Vulnerable Library - web3-1.10.4.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (21 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2026-41907
Vulnerable Libraries - uuid-9.0.1.tgz, uuid-3.4.0.tgz
uuid-9.0.1.tgz
Library home page: https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz
Path to dependency file: /api-gateway/package.json
Path to vulnerable library: /api-gateway/node_modules/uuid/package.json,/token-incentive-system/node_modules/web3-eth-accounts/node_modules/uuid/package.json,/ar-vr-experience/node_modules/web3-eth-accounts/node_modules/uuid/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-eth-1.10.4.tgz
- web3-eth-accounts-1.10.4.tgz
- ❌ uuid-9.0.1.tgz (Vulnerable Library)
uuid-3.4.0.tgz
RFC4122 (v1, v4, and v5) UUIDs
Library home page: https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz
Path to dependency file: /on_chain_payment_solution/dapp/package.json
Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/webpack-log/node_modules/uuid/package.json,/ar-vr-experience/node_modules/request/node_modules/uuid/package.json,/token-incentive-system/node_modules/request/node_modules/uuid/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- servify-0.1.12.tgz
- request-2.88.2.tgz
- ❌ uuid-3.4.0.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.
Publish Date: 2026-04-24
URL: CVE-2026-41907
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-w5hq-g745-h8pq
Release Date: 2026-04-24
Fix Resolution: https://github.com/uuidjs/uuid.git - v11.1.1,https://github.com/uuidjs/uuid.git - v13.0.1,https://github.com/uuidjs/uuid.git - v12.0.1
Step up your Open Source Security Game with Mend here
CVE-2025-6545
Vulnerable Library - pbkdf2-3.1.2.tgz
This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()
Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.2.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/pbkdf2/package.json,/on_chain_payment_solution/dapp/node_modules/pbkdf2/package.json,/token-incentive-system/node_modules/pbkdf2/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-eth-1.10.4.tgz
- web3-eth-accounts-1.10.4.tgz
- common-2.6.5.tgz
- ethereumjs-util-7.1.5.tgz
- ethereum-cryptography-0.1.3.tgz
- ❌ pbkdf2-3.1.2.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js.
This issue affects pbkdf2: from 3.0.10 through 3.1.2.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-23
URL: CVE-2025-6545
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-h7cp-r72f-jxh6
Release Date: 2025-06-23
Fix Resolution (pbkdf2): 3.1.3
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2026-23950
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- ❌ tar-4.4.19.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the "path-reservations" system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., "ß" and "ss"), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a "PathReservations" system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using "NFD" Unicode normalization (in which "ß" and "ss" are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which "ß" causes an inode collision with "ss")). This enables an attacker to circumvent internal parallelization locks ("PathReservations") using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates "path-reservations.js" to use a normalization form that matches the target filesystem's behavior (e.g., "NFKD"), followed by first "toLocaleLowerCase('en')" and then "toLocaleUpperCase('en')". As a workaround, users who cannot upgrade promptly, and who are programmatically using "node-tar" to extract arbitrary tarball data should filter out all "SymbolicLink" entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
Publish Date: 2026-01-20
URL: CVE-2026-23950
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-r6q2-hw4h-h46w
Release Date: 2026-01-20
Fix Resolution (tar): 7.5.4
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2025-9288
Vulnerable Library - sha.js-2.4.11.tgz
Streamable SHA hashes in pure javascript
Library home page: https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz
Path to dependency file: /token-incentive-system/package.json
Path to vulnerable library: /token-incentive-system/node_modules/sha.js/package.json,/api-gateway/node_modules/sha.js/package.json,/ar-vr-experience/node_modules/sha.js/package.json,/on_chain_payment_solution/dapp/node_modules/sha.js/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-eth-1.10.4.tgz
- web3-eth-accounts-1.10.4.tgz
- common-2.6.5.tgz
- ethereumjs-util-7.1.5.tgz
- create-hash-1.2.0.tgz
- ❌ sha.js-2.4.11.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in sha.js allows Input Data Manipulation.This issue affects sha.js: through 2.4.11.
