react-scripts-3.4.1.tgz: 28 vulnerabilities (highest severity is: 9.8)

[mend-for-github-com]

Vulnerable Library - react-scripts-3.4.1.tgz

Path to dependency file: /fixtures/nesting/package.json

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (react-scripts version)	Remediation Possible**	Reachability
CVE-2023-26136	Critical	9.8	Not Defined	0.1%	tough-cookie-2.5.0.tgz	Transitive	4.0.0	✅
CVE-2022-37601	Critical	9.8	Not Defined	0.70000005%	loader-utils-1.2.3.tgz	Transitive	4.0.0	✅
CVE-2021-42740	Critical	9.8	Not Defined	0.2%	shell-quote-1.7.2.tgz	Transitive	5.0.0	✅
CVE-2021-3757	Critical	9.8	Not Defined	0.3%	immer-1.10.0.tgz	Transitive	5.0.0	✅
CVE-2021-23436	Critical	9.8	Not Defined	0.4%	immer-1.10.0.tgz	Transitive	5.0.0	✅
CVE-2020-15256	Critical	9.8	Not Defined	0.3%	object-path-0.11.4.tgz	Transitive	3.4.4	✅
CVE-2021-23434	High	8.6	Not Defined	0.3%	object-path-0.11.4.tgz	Transitive	3.4.4	✅
CVE-2020-7660	High	8.1	Not Defined	1.0%	serialize-javascript-2.1.2.tgz	Transitive	3.4.3	✅
CVE-2024-4068	High	7.5	Not Defined	0.0%	braces-2.3.2.tgz	Transitive	N/A*	❌
CVE-2022-37603	High	7.5	Not Defined	0.6%	loader-utils-1.2.3.tgz	Transitive	4.0.0	✅
CVE-2022-24772	High	7.5	Not Defined	0.1%	node-forge-0.10.0.tgz	Transitive	5.0.0	✅
CVE-2022-24771	High	7.5	Not Defined	0.1%	node-forge-0.10.0.tgz	Transitive	5.0.0	✅
CVE-2021-3805	High	7.5	Not Defined	0.2%	object-path-0.11.4.tgz	Transitive	3.4.4	✅
CVE-2021-3803	High	7.5	Not Defined	0.2%	nth-check-1.0.2.tgz	Transitive	N/A*	❌
CVE-2021-23382	High	7.5	Not Defined	0.2%	postcss-7.0.21.tgz	Transitive	4.0.0	✅
CVE-2020-28477	High	7.5	Not Defined	0.2%	immer-1.10.0.tgz	Transitive	4.0.0	✅
CVE-2020-28469	High	7.5	Not Defined	1.2%	glob-parent-3.1.0.tgz	Transitive	5.0.0	❌
WS-2022-0008	Medium	6.6	Not Defined		node-forge-0.10.0.tgz	Transitive	5.0.0	✅
CVE-2023-28155	Medium	6.1	Not Defined	0.1%	request-2.88.2.tgz	Transitive	N/A*	❌
CVE-2022-0122	Medium	6.1	Not Defined	0.1%	node-forge-0.10.0.tgz	Transitive	5.0.0	✅
CVE-2021-24033	Medium	5.6	Not Defined	0.2%	react-dev-utils-10.2.1.tgz	Transitive	4.0.0	✅
CVE-2024-29415	Medium	5.5	Not Defined		ip-1.1.9.tgz	Transitive	N/A*	❌
CVE-2024-4067	Medium	5.3	Not Defined	0.0%	micromatch-3.1.10.tgz	Transitive	5.0.0	✅
CVE-2022-24773	Medium	5.3	Not Defined	0.1%	node-forge-0.10.0.tgz	Transitive	5.0.0	✅
CVE-2021-23368	Medium	5.3	Not Defined	0.5%	postcss-7.0.21.tgz	Transitive	4.0.0	✅
CVE-2021-23364	Medium	5.3	Not Defined	0.2%	browserslist-4.10.0.tgz	Transitive	5.0.0	✅
CVE-2020-7693	Medium	5.3	Not Defined	0.6%	sockjs-0.3.19.tgz	Transitive	3.4.2	✅
CVE-2020-7608	Medium	5.3	Not Defined	0.0%	yargs-parser-11.1.1.tgz	Transitive	3.4.2	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (20 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-26136

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /fixtures/nesting/package.json

Path to vulnerable library: /fixtures/nesting/node_modules/tough-cookie/package.json,/fixtures/concurrent/time-slicing/node_modules/tough-cookie/package.json

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • jest-environment-jsdom-fourteen-1.0.1.tgz
    • jsdom-14.1.0.tgz
      • ❌ tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (react-scripts): 4.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2022-37601

Vulnerable Library - loader-utils-1.2.3.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz

Path to dependency file: /fixtures/nesting/package.json

Path to vulnerable library: /fixtures/nesting/node_modules/adjust-sourcemap-loader/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/react-dev-utils/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/resolve-url-loader/node_modules/loader-utils/package.json

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • resolve-url-loader-3.1.1.tgz
    • ❌ loader-utils-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.70000005%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (react-scripts): 4.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2021-42740

Vulnerable Library - shell-quote-1.7.2.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz

Path to dependency file: /fixtures/nesting/package.json

Path to vulnerable library: /fixtures/nesting/node_modules/react-dev-utils/node_modules/shell-quote/package.json

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • react-dev-utils-10.2.1.tgz
    • ❌ shell-quote-1.7.2.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution (shell-quote): 1.7.3

Direct dependency fix Resolution (react-scripts): 5.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2021-3757

Vulnerable Library - immer-1.10.0.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz

Path to dependency file: /fixtures/nesting/package.json

Path to vulnerable library: /fixtures/nesting/node_modules/immer/package.json

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • react-dev-utils-10.2.1.tgz
    • ❌ immer-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-09-02

URL: CVE-2021-3757

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa/

Release Date: 2021-09-02

Fix Resolution (immer): 9.0.6

Direct dependency fix Resolution (react-scripts): 5.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2021-23436

Vulnerable Library - immer-1.10.0.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz

Path to dependency file: /fixtures/nesting/package.json

Path to vulnerable library: /fixtures/nesting/node_modules/immer/package.json

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • react-dev-utils-10.2.1.tgz
    • ❌ immer-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "proto" || p === "constructor") in applyPatches_ returns false if p is ['proto'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

Publish Date: 2021-09-01

URL: CVE-2021-23436

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.4%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23436

Release Date: 2021-09-01

Fix Resolution (immer): 9.0.6

Direct dependency fix Resolution (react-scripts): 5.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2020-15256

Vulnerable Library - object-path-0.11.4.tgz

Access deep object properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz

Path to dependency file: /fixtures/nesting/package.json

Path to vulnerable library: /fixtures/nesting/node_modules/object-path/package.json

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • resolve-url-loader-3.1.1.tgz
    • adjust-sourcemap-loader-2.0.0.tgz
      • ❌ object-path-0.11.4.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.

Publish Date: 2020-10-19

URL: CVE-2020-15256

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cwx2-736x-mf6w

Release Date: 2020-10-19

Fix Resolution (object-path): 0.11.5

Direct dependency fix Resolution (react-scripts): 3.4.4

In order to enable automatic remediation, please create workflow rules

CVE-2021-23434

Vulnerable Library - object-path-0.11.4.tgz

Access deep object properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz

Path to dependency file: /fixtures/nesting/package.json

Path to vulnerable library: /fixtures/nesting/node_modules/object-path/package.json

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • resolve-url-loader-3.1.1.tgz
    • adjust-sourcemap-loader-2.0.0.tgz
      • ❌ object-path-0.11.4.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === 'proto' returns false if currentPath is ['proto']. This is because the === operator returns always false when the type of the operands is different.

