Skip to content

web3-1.10.4.tgz: 27 vulnerabilities (highest severity is: 9.8) #41

Description

@mend-bolt-for-github
Vulnerable Library - web3-1.10.4.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (web3 version) Remediation Possible**
CVE-2026-41907 Critical 9.8 detected in multiple dependencies Transitive N/A*
CVE-2025-6545 Critical 9.3 pbkdf2-3.1.2.tgz Transitive 4.0.1
CVE-2026-23950 High 8.8 tar-4.4.19.tgz Transitive 4.0.1
CVE-2025-9288 High 8.7 sha.js-2.4.11.tgz Transitive 4.0.1
CVE-2025-7783 High 8.7 form-data-2.3.3.tgz Transitive 4.0.1
CVE-2026-24842 High 8.2 tar-4.4.19.tgz Transitive 4.0.1
CVE-2026-48779 High 7.5 ws-3.3.3.tgz Transitive N/A*
CVE-2026-45822 High 7.5 decode-uri-component-0.2.2.tgz Transitive 4.0.1
CVE-2026-12143 High 7.5 form-data-2.3.3.tgz Transitive 4.0.1
CVE-2025-57330 High 7.5 web3-core-subscriptions-1.10.4.tgz Transitive N/A*
CVE-2024-37890 High 7.5 ws-3.3.3.tgz Transitive 4.0.1
CVE-2024-21505 High 7.5 web3-utils-1.10.4.tgz Transitive N/A*
CVE-2026-31802 High 7.1 tar-4.4.19.tgz Transitive N/A*
CVE-2026-29786 High 7.1 tar-4.4.19.tgz Transitive N/A*
CVE-2026-26960 High 7.1 tar-4.4.19.tgz Transitive 4.0.1
CVE-2026-23745 High 7.1 tar-4.4.19.tgz Transitive N/A*
CVE-2025-6547 Medium 6.8 pbkdf2-3.1.2.tgz Transitive 4.0.1
CVE-2024-28863 Medium 6.5 tar-4.4.19.tgz Transitive N/A*
CVE-2023-26136 Medium 6.5 tough-cookie-2.5.0.tgz Transitive 4.0.1
CVE-2026-53655 Medium 6.2 tar-4.4.19.tgz Transitive N/A*
CVE-2023-28155 Medium 6.1 request-2.88.2.tgz Transitive N/A*
CVE-2025-14505 Medium 5.6 elliptic-6.6.1.tgz Transitive N/A*
CVE-2026-2739 Medium 5.3 detected in multiple dependencies Transitive N/A*
CVE-2025-57352 Medium 5.3 min-document-2.19.0.tgz Transitive N/A*
CVE-2026-2391 Low 3.7 qs-6.5.3.tgz Transitive 4.0.1
CVE-2025-15284 Low 3.7 qs-6.5.3.tgz Transitive 4.0.1
CVE-2025-69873 Low 2.9 ajv-6.12.6.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (21 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2026-41907

Vulnerable Libraries - uuid-9.0.1.tgz, uuid-3.4.0.tgz

uuid-9.0.1.tgz

Library home page: https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz

Path to dependency file: /api-gateway/package.json

Path to vulnerable library: /api-gateway/node_modules/uuid/package.json,/token-incentive-system/node_modules/web3-eth-accounts/node_modules/uuid/package.json,/ar-vr-experience/node_modules/web3-eth-accounts/node_modules/uuid/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-eth-1.10.4.tgz
      • web3-eth-accounts-1.10.4.tgz
        • uuid-9.0.1.tgz (Vulnerable Library)

uuid-3.4.0.tgz

RFC4122 (v1, v4, and v5) UUIDs

Library home page: https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/webpack-log/node_modules/uuid/package.json,/ar-vr-experience/node_modules/request/node_modules/uuid/package.json,/token-incentive-system/node_modules/request/node_modules/uuid/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • eth-lib-0.1.29.tgz
          • servify-0.1.12.tgz
            • request-2.88.2.tgz
              • uuid-3.4.0.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.