Publish Date: 2025-08-20
URL: CVE-2025-9288
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-08-20
Fix Resolution (sha.js): 2.4.12
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2025-7783
Vulnerable Library - form-data-2.3.3.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/request/node_modules/form-data/package.json,/token-incentive-system/node_modules/request/node_modules/form-data/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- servify-0.1.12.tgz
- request-2.88.2.tgz
- ❌ form-data-2.3.3.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-18
URL: CVE-2025-7783
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-fjxv-7rqg-78g4
Release Date: 2025-07-18
Fix Resolution (form-data): 2.5.4
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2026-24842
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- ❌ tar-4.4.19.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Publish Date: 2026-01-28
URL: CVE-2026-24842
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-28
Fix Resolution (tar): 7.5.7
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2026-48779
Vulnerable Library - ws-3.3.3.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-3.3.3.tgz
Path to dependency file: /token-incentive-system/package.json
Path to vulnerable library: /token-incentive-system/node_modules/eth-lib/node_modules/ws/package.json,/ar-vr-experience/node_modules/eth-lib/node_modules/ws/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- ❌ ws-3.3.3.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.
Publish Date: 2026-06-16
URL: CVE-2026-48779
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-16
Fix Resolution: https://github.com/websockets/ws.git - 7.5.11,https://github.com/websockets/ws.git - 8.21.0,https://github.com/websockets/ws.git - 6.2.4,https://github.com/websockets/ws.git - 5.2.5
Step up your Open Source Security Game with Mend here
CVE-2026-45822
Vulnerable Library - decode-uri-component-0.2.2.tgz
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.2.tgz
Path to dependency file: /token-incentive-system/package.json
Path to vulnerable library: /token-incentive-system/node_modules/decode-uri-component/package.json,/ar-vr-experience/node_modules/decode-uri-component/package.json,/on_chain_payment_solution/dapp/node_modules/decode-uri-component/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- xhr-request-1.1.0.tgz
- query-string-5.1.1.tgz
- ❌ decode-uri-component-0.2.2.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
decode-uri-component through 0.4.1 is vulnerable to denial of service. The decode() function splits input on '%' producing N tokens and calls decodeComponents(), exhibiting super-linear parsing time: 200 '%ab' tokens takes approximately 0.7s, 700 tokens approximately 6s, and 1400 tokens approximately 33s. An attacker can cause significant CPU consumption and event-loop blocking via crafted input.
Publish Date: 2026-06-30
URL: CVE-2026-45822
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-30
Fix Resolution (decode-uri-component): 0.5.0
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2026-12143
Vulnerable Library - form-data-2.3.3.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/request/node_modules/form-data/package.json,/token-incentive-system/node_modules/request/node_modules/form-data/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- servify-0.1.12.tgz
- request-2.88.2.tgz
- ❌ form-data-2.3.3.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the "field" argument to "FormData#append" and the "filename" option are concatenated verbatim into the "Content-Disposition" header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set "is_admin=true") seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and """ as "%0D", "%0A", and "%22" in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.
Publish Date: 2026-06-12
URL: CVE-2026-12143
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://github.com/form-data/form-data/security/advisories/GHSA-fjwh-7mfq-fhwh
Release Date: 2026-06-12
Fix Resolution (form-data): 2.5.6
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2025-57330
Vulnerable Library - web3-core-subscriptions-1.10.4.tgz
Library home page: https://registry.npmjs.org/web3-core-subscriptions/-/web3-core-subscriptions-1.10.4.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/web3-core-subscriptions/package.json,/token-incentive-system/node_modules/web3-core-subscriptions/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-shh-1.10.4.tgz
- ❌ web3-core-subscriptions-1.10.4.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
The web3-core-subscriptions is a package designed to manages web3 subscriptions. A Prototype Pollution vulnerability in the attachToObject function of web3-core-subscriptions version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
Publish Date: 2025-09-24
URL: CVE-2025-57330
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Step up your Open Source Security Game with Mend here
CVE-2024-37890
Vulnerable Library - ws-3.3.3.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-3.3.3.tgz
Path to dependency file: /token-incentive-system/package.json
Path to vulnerable library: /token-incentive-system/node_modules/eth-lib/node_modules/ws/package.json,/ar-vr-experience/node_modules/eth-lib/node_modules/ws/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- ❌ ws-3.3.3.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: 2024-06-17
URL: CVE-2024-37890
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-3h5v-q93c-6h6q
Release Date: 2024-06-17
Fix Resolution (ws): 5.2.4
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2024-21505
Vulnerable Library - web3-utils-1.10.4.tgz
Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.10.4.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/web3-utils/package.json,/token-incentive-system/node_modules/web3-utils/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- ❌ web3-utils-1.10.4.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge.
An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.
