"
    for (var i = 0; i < n; i++) {
        ret += " "
    }
    return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s) 
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);

Details about lodash@3.10.1

Summary:

Command Injection in lodash

Details:

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Details about lodash@3.10.1

Summary:

Incorrect Default Permissions in log4js

Details:

Impact

Patches

Fixed by:

https://github.com/log4js-node/log4js-node/pull/1141
https://github.com/log4js-node/streamroller/pull/87

Released to NPM in log4js@6.4.0

Workarounds

Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.

References

Thanks to ranjit-git for raising the issue, and to @lamweili for fixing the problem.

For more information

If you have any questions or comments about this advisory:

Open an issue in logj4s-node
Ask a question in the slack channel
Email us at gareth.nomiddlename@gmail.com

Details about log4js@0.6.38

Summary:

semver vulnerable to Regular Expression Denial of Service

Details:

Details about semver@4.3.6

Summary:

basic-auth-connect's callback uses time unsafe string comparison

Details:

Impact

basic-auth-connect <1.1.0 uses a timing-unsafe equality comparison that can leak timing information

Patches

this issue has been fixed in basic-auth-connect 1.1.0

References

Details about basic-auth-connect@1.0.0

Summary:

body-parser vulnerable to denial of service when url encoding is enabled

Details:

Impact

Patches

this issue is patched in 1.20.3

References

Details about body-parser@1.13.3

Summary:

cookie accepts cookie name, path, and domain with out of bounds characters

Details:

Impact

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

References

https://github.com/jshttp/cookie/pull/167

Details about cookie@0.1.3

Summary:

Regular Expression Denial of Service in negotiator

Details:

Affected versions of negotiator are vulnerable to regular expression denial of service attacks, which trigger upon parsing a specially crafted Accept-Language header value.

Recommendation

Update to version 0.6.1 or later.

Details about negotiator@0.5.3

Summary:

Vercel ms Inefficient Regular Expression Complexity vulnerability

Details:

Details about ms@0.7.1

Summary:

debug Inefficient Regular Expression Complexity vulnerability

Details:

Details about debug@2.2.0

Summary:

Regular Expression Denial of Service in debug

Details:

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.

Details about debug@2.2.0

Summary:

Out-of-bounds Read in base64-url

Details:

Versions of base64-url before 2.0.0 are vulnerable to out-of-bounds read as it allocates uninitialized Buffers when number is passed in input.

Recommendation

Update to version 2.0.0 or later.

Details about base64-url@1.2.1

Summary:

Regular Expression Denial of Service in fresh

Details:

Affected versions of fresh are vulnerable to regular expression denial of service when parsing specially crafted user input.

Recommendation

Update to version 0.5.2 or later.

Details about fresh@0.3.0

Summary:

Code Injection in morgan

Details:

Verisons of morgan before 1.9.1 are vulnerable to code injection when user input is allowed into the filter or combined with a prototype pollution attack.

Recommendation

Update to version 1.9.1 or later.

Details about morgan@1.6.1

Summary:

on-headers is vulnerable to http response header manipulation

Details:

Impact

A bug in on-headers versions < 1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead()

Patches

Users should upgrade to 1.1.0

Workarounds

Uses are encouraged to upgrade to 1.1.0, but this issue can be worked around by passing an object to response.writeHead() rather than an array.

Details about on-headers@1.0.2

Summary:

Prototype Pollution Protection Bypass in qs

Details:

Recommendation

Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.