Publish Date: 2026-04-24

URL: CVE-2026-41907

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w5hq-g745-h8pq

Release Date: 2026-04-24

Fix Resolution: https://github.com/uuidjs/uuid.git - v11.1.1,https://github.com/uuidjs/uuid.git - v13.0.1,https://github.com/uuidjs/uuid.git - v12.0.1

Step up your Open Source Security Game with Mend here

CVE-2025-6545

Vulnerable Library - pbkdf2-3.1.2.tgz

This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()

Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.2.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/pbkdf2/package.json,/on_chain_payment_solution/dapp/node_modules/pbkdf2/package.json,/token-incentive-system/node_modules/pbkdf2/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-eth-1.10.4.tgz
      • web3-eth-accounts-1.10.4.tgz
        • common-2.6.5.tgz
          • ethereumjs-util-7.1.5.tgz
            • ethereum-cryptography-0.1.3.tgz
              • pbkdf2-3.1.2.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js.
This issue affects pbkdf2: from 3.0.10 through 3.1.2.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-06-23

URL: CVE-2025-6545

CVSS 3 Score Details (9.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h7cp-r72f-jxh6

Release Date: 2025-06-23

Fix Resolution (pbkdf2): 3.1.3

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2026-23950

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • tar-4.4.19.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the "path-reservations" system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., "ß" and "ss"), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a "PathReservations" system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using "NFD" Unicode normalization (in which "ß" and "ss" are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which "ß" causes an inode collision with "ss")). This enables an attacker to circumvent internal parallelization locks ("PathReservations") using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates "path-reservations.js" to use a normalization form that matches the target filesystem's behavior (e.g., "NFKD"), followed by first "toLocaleLowerCase('en')" and then "toLocaleUpperCase('en')". As a workaround, users who cannot upgrade promptly, and who are programmatically using "node-tar" to extract arbitrary tarball data should filter out all "SymbolicLink" entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.

Publish Date: 2026-01-20

URL: CVE-2026-23950

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r6q2-hw4h-h46w

Release Date: 2026-01-20

Fix Resolution (tar): 7.5.4

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2025-9288

Vulnerable Library - sha.js-2.4.11.tgz

Streamable SHA hashes in pure javascript

Library home page: https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz

Path to dependency file: /token-incentive-system/package.json

Path to vulnerable library: /token-incentive-system/node_modules/sha.js/package.json,/api-gateway/node_modules/sha.js/package.json,/ar-vr-experience/node_modules/sha.js/package.json,/on_chain_payment_solution/dapp/node_modules/sha.js/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-eth-1.10.4.tgz
      • web3-eth-accounts-1.10.4.tgz
        • common-2.6.5.tgz
          • ethereumjs-util-7.1.5.tgz
            • create-hash-1.2.0.tgz
              • sha.js-2.4.11.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in sha.js allows Input Data Manipulation.This issue affects sha.js: through 2.4.11.

Publish Date: 2025-08-20

URL: CVE-2025-9288

CVSS 3 Score Details (8.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-08-20

Fix Resolution (sha.js): 2.4.12

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2025-7783

Vulnerable Library - form-data-2.3.3.tgz

A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.

Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/request/node_modules/form-data/package.json,/token-incentive-system/node_modules/request/node_modules/form-data/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • eth-lib-0.1.29.tgz
          • servify-0.1.12.tgz
            • request-2.88.2.tgz
              • form-data-2.3.3.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-07-18

URL: CVE-2025-7783

CVSS 3 Score Details (8.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fjxv-7rqg-78g4

Release Date: 2025-07-18

Fix Resolution (form-data): 2.5.4

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2026-24842

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • tar-4.4.19.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

Publish Date: 2026-01-28

URL: CVE-2026-24842

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-01-28

Fix Resolution (tar): 7.5.7

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2026-48779

Vulnerable Library - ws-3.3.3.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-3.3.3.tgz

Path to dependency file: /token-incentive-system/package.json

Path to vulnerable library: /token-incentive-system/node_modules/eth-lib/node_modules/ws/package.json,/ar-vr-experience/node_modules/eth-lib/node_modules/ws/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • eth-lib-0.1.29.tgz
          • ws-3.3.3.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.