Publish Date: 2024-03-25
URL: CVE-2024-21505
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2g4c-8fpm-c46v
Release Date: 2024-03-25
Fix Resolution: web3-utils - 4.2.1
Step up your Open Source Security Game with Mend here
CVE-2026-31802
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- ❌ tar-4.4.19.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Publish Date: 2026-03-09
URL: CVE-2026-31802
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-09
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.11
Step up your Open Source Security Game with Mend here
CVE-2026-29786
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- ❌ tar-4.4.19.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
Publish Date: 2026-03-07
URL: CVE-2026-29786
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-07
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.10
Step up your Open Source Security Game with Mend here
CVE-2026-26960
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- ❌ tar-4.4.19.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Publish Date: 2026-02-20
URL: CVE-2026-26960
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-18
Fix Resolution (tar): 7.5.8
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2026-23745
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- ❌ tar-4.4.19.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Publish Date: 2026-01-16
URL: CVE-2026-23745
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-16
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.3
Step up your Open Source Security Game with Mend here
CVE-2025-6547
Vulnerable Library - pbkdf2-3.1.2.tgz
This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()
Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.2.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/pbkdf2/package.json,/on_chain_payment_solution/dapp/node_modules/pbkdf2/package.json,/token-incentive-system/node_modules/pbkdf2/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-eth-1.10.4.tgz
- web3-eth-accounts-1.10.4.tgz
- common-2.6.5.tgz
- ethereumjs-util-7.1.5.tgz
- ethereum-cryptography-0.1.3.tgz
- ❌ pbkdf2-3.1.2.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: <=3.1.2.
Publish Date: 2025-06-23
URL: CVE-2025-6547
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v62p-rq8g-8h59
Release Date: 2025-06-23
Fix Resolution (pbkdf2): 3.1.3
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2024-28863
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- ❌ tar-4.4.19.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
Publish Date: 2024-03-21
URL: CVE-2024-28863
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-f5x3-32g6-xq36
Release Date: 2024-03-21
Fix Resolution: tar - 6.2.1
Step up your Open Source Security Game with Mend here
CVE-2023-26136
Vulnerable Library - tough-cookie-2.5.0.tgz
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/request/node_modules/tough-cookie/package.json,/token-incentive-system/node_modules/tough-cookie/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- servify-0.1.12.tgz
- request-2.88.2.tgz
- ❌ tough-cookie-2.5.0.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution (tough-cookie): 4.1.3
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2026-53655
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- ❌ tar-4.4.19.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (node-tar) applies a PAX extended header's size= record (and other PAX overrides) to the next header entry of any type, including intermediary metadata headers such as a GNU long-name (L) or long-link (K) entry. Per POSIX pax, a PAX extended header (x) describes the next file entry, not the intermediary extension headers that may sit between the x header and the file it annotates. Because node-tar lets the PAX size override the byte length of an intervening L/K/x header, an attacker can desynchronize node-tar's stream cursor relative to every other mainstream tar implementation (GNU tar, libarchive/bsdtar, Python tarfile, and the now-fixed tar-rs / astral-tokio-tar). The result is a tar parser interpretation differential (CWE-436): a single crafted archive yields a different set of members under node-tar than under the reference tar tools. An attacker can use this to hide a member from one parser while it is visible to another, which defeats security tooling whose scanner and extractor disagree on archive contents (e.g. a malware/secret scanner that lists entries with one library while a downstream step extracts with another) This vulnerability is fixed in 7.5.16.
Publish Date: 2026-06-22
URL: CVE-2026-53655
CVSS 3 Score Details (6.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-vmf3-w455-68vh
Release Date: 2026-06-15
Fix Resolution: tar - 7.5.16
Step up your Open Source Security Game with Mend here
CVE-2023-28155
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/request/package.json,/token-incentive-system/node_modules/request/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- servify-0.1.12.tgz
- ❌ request-2.88.2.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
Step up your Open Source Security Game with Mend here
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Libraries - uuid-9.0.1.tgz, uuid-3.4.0.tgz
uuid-9.0.1.tgz
Library home page: https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz
Path to dependency file: /api-gateway/package.json
Path to vulnerable library: /api-gateway/node_modules/uuid/package.json,/token-incentive-system/node_modules/web3-eth-accounts/node_modules/uuid/package.json,/ar-vr-experience/node_modules/web3-eth-accounts/node_modules/uuid/package.json
Dependency Hierarchy:
uuid-3.4.0.tgz
RFC4122 (v1, v4, and v5) UUIDs
Library home page: https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz
Path to dependency file: /on_chain_payment_solution/dapp/package.json
Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/webpack-log/node_modules/uuid/package.json,/ar-vr-experience/node_modules/request/node_modules/uuid/package.json,/token-incentive-system/node_modules/request/node_modules/uuid/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.