Details about qs@4.0.0

Summary:

qs vulnerable to Prototype Pollution

Details:

Details about qs@4.0.0

Summary:

serve-static vulnerable to template injection that can lead to XSS

Details:

Impact

passing untrusted user input - even after sanitizing it - to redirect() may execute untrusted code

Patches

this issue is patched in serve-static 1.16.0

Workarounds

Details

successful exploitation of this vector requires the following:

The attacker MUST control the input to response.redirect()
express MUST NOT redirect before the template appears
the browser MUST NOT complete redirection before:
the user MUST click on the link in the template

Details about serve-static@1.10.3

Summary:

send vulnerable to template injection that can lead to XSS

Details:

Impact

passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code

Patches

this issue is patched in send 0.19.0

Workarounds

Details

successful exploitation of this vector requires the following:

The attacker MUST control the input to response.redirect()
express MUST NOT redirect before the template appears
the browser MUST NOT complete redirection before:
the user MUST click on the link in the template

Details about send@0.13.2

Summary:

Regular Expression Denial of Service (ReDoS) in micromatch

Details:

Details about micromatch@2.3.11

Summary:

Regular Expression Denial of Service (ReDoS) in braces

Details:

A vulnerability was found in Braces versions prior to 2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Details about braces@1.8.5

Summary:

Regular Expression Denial of Service in braces

Details:

Recommendation

Upgrade to version 2.3.1 or higher.

Details about braces@1.8.5

Summary:

Uncontrolled resource consumption in braces

Details:

Details about braces@1.8.5

Summary:

Prototype Pollution in minimist

Details:

Recommendation

Upgrade to versions 0.2.1, 1.2.3 or later.

Details about minimist@0.0.10

Summary:

Prototype Pollution in minimist

Details:

Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Details about minimist@0.0.10

Summary:

Regular Expression Denial of Service in minimatch

Details:

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).

Proof of Concept

var minimatch = require(“minimatch”);

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = “”;
  for (i=0; i<=len; i++) {
    result = result + chr;
  }
  return result;
}

var exploit = “[!” + genstr(1000000, “\\”) + “A”;

// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);

Recommendation

Update to version 3.0.2 or later.

Details about minimatch@2.0.10

Summary:

minimatch ReDoS vulnerability

Details:

Details about minimatch@2.0.10

Summary:

CORS misconfiguration in socket.io

Details:

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Details about socket.io@0.9.16

Summary:

socket.io has an unhandled 'error' event

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Details about socket.io@0.9.16

Summary:

Remote Memory Disclosure in ws

Details:

Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.

Proof of Concept

var ws = require('ws')

var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes

  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // Data from the client. 
  })
})

Recommendation

Update to version 1.0.1 or greater.

Details about ws@0.4.32

Summary:

DoS due to excessively large websocket message in ws

Details:

Recommendation

Update to version 1.1.1 or later. Alternatively, set the maxpayload option for the ws server to a value smaller than 256MB.

Details about ws@0.4.32

Summary:

Denial of Service in ws

Details:

Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.

Proof of concept

const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});

Recommendation

Update to version 3.3.1 or later.

Details about ws@0.4.32

Summary:

Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js

Details:

Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.

Recommendation

Upgrade UglifyJS to version >= 2.4.24.

Details about uglify-js@1.2.5

Summary:

Regular Expression Denial of Service in uglify-js

Details:

Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.

Proof of Concept

var u = require('uglify-js');
var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}

u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");

Results

$ time node test.js 10000
real	0m1.091s
user	0m1.047s
sys	0m0.039s

$ time node test.js 80000
real	0m6.486s
user	0m6.229s
sys	0m0.094s

Recommendation

Update to version 2.6.0 or later.

Details about uglify-js@1.2.5

Summary:

xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection

Details:

Details about xmlhttprequest@1.4.2

Summary:

useragent Regular Expression Denial of Service vulnerability

Details:

Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS).

PoC

async function exploit() {
   const useragent = require(\"useragent\");

   // Create a malicious user-agent that leads to excessive backtracking
   const maliciousUserAgent = 'Mozilla/5.0 (' + 'X'.repeat(30000) + ') Gecko/20100101 Firefox/77.0';

   // Parse the malicious user-agent
   const agent = useragent.parse(maliciousUserAgent);

   // Call the toString method to trigger the vulnerability
   const result = await agent.device.toString();
   console.log(result);
}

await exploit();

Details about useragent@2.3.0

Summary:

tmp allows arbitrary temporary file / directory write via symbolic link dir parameter

Details:

Summary

tmp@0.2.3 is vulnerable to an Arbitrary temporary file / directory write via symbolic link dir parameter.