Publish Date: 2026-06-16

URL: CVE-2026-48779

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-06-16

Fix Resolution: https://github.com/websockets/ws.git - 7.5.11,https://github.com/websockets/ws.git - 8.21.0,https://github.com/websockets/ws.git - 6.2.4,https://github.com/websockets/ws.git - 5.2.5

Step up your Open Source Security Game with Mend here

CVE-2026-45822

Vulnerable Library - decode-uri-component-0.2.2.tgz

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.2.tgz

Path to dependency file: /token-incentive-system/package.json

Path to vulnerable library: /token-incentive-system/node_modules/decode-uri-component/package.json,/ar-vr-experience/node_modules/decode-uri-component/package.json,/on_chain_payment_solution/dapp/node_modules/decode-uri-component/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • xhr-request-1.1.0.tgz
          • query-string-5.1.1.tgz
            • decode-uri-component-0.2.2.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

decode-uri-component through 0.4.1 is vulnerable to denial of service. The decode() function splits input on '%' producing N tokens and calls decodeComponents(), exhibiting super-linear parsing time: 200 '%ab' tokens takes approximately 0.7s, 700 tokens approximately 6s, and 1400 tokens approximately 33s. An attacker can cause significant CPU consumption and event-loop blocking via crafted input.

Publish Date: 2026-06-30

URL: CVE-2026-45822

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-06-30

Fix Resolution (decode-uri-component): 0.5.0

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2026-12143

Vulnerable Library - form-data-2.3.3.tgz

A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.

Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/request/node_modules/form-data/package.json,/token-incentive-system/node_modules/request/node_modules/form-data/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • eth-lib-0.1.29.tgz
          • servify-0.1.12.tgz
            • request-2.88.2.tgz
              • form-data-2.3.3.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the "field" argument to "FormData#append" and the "filename" option are concatenated verbatim into the "Content-Disposition" header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set "is_admin=true") seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and """ as "%0D", "%0A", and "%22" in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.

Publish Date: 2026-06-12

URL: CVE-2026-12143

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/form-data/form-data/security/advisories/GHSA-fjwh-7mfq-fhwh

Release Date: 2026-06-12

Fix Resolution (form-data): 2.5.6

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2025-57330

Vulnerable Library - web3-core-subscriptions-1.10.4.tgz

Library home page: https://registry.npmjs.org/web3-core-subscriptions/-/web3-core-subscriptions-1.10.4.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/web3-core-subscriptions/package.json,/token-incentive-system/node_modules/web3-core-subscriptions/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-shh-1.10.4.tgz
      • web3-core-subscriptions-1.10.4.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

The web3-core-subscriptions is a package designed to manages web3 subscriptions. A Prototype Pollution vulnerability in the attachToObject function of web3-core-subscriptions version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.

Publish Date: 2025-09-24

URL: CVE-2025-57330

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2024-37890

Vulnerable Library - ws-3.3.3.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-3.3.3.tgz

Path to dependency file: /token-incentive-system/package.json

Path to vulnerable library: /token-incentive-system/node_modules/eth-lib/node_modules/ws/package.json,/ar-vr-experience/node_modules/eth-lib/node_modules/ws/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • eth-lib-0.1.29.tgz
          • ws-3.3.3.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

Publish Date: 2024-06-17

URL: CVE-2024-37890

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3h5v-q93c-6h6q

Release Date: 2024-06-17

Fix Resolution (ws): 5.2.4

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2024-21505

Vulnerable Library - web3-utils-1.10.4.tgz

Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.10.4.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/web3-utils/package.json,/token-incentive-system/node_modules/web3-utils/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-utils-1.10.4.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge.
An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.