Publish Date: 2026-04-24
URL: CVE-2026-41907
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-w5hq-g745-h8pq
Release Date: 2026-04-24
Fix Resolution: https://github.com/uuidjs/uuid.git - v11.1.1,https://github.com/uuidjs/uuid.git - v13.0.1,https://github.com/uuidjs/uuid.git - v12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - pbkdf2-3.1.2.tgz
This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()
Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.2.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/pbkdf2/package.json,/on_chain_payment_solution/dapp/node_modules/pbkdf2/package.json,/token-incentive-system/node_modules/pbkdf2/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js.
This issue affects pbkdf2: from 3.0.10 through 3.1.2.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-23
URL: CVE-2025-6545
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-h7cp-r72f-jxh6
Release Date: 2025-06-23
Fix Resolution (pbkdf2): 3.1.3
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the "path-reservations" system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., "ß" and "ss"), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a "PathReservations" system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using "NFD" Unicode normalization (in which "ß" and "ss" are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which "ß" causes an inode collision with "ss")). This enables an attacker to circumvent internal parallelization locks ("PathReservations") using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates "path-reservations.js" to use a normalization form that matches the target filesystem's behavior (e.g., "NFKD"), followed by first "toLocaleLowerCase('en')" and then "toLocaleUpperCase('en')". As a workaround, users who cannot upgrade promptly, and who are programmatically using "node-tar" to extract arbitrary tarball data should filter out all "SymbolicLink" entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
Publish Date: 2026-01-20
URL: CVE-2026-23950
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-r6q2-hw4h-h46w
Release Date: 2026-01-20
Fix Resolution (tar): 7.5.4
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - sha.js-2.4.11.tgz
Streamable SHA hashes in pure javascript
Library home page: https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz
Path to dependency file: /token-incentive-system/package.json
Path to vulnerable library: /token-incentive-system/node_modules/sha.js/package.json,/api-gateway/node_modules/sha.js/package.json,/ar-vr-experience/node_modules/sha.js/package.json,/on_chain_payment_solution/dapp/node_modules/sha.js/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in sha.js allows Input Data Manipulation.This issue affects sha.js: through 2.4.11.
Publish Date: 2025-08-20
URL: CVE-2025-9288
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-08-20
Fix Resolution (sha.js): 2.4.12
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - form-data-2.3.3.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/request/node_modules/form-data/package.json,/token-incentive-system/node_modules/request/node_modules/form-data/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-18
URL: CVE-2025-7783
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-fjxv-7rqg-78g4
Release Date: 2025-07-18
Fix Resolution (form-data): 2.5.4
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Publish Date: 2026-01-28
URL: CVE-2026-24842
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-01-28
Fix Resolution (tar): 7.5.7
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - ws-3.3.3.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-3.3.3.tgz
Path to dependency file: /token-incentive-system/package.json
Path to vulnerable library: /token-incentive-system/node_modules/eth-lib/node_modules/ws/package.json,/ar-vr-experience/node_modules/eth-lib/node_modules/ws/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.
Publish Date: 2026-06-16
URL: CVE-2026-48779
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-06-16
Fix Resolution: https://github.com/websockets/ws.git - 7.5.11,https://github.com/websockets/ws.git - 8.21.0,https://github.com/websockets/ws.git - 6.2.4,https://github.com/websockets/ws.git - 5.2.5
Step up your Open Source Security Game with Mend here
Vulnerable Library - decode-uri-component-0.2.2.tgz
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.2.tgz
Path to dependency file: /token-incentive-system/package.json
Path to vulnerable library: /token-incentive-system/node_modules/decode-uri-component/package.json,/ar-vr-experience/node_modules/decode-uri-component/package.json,/on_chain_payment_solution/dapp/node_modules/decode-uri-component/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
decode-uri-component through 0.4.1 is vulnerable to denial of service. The decode() function splits input on '%' producing N tokens and calls decodeComponents(), exhibiting super-linear parsing time: 200 '%ab' tokens takes approximately 0.7s, 700 tokens approximately 6s, and 1400 tokens approximately 33s. An attacker can cause significant CPU consumption and event-loop blocking via crafted input.
