Version Details and Security Vulnerabilities

📦

xutil

1.0.11

Comparision Betweeen 1.0.11 and 1.0.10

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

4.69 KB

N/A

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

xutil

1.0.11

Comparision Betweeen 1.0.11 and 1.0.10

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

4.69 KB

N/A

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.0.11 of the package xutil.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.0.11 of the package

Summary:

Regular Expression Denial of Service in moment

Details:

Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.

Recommendation

Update to version 2.19.3 or later.

Details about moment@2.18.1

Summary:

Path Traversal: 'dir/../../filename' in moment.locale

Details:

Impact

This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr is directly used to switch moment locale.

Patches

This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).

Workarounds

Sanitize user-provided locale name before passing it to moment.js.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Open an issue in moment repo

Details about moment@2.18.1

Summary:

Moment.js vulnerable to Inefficient Regular Expression Complexity

Details:

Impact

using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs
noticeable slowdown is observed with inputs above 10k characters
users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks

Patches

The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.

Workarounds

In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.

References

There is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=

Details

The issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. moment("(".repeat(500000)) will take a few minutes to process, which is unacceptable.

Details about moment@2.18.1

Summary:

Improper Privilege Management in shelljs

Details:

shelljs is vulnerable to Improper Privilege Management

Details about shelljs@0.7.8

Summary:

Improper Privilege Management in shelljs

Details:

Impact

Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user.

Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.

Patches

Patched in shelljs 0.8.5

Workarounds

Recommended action is to upgrade to 0.8.5.

References

https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/

For more information

If you have any questions or comments about this advisory:

Ask at https://github.com/shelljs/shelljs/issues/1058
Open an issue at https://github.com/shelljs/shelljs/issues/new

Details about shelljs@0.7.8

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.0.11 of the package xutil.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.0.11 of the package

Summary:

Regular Expression Denial of Service in moment

Details:

Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.

Recommendation

Update to version 2.19.3 or later.

Details about moment@2.18.1

Summary:

Path Traversal: 'dir/../../filename' in moment.locale

Details:

Impact

This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr is directly used to switch moment locale.

Patches

This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).

Workarounds

Sanitize user-provided locale name before passing it to moment.js.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Open an issue in moment repo

Details about moment@2.18.1

Summary:

Moment.js vulnerable to Inefficient Regular Expression Complexity

Details:

Impact

using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs
noticeable slowdown is observed with inputs above 10k characters
users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks

Patches

The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.

Workarounds

References

There is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=

Details

Details about moment@2.18.1

Summary:

Improper Privilege Management in shelljs

Details:

shelljs is vulnerable to Improper Privilege Management

Details about shelljs@0.7.8

Summary:

Improper Privilege Management in shelljs

Details:

Impact

Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.

Patches

Patched in shelljs 0.8.5

Workarounds

Recommended action is to upgrade to 0.8.5.

References

https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/

For more information

If you have any questions or comments about this advisory:

Ask at https://github.com/shelljs/shelljs/issues/1058
Open an issue at https://github.com/shelljs/shelljs/issues/new

Details about shelljs@0.7.8

Version Details and Security Vulnerabilities

xutil

Comparision Betweeen 1.0.11 and 1.0.10

Security Vulnerabilities

Version Details and Security Vulnerabilities

xutil

Comparision Betweeen 1.0.11 and 1.0.10

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

moment@2.18.1 GHSA-446m-mv8f-q348 7.5

Recommendation

moment@2.18.1 GHSA-8hfj-j24r-96c4 7.5

Impact

Patches

Workarounds

References

For more information

moment@2.18.1 GHSA-wc69-rhjr-hc9g 7.5

Impact

Patches

Workarounds

References

Details

shelljs@0.7.8 GHSA-4rq4-32rv-6wp6 7.1

shelljs@0.7.8 GHSA-64g7-mvw6-v9qj N/A

Impact

Patches

Workarounds

References

For more information

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

moment@2.18.1 GHSA-446m-mv8f-q348 7.5

Recommendation

moment@2.18.1 GHSA-8hfj-j24r-96c4 7.5

Impact

Patches

Workarounds

References

For more information

moment@2.18.1 GHSA-wc69-rhjr-hc9g 7.5

Impact

Patches

Workarounds

References

Details

shelljs@0.7.8 GHSA-4rq4-32rv-6wp6 7.1

shelljs@0.7.8 GHSA-64g7-mvw6-v9qj N/A

Impact

Patches

Workarounds

References

For more information