Version Details and Security Vulnerabilities

📦

send

0.12.3

Comparision Betweeen 0.12.3 and 0.12.2

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Version 0.12.3 Details

Send is a Node.js module designed for efficient and feature-rich static file serving. Comparing versions 0.12.3 and 0.12.2, developers will notice incremental updates focused on dependency management and refinement. Version 0.12.3 brings updates to its dependencies, notably ms from 0.7.0 to 0.7.1, depd from ~1.0.0 to ~1.0.1, etag from ~1.5.1 to ~1.6.0 and debug from ~2.1.3 to ~2.2.0, and on-finished from ~2.2.0 to~2.2.1; these likely incorporate bug fixes and performance improvements within those modules. While mime, fresh, destroy, escape-html, and range-parser remain consistent, staying up-to-date ensures compatibility and security benefits from the updated dependencies. The development dependency versions are also different, with mocha updated from ~2.2.1 to 2.2.4 and istanbul updated from 0.3.7 to 0.3.9 in the newer release.

Send provides essential functionalities, for serving static content with features like Range requests, conditional-GET support, and streaming capabilities. The MIT license promotes flexibility for various projects. Updates to dependencies like 'etag', 'on-finished' and 'debug' suggest improvements in areas such as caching, request handling, and debugging capabilities as well. Developers should evaluate whether the updated dependencies resolve any existing issues or offer performance gains relevant to their specific use case. This package is a solid choice for developers needing a reliable and performant static file server.

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

send

0.12.3

Comparision Betweeen 0.12.3 and 0.12.2

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Version 0.12.3 Details

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.12.3 of the package send.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.12.3 of the package

Summary:

send vulnerable to template injection that can lead to XSS

Details:

Impact

passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code

Patches

this issue is patched in send 0.19.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

The attacker MUST control the input to response.redirect()
express MUST NOT redirect before the template appears
the browser MUST NOT complete redirection before:
the user MUST click on the link in the template

Details about send@0.12.3

Summary:

Vercel ms Inefficient Regular Expression Complexity vulnerability

Details:

A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.

Details about ms@0.7.1

Summary:

mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input

Details:

Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Recommendation

Update to version 2.0.3 or later.

Details about mime@1.3.4

Summary:

debug Inefficient Regular Expression Complexity vulnerability

Details:

A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability. The patch has been backported to the 2.6.x branch in version 2.6.9.

Details about debug@2.2.0

Summary:

Regular Expression Denial of Service in debug

Details:

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.

Details about debug@2.2.0

Summary:

Regular Expression Denial of Service in fresh

Details:

Affected versions of fresh are vulnerable to regular expression denial of service when parsing specially crafted user input.

Recommendation

Update to version 0.5.2 or later.

Details about fresh@0.2.4

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.12.3 of the package send.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.12.3 of the package

Summary:

send vulnerable to template injection that can lead to XSS

Details:

Impact

passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code

Patches

this issue is patched in send 0.19.0

Workarounds

Details

successful exploitation of this vector requires the following:

The attacker MUST control the input to response.redirect()
express MUST NOT redirect before the template appears
the browser MUST NOT complete redirection before:
the user MUST click on the link in the template

Details about send@0.12.3

Summary:

Vercel ms Inefficient Regular Expression Complexity vulnerability

Details:

Details about ms@0.7.1

Summary:

mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input

Details:

Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Recommendation

Update to version 2.0.3 or later.

Details about mime@1.3.4

Summary:

debug Inefficient Regular Expression Complexity vulnerability

Details:

Details about debug@2.2.0

Summary:

Regular Expression Denial of Service in debug

Details:

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.

Details about debug@2.2.0

Summary:

Regular Expression Denial of Service in fresh

Details:

Affected versions of fresh are vulnerable to regular expression denial of service when parsing specially crafted user input.

Recommendation

Update to version 0.5.2 or later.

Details about fresh@0.2.4

Version Details and Security Vulnerabilities

send

Comparision Betweeen 0.12.3 and 0.12.2

Version 0.12.3 Details

Security Vulnerabilities

Version Details and Security Vulnerabilities

send

Comparision Betweeen 0.12.3 and 0.12.2

Version 0.12.3 Details

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Impact

Patches

Workarounds

Details

Recommendation

Recommendation

Recommendation

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Impact

Patches

Workarounds

Details

Recommendation

Recommendation

Recommendation

Version Details and Security Vulnerabilities

send

Comparision Betweeen 0.12.3 and 0.12.2

Version 0.12.3 Details

Security Vulnerabilities

Version Details and Security Vulnerabilities

send

Comparision Betweeen 0.12.3 and 0.12.2

Version 0.12.3 Details

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

send@0.12.3 GHSA-m6fv-jmcg-4jfg 2.3

Impact

Patches

Workarounds

Details

ms@0.7.1 GHSA-w9mr-4mfr-499f 5.3

mime@1.3.4 GHSA-wrvr-8mpx-r7pp 7.5

Recommendation

debug@2.2.0 GHSA-9vvw-cc9w-f27h 7.5

debug@2.2.0 GHSA-gxpj-cx7g-858c 3.7

Recommendation

fresh@0.2.4 GHSA-9qj9-36jm-prpv 7.5

Recommendation

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

send@0.12.3 GHSA-m6fv-jmcg-4jfg 2.3

Impact

Patches

Workarounds

Details

ms@0.7.1 GHSA-w9mr-4mfr-499f 5.3

mime@1.3.4 GHSA-wrvr-8mpx-r7pp 7.5

Recommendation

debug@2.2.0 GHSA-9vvw-cc9w-f27h 7.5

debug@2.2.0 GHSA-gxpj-cx7g-858c 3.7

Recommendation

fresh@0.2.4 GHSA-9qj9-36jm-prpv 7.5

Recommendation