Publish Date: 2021-08-27

URL: CVE-2021-23434

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 3 Score Details (8.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23434

Release Date: 2021-08-27

Fix Resolution (object-path): 0.11.6

Direct dependency fix Resolution (react-scripts): 3.4.4

In order to enable automatic remediation, please create workflow rules

CVE-2020-7660

Vulnerable Library - serialize-javascript-2.1.2.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz

Path to dependency file: /fixtures/nesting/package.json

Path to vulnerable library: /fixtures/nesting/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • terser-webpack-plugin-2.3.5.tgz
    • ❌ serialize-javascript-2.1.2.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.0%

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-08

Fix Resolution (serialize-javascript): 3.1.0

Direct dependency fix Resolution (react-scripts): 3.4.3

In order to enable automatic remediation, please create workflow rules

CVE-2024-4068

Vulnerable Library - braces-2.3.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz

Path to dependency file: /fixtures/nesting/package.json

Path to vulnerable library: /fixtures/nesting/node_modules/fast-glob/node_modules/braces/package.json,/fixtures/nesting/node_modules/jest-config/node_modules/braces/package.json,/fixtures/ssr2/package.json,/fixtures/nesting/node_modules/jest-haste-map/node_modules/braces/package.json,/node_modules/readdirp/node_modules/braces/package.json,/fixtures/concurrent/time-slicing/node_modules/braces/package.json,/fixtures/nesting/node_modules/readdirp/node_modules/braces/package.json,/fixtures/nesting/node_modules/http-proxy-middleware/node_modules/braces/package.json,/fixtures/nesting/node_modules/webpack/node_modules/braces/package.json,/fixtures/nesting/node_modules/@jest/transform/node_modules/braces/package.json,/fixtures/nesting/node_modules/webpack-dev-server/node_modules/braces/package.json,/fixtures/nesting/node_modules/sane/node_modules/braces/package.json,/node_modules/chokidar/node_modules/braces/package.json,/fixtures/nesting/node_modules/watchpack-chokidar2/node_modules/braces/package.json,/fixtures/nesting/node_modules/fork-ts-checker-webpack-plugin/node_modules/micromatch/node_modules/braces/package.json,/fixtures/nesting/node_modules/@jest/core/node_modules/braces/package.json,/fixtures/nesting/node_modules/jest-message-util/node_modules/braces/package.json,/fixtures/fizz/package.json

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • jest-environment-jsdom-fourteen-1.0.1.tgz
    • fake-timers-24.9.0.tgz
      • jest-message-util-24.9.0.tgz
        • micromatch-3.1.10.tgz
          • ❌ braces-2.3.2.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.

Publish Date: 2024-05-14

URL: CVE-2024-4068

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-14

Fix Resolution: braces - 3.0.3

CVE-2022-37603

Vulnerable Library - loader-utils-1.2.3.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz

Path to dependency file: /fixtures/nesting/package.json

Path to vulnerable library: /fixtures/nesting/node_modules/adjust-sourcemap-loader/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/react-dev-utils/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/resolve-url-loader/node_modules/loader-utils/package.json

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • resolve-url-loader-3.1.1.tgz
    • ❌ loader-utils-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.

Publish Date: 2022-10-14

URL: CVE-2022-37603

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.6%

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3rfm-jhwj-7488

Release Date: 2022-10-14

Fix Resolution (loader-utils): 1.4.2

Direct dependency fix Resolution (react-scripts): 4.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2022-24772

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /fixtures/concurrent/time-slicing/package.json

Path to vulnerable library: /fixtures/concurrent/time-slicing/node_modules/node-forge/package.json,/fixtures/nesting/node_modules/node-forge/package.json

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • webpack-dev-server-3.10.3.tgz
    • selfsigned-1.10.14.tgz
      • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (react-scripts): 5.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2022-24771

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /fixtures/concurrent/time-slicing/package.json