Details

According to the documentation there are some conditions that must be held:

// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L41-L50

Other breaking changes, i.e.

- template must be relative to tmpdir
- name must be relative to tmpdir
- dir option must be relative to tmpdir //<-- this assumption can be bypassed using symlinks

are still in place.

In order to override the system's tmpdir, you will have to use the newly
introduced tmpdir option.


// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L375
* `dir`: the optional temporary directory that must be relative to the system's default temporary directory.
     absolute paths are fine as long as they point to a location under the system's default temporary directory.
     Any directories along the so specified path must exist, otherwise a ENOENT error will be thrown upon access, 
     as tmp will not check the availability of the path, nor will it establish the requested path for you.

Related issue: https://github.com/raszi/node-tmp/issues/207.

The issue occurs because _resolvePath does not properly handle symbolic link when resolving paths:

// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L573-L579
function _resolvePath(name, tmpDir) {
  if (name.startsWith(tmpDir)) {
    return path.resolve(name);
  } else {
    return path.resolve(path.join(tmpDir, name));
  }
}

If the dir parameter points to a symlink that resolves to a folder outside the tmpDir, it's possible to bypass the _assertIsRelative check used in _assertAndSanitizeOptions:

// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L590-L609
function _assertIsRelative(name, option, tmpDir) {
  if (option === 'name') {
    // assert that name is not absolute and does not contain a path
    if (path.isAbsolute(name))
      throw new Error(`${option} option must not contain an absolute path, found "${name}".`);
    // must not fail on valid .<name> or ..<name> or similar such constructs
    let basename = path.basename(name);
    if (basename === '..' || basename === '.' || basename !== name)
      throw new Error(`${option} option must not contain a path, found "${name}".`);
  }
  else { // if (option === 'dir' || option === 'template') {
    // assert that dir or template are relative to tmpDir
    if (path.isAbsolute(name) && !name.startsWith(tmpDir)) {
      throw new Error(`${option} option must be relative to "${tmpDir}", found "${name}".`);
    }
    let resolvedPath = _resolvePath(name, tmpDir); //<--- 
    if (!resolvedPath.startsWith(tmpDir))
      throw new Error(`${option} option must be relative to "${tmpDir}", found "${resolvedPath}".`);
  }
}

PoC

The following PoC demonstrates how writing a tmp file on a folder outside the tmpDir is possible. Tested on a Linux machine.

Setup: create a symbolic link inside the tmpDir that points to a directory outside of it

mkdir $HOME/mydir1

ln -s $HOME/mydir1 ${TMPDIR:-/tmp}/evil-dir

check the folder is empty:

ls -lha $HOME/mydir1 | grep "tmp-"

run the poc

node main.js
File:  /tmp/evil-dir/tmp-26821-Vw87SLRaBIlf
test 1: ENOENT: no such file or directory, open '/tmp/mydir1/tmp-[random-id]'
test 2: dir option must be relative to "/tmp", found "/foo".
test 3: dir option must be relative to "/tmp", found "/home/user/mydir1".

the temporary file is created under $HOME/mydir1 (outside the tmpDir):

ls -lha $HOME/mydir1 | grep "tmp-"
-rw------- 1 user user    0 Apr  X XX:XX tmp-[random-id]

main.js

// npm i tmp@0.2.3

const tmp = require('tmp');

const tmpobj = tmp.fileSync({ 'dir': 'evil-dir'});
console.log('File: ', tmpobj.name);

try {
    tmp.fileSync({ 'dir': 'mydir1'});
} catch (err) {
    console.log('test 1:', err.message)
}

try {
    tmp.fileSync({ 'dir': '/foo'});
} catch (err) {
    console.log('test 2:', err.message)
}

try {
    const fs = require('node:fs');
    const resolved = fs.realpathSync('/tmp/evil-dir');
    tmp.fileSync({ 'dir': resolved});
} catch (err) {
    console.log('test 3:', err.message)
}