Publish Date: 2026-06-30
URL: CVE-2026-45822
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-06-30
Fix Resolution (decode-uri-component): 0.5.0
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - form-data-2.3.3.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/request/node_modules/form-data/package.json,/token-incentive-system/node_modules/request/node_modules/form-data/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the "field" argument to "FormData#append" and the "filename" option are concatenated verbatim into the "Content-Disposition" header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set "is_admin=true") seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and """ as "%0D", "%0A", and "%22" in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.
Publish Date: 2026-06-12
URL: CVE-2026-12143
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/form-data/form-data/security/advisories/GHSA-fjwh-7mfq-fhwh
Release Date: 2026-06-12
Fix Resolution (form-data): 2.5.6
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - web3-core-subscriptions-1.10.4.tgz
Library home page: https://registry.npmjs.org/web3-core-subscriptions/-/web3-core-subscriptions-1.10.4.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/web3-core-subscriptions/package.json,/token-incentive-system/node_modules/web3-core-subscriptions/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
The web3-core-subscriptions is a package designed to manages web3 subscriptions. A Prototype Pollution vulnerability in the attachToObject function of web3-core-subscriptions version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
Publish Date: 2025-09-24
URL: CVE-2025-57330
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here
Vulnerable Library - ws-3.3.3.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-3.3.3.tgz
Path to dependency file: /token-incentive-system/package.json
Path to vulnerable library: /token-incentive-system/node_modules/eth-lib/node_modules/ws/package.json,/ar-vr-experience/node_modules/eth-lib/node_modules/ws/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: 2024-06-17
URL: CVE-2024-37890
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3h5v-q93c-6h6q
Release Date: 2024-06-17
Fix Resolution (ws): 5.2.4
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - web3-utils-1.10.4.tgz
Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.10.4.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/web3-utils/package.json,/token-incentive-system/node_modules/web3-utils/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge.
An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.
Publish Date: 2024-03-25
URL: CVE-2024-21505
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-2g4c-8fpm-c46v
Release Date: 2024-03-25
Fix Resolution: web3-utils - 4.2.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Publish Date: 2026-03-09
URL: CVE-2026-31802
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-09
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.11
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
Publish Date: 2026-03-07
URL: CVE-2026-29786
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-07
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.10
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Publish Date: 2026-02-20
URL: CVE-2026-26960
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-02-18
Fix Resolution (tar): 7.5.8
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Publish Date: 2026-01-16
URL: CVE-2026-23745
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-01-16
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - pbkdf2-3.1.2.tgz
This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()
Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.2.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/pbkdf2/package.json,/on_chain_payment_solution/dapp/node_modules/pbkdf2/package.json,/token-incentive-system/node_modules/pbkdf2/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: <=3.1.2.
Publish Date: 2025-06-23
URL: CVE-2025-6547
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-v62p-rq8g-8h59
Release Date: 2025-06-23
Fix Resolution (pbkdf2): 3.1.3
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
Publish Date: 2024-03-21
URL: CVE-2024-28863
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-f5x3-32g6-xq36
Release Date: 2024-03-21
Fix Resolution: tar - 6.2.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - tough-cookie-2.5.0.tgz
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/request/node_modules/tough-cookie/package.json,/token-incentive-system/node_modules/tough-cookie/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution (tough-cookie): 4.1.3
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (node-tar) applies a PAX extended header's size= record (and other PAX overrides) to the next header entry of any type, including intermediary metadata headers such as a GNU long-name (L) or long-link (K) entry. Per POSIX pax, a PAX extended header (x) describes the next file entry, not the intermediary extension headers that may sit between the x header and the file it annotates. Because node-tar lets the PAX size override the byte length of an intervening L/K/x header, an attacker can desynchronize node-tar's stream cursor relative to every other mainstream tar implementation (GNU tar, libarchive/bsdtar, Python tarfile, and the now-fixed tar-rs / astral-tokio-tar). The result is a tar parser interpretation differential (CWE-436): a single crafted archive yields a different set of members under node-tar than under the reference tar tools. An attacker can use this to hide a member from one parser while it is visible to another, which defeats security tooling whose scanner and extractor disagree on archive contents (e.g. a malware/secret scanner that lists entries with one library while a downstream step extracts with another) This vulnerability is fixed in 7.5.16.
Publish Date: 2026-06-22
URL: CVE-2026-53655
CVSS 3 Score Details (6.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-vmf3-w455-68vh
Release Date: 2026-06-15
Fix Resolution: tar - 7.5.16
Step up your Open Source Security Game with Mend here
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/request/package.json,/token-incentive-system/node_modules/request/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
Step up your Open Source Security Game with Mend here