Publish Date: 2024-03-25

URL: CVE-2024-21505

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2g4c-8fpm-c46v

Release Date: 2024-03-25

Fix Resolution: web3-utils - 4.2.1

Step up your Open Source Security Game with Mend here

CVE-2026-31802

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • tar-4.4.19.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.

Publish Date: 2026-03-09

URL: CVE-2026-31802

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-09

Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.11

Step up your Open Source Security Game with Mend here

CVE-2026-29786

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • tar-4.4.19.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.

Publish Date: 2026-03-07

URL: CVE-2026-29786

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-07

Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.10

Step up your Open Source Security Game with Mend here

CVE-2026-26960

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • tar-4.4.19.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.

Publish Date: 2026-02-20

URL: CVE-2026-26960

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-02-18

Fix Resolution (tar): 7.5.8

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2026-23745

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • tar-4.4.19.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

Publish Date: 2026-01-16

URL: CVE-2026-23745

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-01-16

Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.3

Step up your Open Source Security Game with Mend here

CVE-2025-6547

Vulnerable Library - pbkdf2-3.1.2.tgz

This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()

Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.2.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/pbkdf2/package.json,/on_chain_payment_solution/dapp/node_modules/pbkdf2/package.json,/token-incentive-system/node_modules/pbkdf2/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-eth-1.10.4.tgz
      • web3-eth-accounts-1.10.4.tgz
        • common-2.6.5.tgz
          • ethereumjs-util-7.1.5.tgz
            • ethereum-cryptography-0.1.3.tgz
              • pbkdf2-3.1.2.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: <=3.1.2.

Publish Date: 2025-06-23

URL: CVE-2025-6547

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-v62p-rq8g-8h59

Release Date: 2025-06-23

Fix Resolution (pbkdf2): 3.1.3

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2024-28863

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • tar-4.4.19.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

Publish Date: 2024-03-21

URL: CVE-2024-28863

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-f5x3-32g6-xq36

Release Date: 2024-03-21

Fix Resolution: tar - 6.2.1

Step up your Open Source Security Game with Mend here

CVE-2023-26136

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/request/node_modules/tough-cookie/package.json,/token-incentive-system/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • eth-lib-0.1.29.tgz
          • servify-0.1.12.tgz
            • request-2.88.2.tgz
              • tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2026-53655

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • tar-4.4.19.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (node-tar) applies a PAX extended header's size= record (and other PAX overrides) to the next header entry of any type, including intermediary metadata headers such as a GNU long-name (L) or long-link (K) entry. Per POSIX pax, a PAX extended header (x) describes the next file entry, not the intermediary extension headers that may sit between the x header and the file it annotates. Because node-tar lets the PAX size override the byte length of an intervening L/K/x header, an attacker can desynchronize node-tar's stream cursor relative to every other mainstream tar implementation (GNU tar, libarchive/bsdtar, Python tarfile, and the now-fixed tar-rs / astral-tokio-tar). The result is a tar parser interpretation differential (CWE-436): a single crafted archive yields a different set of members under node-tar than under the reference tar tools. An attacker can use this to hide a member from one parser while it is visible to another, which defeats security tooling whose scanner and extractor disagree on archive contents (e.g. a malware/secret scanner that lists entries with one library while a downstream step extracts with another) This vulnerability is fixed in 7.5.16.

Publish Date: 2026-06-22

URL: CVE-2026-53655

CVSS 3 Score Details (6.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vmf3-w455-68vh

Release Date: 2026-06-15

Fix Resolution: tar - 7.5.16

Step up your Open Source Security Game with Mend here

CVE-2023-28155

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/request/package.json,/token-incentive-system/node_modules/request/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • eth-lib-0.1.29.tgz
          • servify-0.1.12.tgz
            • request-2.88.2.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @⁠cypress/request - 3.0.0

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions