Vulnerable Library - wrangler-2.20.1.tgz
Library home page: https://registry.npmjs.org/wrangler/-/wrangler-2.20.1.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/wrangler/package.json,/src/main/workers/api/node_modules/wrangler/package.json
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (19 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2026-0933
Vulnerable Library - wrangler-2.20.1.tgz
Library home page: https://registry.npmjs.org/wrangler/-/wrangler-2.20.1.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/wrangler/package.json,/src/main/workers/api/node_modules/wrangler/package.json
Dependency Hierarchy:
- ❌ wrangler-2.20.1.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
SummaryA command injection vulnerability (CWE-78) has been found to exist in the "wrangler pages deploy" command. The issue occurs because the "--commit-hash" parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of "--commit-hash" to execute arbitrary commands on the system running Wrangler.
Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync("git show -s --format=%B ${commitHash}")). Shell metacharacters are interpreted by the shell, enabling command execution.
ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where "wrangler pages deploy" is used in automated pipelines and the
--commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:
- Run any shell command.
- Exfiltrate environment variables.
- Compromise the CI runner to install backdoors or modify build artifacts.
Credits Disclosed responsibly by kny4hacker.
Mitigation
- Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.
- Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.
- Users on Wrangler v2 (EOL) should upgrade to a supported major version.
Publish Date: 2026-01-20
URL: CVE-2026-0933
CVSS 3 Score Details (9.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-20
Fix Resolution: 3.114.17
Step up your Open Source Security Game with Mend here
CVE-2025-12816
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/node-forge/package.json,/src/main/workers/prerender/node_modules/node-forge/package.json
Dependency Hierarchy:
- wrangler-2.20.1.tgz (Root Library)
- selfsigned-2.4.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Publish Date: 2025-11-25
URL: CVE-2025-12816
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5gfm-wpxj-wjgq
Release Date: 2025-11-25
Fix Resolution (node-forge): 1.3.2
Direct dependency fix Resolution (wrangler): 2.20.2
Step up your Open Source Security Game with Mend here
CVE-2023-7080
Vulnerable Library - wrangler-2.20.1.tgz
Library home page: https://registry.npmjs.org/wrangler/-/wrangler-2.20.1.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/wrangler/package.json,/src/main/workers/api/node_modules/wrangler/package.json
Dependency Hierarchy:
- ❌ wrangler-2.20.1.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate Origin/Host headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If wrangler dev --remote was being used, an attacker could access production resources if they were bound to the worker.
This issue was fixed in wrangler@3.19.0 and wrangler@2.20.2. Whilst wrangler dev's inspector server listens on local interfaces by default as of wrangler@3.16.0, an SSRF vulnerability in miniflare GHSA-fwvg-2739-22v7 (CVE-2023-7078) allowed access from the local network until wrangler@3.18.0. wrangler@3.19.0 and wrangler@2.20.2 introduced validation for the Origin/Host headers.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-12-29
URL: CVE-2023-7080
CVSS 3 Score Details (8.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-7080
Release Date: 2023-12-29
Fix Resolution: 2.20.2
Step up your Open Source Security Game with Mend here
CVE-2026-33895
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/node-forge/package.json,/src/main/workers/prerender/node_modules/node-forge/package.json
Dependency Hierarchy:
- wrangler-2.20.1.tgz (Root Library)
- selfsigned-2.4.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order ("S >= L"). A valid signature and its "S + L" variant both verify in forge, while Node.js "crypto.verify" (OpenSSL-backed) rejects the "S + L" variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33895
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0
Step up your Open Source Security Game with Mend here
CVE-2026-33894
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/node-forge/package.json,/src/main/workers/prerender/node_modules/node-forge/package.json
Dependency Hierarchy:
- wrangler-2.20.1.tgz (Root Library)
- selfsigned-2.4.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN structure, rather than outside of it. Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33894
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-ppp5-5v6c-4jwp
Release Date: 2026-03-26
Fix Resolution: node-forge - 1.4.0
Step up your Open Source Security Game with Mend here
CVE-2026-33891
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/node-forge/package.json,/src/main/workers/prerender/node_modules/node-forge/package.json
Dependency Hierarchy:
- wrangler-2.20.1.tgz (Root Library)
- selfsigned-2.4.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33891
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0
Step up your Open Source Security Game with Mend here
CVE-2026-33671
Vulnerable Library - picomatch-2.3.1.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/picomatch/package.json,/src/main/workers/prerender/node_modules/picomatch/package.json,/src/main/vue/package.json
Dependency Hierarchy:
- wrangler-2.20.1.tgz (Root Library)
- core-2.13.0.tgz
- shared-2.13.0.tgz
- ❌ picomatch-2.3.1.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as "+()" and "()", especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to "picomatch" for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to "picomatch". Possible mitigations include disabling extglob support for untrusted patterns by using "noextglob: true", rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as "+()" and "()", enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.
Publish Date: 2026-03-26
URL: CVE-2026-33671
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/micromatch/picomatch.git - 3.0.2,https://github.com/micromatch/picomatch.git - 4.0.4,https://github.com/micromatch/picomatch.git - 2.3.2
Step up your Open Source Security Game with Mend here
CVE-2026-2229
Vulnerable Library - undici-5.20.0.tgz
Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/undici/package.json,/src/main/workers/api/node_modules/undici/package.json
Dependency Hierarchy:
- wrangler-2.20.1.tgz (Root Library)
- core-2.13.0.tgz
- ❌ undici-5.20.0.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
- The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
- The createInflateRaw() call is not wrapped in a try-catch block
- The resulting exception propagates up through the call stack and crashes the Node.js process
Publish Date: 2026-03-12
URL: CVE-2026-2229
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v9p9-hfj2-hcw8
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Step up your Open Source Security Game with Mend here
CVE-2026-1526
Vulnerable Library - undici-5.20.0.tgz
Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/undici/package.json,/src/main/workers/api/node_modules/undici/package.json
Dependency Hierarchy:
- wrangler-2.20.1.tgz (Root Library)
- core-2.13.0.tgz
- ❌ undici-5.20.0.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Publish Date: 2026-03-12
URL: CVE-2026-1526
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-vrm6-8vpv-qv8q
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Step up your Open Source Security Game with Mend here
CVE-2025-66031
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/node-forge/package.json,/src/main/workers/prerender/node_modules/node-forge/package.json
Dependency Hierarchy:
- wrangler-2.20.1.tgz (Root Library)
- selfsigned-2.4.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.
Publish Date: 2025-11-26
URL: CVE-2025-66031
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-554w-wpv2-vw27
Release Date: 2025-11-26
Fix Resolution (node-forge): 1.3.2
Direct dependency fix Resolution (wrangler): 2.20.2
Step up your Open Source Security Game with Mend here
CVE-2024-45296
Vulnerable Library - path-to-regexp-6.2.1.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-6.2.1.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/path-to-regexp/package.json,/src/main/workers/api/node_modules/path-to-regexp/package.json
Dependency Hierarchy:
- wrangler-2.20.1.tgz (Root Library)
- ❌ path-to-regexp-6.2.1.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Publish Date: 2024-09-09
URL: CVE-2024-45296
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9wv6-86v2-598j
Release Date: 2024-09-09
Fix Resolution (path-to-regexp): 6.3.0
Direct dependency fix Resolution (wrangler): 2.20.2
Step up your Open Source Security Game with Mend here
CVE-2024-4068
Vulnerable Library - braces-3.0.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/braces/package.json,/src/main/vue/package.json,/src/main/workers/prerender/node_modules/braces/package.json
Dependency Hierarchy:
- wrangler-2.20.1.tgz (Root Library)
- chokidar-3.5.3.tgz
- ❌ braces-3.0.2.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In "lib/parse.js," if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Publish Date: 2024-05-13
URL: CVE-2024-4068
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2024-05-13
Fix Resolution: braces - 3.0.3
Step up your Open Source Security Game with Mend here
CVE-2024-37890
Vulnerable Library - ws-8.14.2.tgz
Library home page: https://registry.npmjs.org/ws/-/ws-8.14.2.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/ws/package.json,/src/main/workers/api/node_modules/ws/package.json
Dependency Hierarchy:
- wrangler-2.20.1.tgz (Root Library)
- miniflare-2.13.0.tgz
- web-sockets-2.13.0.tgz
- ❌ ws-8.14.2.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: 2024-06-17
URL: CVE-2024-37890
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-3h5v-q93c-6h6q
Release Date: 2024-06-17
Fix Resolution (ws): 8.17.1
Direct dependency fix Resolution (wrangler): 2.20.2
Step up your Open Source Security Game with Mend here
CVE-2024-21538
Vulnerable Library - cross-spawn-7.0.3.tgz
Cross platform child_process#spawn and child_process#spawnSync
Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/cross-spawn/package.json,/src/main/workers/prerender/node_modules/cross-spawn/package.json
Dependency Hierarchy:
- wrangler-2.20.1.tgz (Root Library)
- core-2.13.0.tgz
- shared-2.13.0.tgz
- npx-import-1.1.4.tgz
- execa-6.1.0.tgz
- ❌ cross-spawn-7.0.3.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Publish Date: 2024-11-08
URL: CVE-2024-21538
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-21538
Release Date: 2024-11-08
Fix Resolution (cross-spawn): 7.0.5
Direct dependency fix Resolution (wrangler): 3.0.0
Step up your Open Source Security Game with Mend here
CVE-2026-33896
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/node-forge/package.json,/src/main/workers/prerender/node_modules/node-forge/package.json
Dependency Hierarchy:
- wrangler-2.20.1.tgz (Root Library)
- selfsigned-2.4.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, "pki.verifyCertificateChain()" does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the "basicConstraints" and "keyUsage" extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33896
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0
Step up your Open Source Security Game with Mend here
CVE-2025-22150
Vulnerable Library - undici-5.20.0.tgz
Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/undici/package.json,/src/main/workers/api/node_modules/undici/package.json
Dependency Hierarchy:
- wrangler-2.20.1.tgz (Root Library)
- core-2.13.0.tgz
- ❌ undici-5.20.0.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses "Math.random()" to choose the boundary for a multipart/form-data request. It is known that the output of "Math.random()" can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-01-21
URL: CVE-2025-22150
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-c76h-2ccp-4975
Release Date: 2025-01-21
Fix Resolution (undici): 5.28.5
Direct dependency fix Resolution (wrangler): 3.0.0
Step up your Open Source Security Game with Mend here
CVE-2026-1525
Vulnerable Library - undici-5.20.0.tgz
Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/undici/package.json,/src/main/workers/api/node_modules/undici/package.json
Dependency Hierarchy:
- wrangler-2.20.1.tgz (Root Library)
- core-2.13.0.tgz
- ❌ undici-5.20.0.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
- Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
- Applications that accept user-controlled header names without case-normalization
Potential consequences:
- Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
- HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Publish Date: 2026-03-12
URL: CVE-2026-1525
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2mjp-6q6p-2qxm
Release Date: 2026-03-12
Fix Resolution: undici - 6.24.0,undici - 7.24.0
Step up your Open Source Security Game with Mend here
CVE-2026-22036
Vulnerable Library - undici-5.20.0.tgz
Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/undici/package.json,/src/main/workers/api/node_modules/undici/package.json
Dependency Hierarchy:
- wrangler-2.20.1.tgz (Root Library)
- core-2.13.0.tgz
- ❌ undici-5.20.0.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
Publish Date: 2026-01-14
URL: CVE-2026-22036
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-g9mf-h72j-4rw9
Release Date: 2026-01-14
Fix Resolution (undici): 6.23.0
Direct dependency fix Resolution (wrangler): 4.24.4
Step up your Open Source Security Game with Mend here
CVE-2026-33672
Vulnerable Library - picomatch-2.3.1.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/picomatch/package.json,/src/main/workers/prerender/node_modules/picomatch/package.json,/src/main/vue/package.json
Dependency Hierarchy:
- wrangler-2.20.1.tgz (Root Library)
- core-2.13.0.tgz
- shared-2.13.0.tgz
- ❌ picomatch-2.3.1.tgz (Vulnerable Library)
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the "POSIX_REGEX_SOURCE" object. Because the object inherits from "Object.prototype", specially crafted POSIX bracket expressions (e.g., "[[:constructor:]]") can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression. This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control. All users of affected "picomatch" versions that process untrusted or user-controlled glob patterns are potentially impacted. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch. Possible mitigations include sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like "[[:...:]]"; avoiding the use of POSIX bracket expressions if user input is involved; and manually patching the library by modifying "POSIX_REGEX_SOURCE" to use a null prototype.
Publish Date: 2026-03-26
URL: CVE-2026-33672
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/micromatch/picomatch.git - 2.3.2,https://github.com/micromatch/picomatch.git - 3.0.2,https://github.com/micromatch/picomatch.git - 4.0.4
Step up your Open Source Security Game with Mend here
Library home page: https://registry.npmjs.org/wrangler/-/wrangler-2.20.1.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/wrangler/package.json,/src/main/workers/api/node_modules/wrangler/package.json
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - wrangler-2.20.1.tgz
Library home page: https://registry.npmjs.org/wrangler/-/wrangler-2.20.1.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/wrangler/package.json,/src/main/workers/api/node_modules/wrangler/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
SummaryA command injection vulnerability (CWE-78) has been found to exist in the "wrangler pages deploy" command. The issue occurs because the "--commit-hash" parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of "--commit-hash" to execute arbitrary commands on the system running Wrangler.
Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync("git show -s --format=%B ${commitHash}")). Shell metacharacters are interpreted by the shell, enabling command execution.
ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where "wrangler pages deploy" is used in automated pipelines and the
--commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:
Credits Disclosed responsibly by kny4hacker.
Mitigation
Publish Date: 2026-01-20
URL: CVE-2026-0933
CVSS 3 Score Details (9.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-01-20
Fix Resolution: 3.114.17
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/node-forge/package.json,/src/main/workers/prerender/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Publish Date: 2025-11-25
URL: CVE-2025-12816
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-5gfm-wpxj-wjgq
Release Date: 2025-11-25
Fix Resolution (node-forge): 1.3.2
Direct dependency fix Resolution (wrangler): 2.20.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - wrangler-2.20.1.tgz
Library home page: https://registry.npmjs.org/wrangler/-/wrangler-2.20.1.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/wrangler/package.json,/src/main/workers/api/node_modules/wrangler/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate Origin/Host headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If wrangler dev --remote was being used, an attacker could access production resources if they were bound to the worker.
This issue was fixed in wrangler@3.19.0 and wrangler@2.20.2. Whilst wrangler dev's inspector server listens on local interfaces by default as of wrangler@3.16.0, an SSRF vulnerability in miniflare GHSA-fwvg-2739-22v7 (CVE-2023-7078) allowed access from the local network until wrangler@3.18.0. wrangler@3.19.0 and wrangler@2.20.2 introduced validation for the Origin/Host headers.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-12-29
URL: CVE-2023-7080
CVSS 3 Score Details (8.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-7080
Release Date: 2023-12-29
Fix Resolution: 2.20.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/node-forge/package.json,/src/main/workers/prerender/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order ("S >= L"). A valid signature and its "S + L" variant both verify in forge, while Node.js "crypto.verify" (OpenSSL-backed) rejects the "S + L" variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33895
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/node-forge/package.json,/src/main/workers/prerender/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN structure, rather than outside of it. Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33894
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-ppp5-5v6c-4jwp
Release Date: 2026-03-26
Fix Resolution: node-forge - 1.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/node-forge/package.json,/src/main/workers/prerender/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33891
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - picomatch-2.3.1.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/picomatch/package.json,/src/main/workers/prerender/node_modules/picomatch/package.json,/src/main/vue/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as "+()" and "()", especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to "picomatch" for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to "picomatch". Possible mitigations include disabling extglob support for untrusted patterns by using "noextglob: true", rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as "+()" and "()", enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.
Publish Date: 2026-03-26
URL: CVE-2026-33671
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/micromatch/picomatch.git - 3.0.2,https://github.com/micromatch/picomatch.git - 4.0.4,https://github.com/micromatch/picomatch.git - 2.3.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-5.20.0.tgz
Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/undici/package.json,/src/main/workers/api/node_modules/undici/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
Publish Date: 2026-03-12
URL: CVE-2026-2229
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-v9p9-hfj2-hcw8
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-5.20.0.tgz
Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/undici/package.json,/src/main/workers/api/node_modules/undici/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Publish Date: 2026-03-12
URL: CVE-2026-1526
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-vrm6-8vpv-qv8q
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/node-forge/package.json,/src/main/workers/prerender/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.
Publish Date: 2025-11-26
URL: CVE-2025-66031
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-554w-wpv2-vw27
Release Date: 2025-11-26
Fix Resolution (node-forge): 1.3.2
Direct dependency fix Resolution (wrangler): 2.20.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - path-to-regexp-6.2.1.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-6.2.1.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/path-to-regexp/package.json,/src/main/workers/api/node_modules/path-to-regexp/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Publish Date: 2024-09-09
URL: CVE-2024-45296
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-9wv6-86v2-598j
Release Date: 2024-09-09
Fix Resolution (path-to-regexp): 6.3.0
Direct dependency fix Resolution (wrangler): 2.20.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - braces-3.0.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/braces/package.json,/src/main/vue/package.json,/src/main/workers/prerender/node_modules/braces/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In "lib/parse.js," if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Publish Date: 2024-05-13
URL: CVE-2024-4068
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2024-05-13
Fix Resolution: braces - 3.0.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - ws-8.14.2.tgz
Library home page: https://registry.npmjs.org/ws/-/ws-8.14.2.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/ws/package.json,/src/main/workers/api/node_modules/ws/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: 2024-06-17
URL: CVE-2024-37890
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3h5v-q93c-6h6q
Release Date: 2024-06-17
Fix Resolution (ws): 8.17.1
Direct dependency fix Resolution (wrangler): 2.20.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - cross-spawn-7.0.3.tgz
Cross platform child_process#spawn and child_process#spawnSync
Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/cross-spawn/package.json,/src/main/workers/prerender/node_modules/cross-spawn/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Publish Date: 2024-11-08
URL: CVE-2024-21538
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-21538
Release Date: 2024-11-08
Fix Resolution (cross-spawn): 7.0.5
Direct dependency fix Resolution (wrangler): 3.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/node-forge/package.json,/src/main/workers/prerender/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, "pki.verifyCertificateChain()" does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the "basicConstraints" and "keyUsage" extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33896
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-5.20.0.tgz
Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/undici/package.json,/src/main/workers/api/node_modules/undici/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses "Math.random()" to choose the boundary for a multipart/form-data request. It is known that the output of "Math.random()" can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-01-21
URL: CVE-2025-22150
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-c76h-2ccp-4975
Release Date: 2025-01-21
Fix Resolution (undici): 5.28.5
Direct dependency fix Resolution (wrangler): 3.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-5.20.0.tgz
Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/undici/package.json,/src/main/workers/api/node_modules/undici/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
Potential consequences:
Publish Date: 2026-03-12
URL: CVE-2026-1525
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-2mjp-6q6p-2qxm
Release Date: 2026-03-12
Fix Resolution: undici - 6.24.0,undici - 7.24.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-5.20.0.tgz
Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz
Path to dependency file: /src/main/workers/prerender/package.json
Path to vulnerable library: /src/main/workers/prerender/node_modules/undici/package.json,/src/main/workers/api/node_modules/undici/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
Publish Date: 2026-01-14
URL: CVE-2026-22036
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-g9mf-h72j-4rw9
Release Date: 2026-01-14
Fix Resolution (undici): 6.23.0
Direct dependency fix Resolution (wrangler): 4.24.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - picomatch-2.3.1.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz
Path to dependency file: /src/main/workers/api/package.json
Path to vulnerable library: /src/main/workers/api/node_modules/picomatch/package.json,/src/main/workers/prerender/node_modules/picomatch/package.json,/src/main/vue/package.json
Dependency Hierarchy:
Found in HEAD commit: de4579e3eb742e6069649be650bd2841e1ec1383
Found in base branch: main
Vulnerability Details
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the "POSIX_REGEX_SOURCE" object. Because the object inherits from "Object.prototype", specially crafted POSIX bracket expressions (e.g., "[[:constructor:]]") can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression. This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control. All users of affected "picomatch" versions that process untrusted or user-controlled glob patterns are potentially impacted. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch. Possible mitigations include sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like "[[:...:]]"; avoiding the use of POSIX bracket expressions if user input is involved; and manually patching the library by modifying "POSIX_REGEX_SOURCE" to use a null prototype.
Publish Date: 2026-03-26
URL: CVE-2026-33672
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/micromatch/picomatch.git - 2.3.2,https://github.com/micromatch/picomatch.git - 3.0.2,https://github.com/micromatch/picomatch.git - 4.0.4
Step up your Open Source Security Game with Mend here