A Potential fix could be to call fs.realpathSync (or similar) that resolves also symbolic links.

function _resolvePath(name, tmpDir) {
  let resolvedPath;
  if (name.startsWith(tmpDir)) {
    resolvedPath = path.resolve(name);
  } else {
    resolvedPath = path.resolve(path.join(tmpDir, name));
  }
  return fs.realpathSync(resolvedPath);
}

Impact

Arbitrary temporary file / directory write via symlink

Details about tmp@0.0.33

Summary:

Denial of Service in http-proxy

Details:

For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:
curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"

Recommendation

Upgrade to version 1.18.1 or later

Details about http-proxy@0.10.4

Version Details and Security Vulnerabilities

karma

Comparision Betweeen 0.12.35 and 0.12.34

Version 0.12.35 Details

Security Vulnerabilities

Version Details and Security Vulnerabilities

karma

Comparision Betweeen 0.12.35 and 0.12.34

Version 0.12.35 Details

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

karma@0.12.35 GHSA-7x7c-qm48-pq9c 6.1

karma@0.12.35 GHSA-rc3x-jf5g-xvc5 5.4

lodash@3.10.1 GHSA-jf85-cpcp-j695 9.1

Recommendation

lodash@3.10.1 GHSA-fvqr-27wr-82fm 6.5

Recommendation

lodash@3.10.1 GHSA-4xc9-xhrj-v574 N/A

Recommendation

lodash@3.10.1 GHSA-x5rq-j2xg-h7qm N/A

lodash@3.10.1 GHSA-p6mc-m468-83gw 7.4

lodash@3.10.1 GHSA-29mw-wpgm-hmr9 5.3

lodash@3.10.1 GHSA-35jh-r3h4-6jhm 7.2

log4js@0.6.38 GHSA-82v2-mx6x-wq7q 5.5

Impact

Patches

Workarounds

References

For more information

semver@4.3.6 GHSA-c2qf-rxjj-qqgw 7.5

basic-auth-connect@1.0.0 GHSA-7p89-p6hx-q4fw 8.7

Impact

Patches

References

body-parser@1.13.3 GHSA-qwcr-r2fm-qrc7 8.7

Impact

Patches

References

cookie@0.1.3 GHSA-pxg6-pf52-xh8x N/A

Impact

Patches

Workarounds

References

negotiator@0.5.3 GHSA-7mc5-chhp-fmc3 N/A

Recommendation

ms@0.7.1 GHSA-w9mr-4mfr-499f 5.3

debug@2.2.0 GHSA-9vvw-cc9w-f27h 7.5

debug@2.2.0 GHSA-gxpj-cx7g-858c 3.7

Recommendation

base64-url@1.2.1 GHSA-j4mr-9xw3-c9jx N/A

Recommendation

fresh@0.3.0 GHSA-9qj9-36jm-prpv 7.5

Recommendation

morgan@1.6.1 GHSA-gwg9-rgvj-4h5j 9.8

Recommendation

on-headers@1.0.2 GHSA-76c9-3jph-rj3q 3.4

Impact

Patches

Workarounds

qs@4.0.0 GHSA-gqgv-6jq5-jjj9 7.5

Recommendation

qs@4.0.0 GHSA-hrpp-h998-j3pp 7.5

serve-static@1.10.3 GHSA-cm22-4g7w-348p 2.3

Impact

Patches

Workarounds

Details

send@0.13.2 GHSA-m6fv-jmcg-4jfg 2.3

Impact

Patches

Workarounds

Details

micromatch@2.3.11 GHSA-952p-6rrq-rcjv 5.3

braces@1.8.5 GHSA-cwfw-4gq5-mrqx N/A

braces@1.8.5 GHSA-g95f-p29q-9xw4 3.7

Recommendation