Path to vulnerable library: /fixtures/concurrent/time-slicing/node_modules/node-forge/package.json,/fixtures/nesting/node_modules/node-forge/package.json

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • webpack-dev-server-3.10.3.tgz
    • selfsigned-1.10.14.tgz
      • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (react-scripts): 5.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2021-3805

Vulnerable Library - object-path-0.11.4.tgz

Access deep object properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz

Path to dependency file: /fixtures/nesting/package.json

Path to vulnerable library: /fixtures/nesting/node_modules/object-path/package.json

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • resolve-url-loader-3.1.1.tgz
    • adjust-sourcemap-loader-2.0.0.tgz
      • ❌ object-path-0.11.4.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-09-17

URL: CVE-2021-3805

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053/

Release Date: 2021-09-17

Fix Resolution (object-path): 0.11.8

Direct dependency fix Resolution (react-scripts): 3.4.4

In order to enable automatic remediation, please create workflow rules

CVE-2021-3803

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • webpack-4.3.3.tgz
    • plugin-svgo-4.3.1.tgz
      • svgo-1.3.2.tgz
        • css-select-2.1.0.tgz
          • ❌ nth-check-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-17

Fix Resolution: nth-check - v2.0.1

CVE-2021-23382

Vulnerable Library - postcss-7.0.21.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz

Path to dependency file: /fixtures/nesting/package.json

Path to vulnerable library: /fixtures/nesting/node_modules/resolve-url-loader/node_modules/postcss/package.json

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • resolve-url-loader-3.1.1.tgz
    • ❌ postcss-7.0.21.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (react-scripts): 4.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2020-28477

Vulnerable Library - immer-1.10.0.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz

Path to dependency file: /fixtures/nesting/package.json

Path to vulnerable library: /fixtures/nesting/node_modules/immer/package.json

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • react-dev-utils-10.2.1.tgz
    • ❌ immer-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

This affects all versions of package immer.

Publish Date: 2021-01-19

URL: CVE-2020-28477

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-19

Fix Resolution (immer): 8.0.1

Direct dependency fix Resolution (react-scripts): 4.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2020-28469

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • webpack-dev-server-3.10.3.tgz
    • chokidar-2.1.8.tgz
      • ❌ glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.2%

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (react-scripts): 5.0.0

WS-2022-0008

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /fixtures/concurrent/time-slicing/package.json

Path to vulnerable library: /fixtures/concurrent/time-slicing/node_modules/node-forge/package.json,/fixtures/nesting/node_modules/node-forge/package.json

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • webpack-dev-server-3.10.3.tgz
    • selfsigned-1.10.14.tgz
      • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

Threat Assessment

Exploit Maturity: Not Defined

EPSS:

CVSS 3 Score Details (6.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (react-scripts): 5.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2023-28155

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /fixtures/concurrent/time-slicing/package.json

Path to vulnerable library: /fixtures/concurrent/time-slicing/node_modules/request/package.json,/fixtures/nesting/node_modules/request/package.json

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • jest-environment-jsdom-fourteen-1.0.1.tgz
    • jsdom-14.1.0.tgz
      • ❌ request-2.88.2.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0

CVE-2022-0122

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /fixtures/concurrent/time-slicing/package.json

Path to vulnerable library: /fixtures/concurrent/time-slicing/node_modules/node-forge/package.json,/fixtures/nesting/node_modules/node-forge/package.json

Dependency Hierarchy:

• react-scripts-3.4.1.tgz (Root Library)
  • webpack-dev-server-3.10.3.tgz
    • selfsigned-1.10.14.tgz
      • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site
Mend Note: Converted from WS-2022-0007, on 2022-11-07.

Publish Date: 2022-01-06

URL: CVE-2022-0122

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (react-scripts): 5.0.0

In order to enable automatic remediation, please create workflow rules

---

In order to enable automatic remediation for this issue, please create workflow rules