📂 Vulnerable Library - react-scripts-5.0.1.tgz
Configuration and scripts for Create React App.
Path to dependency file: /frontend/package.json
Partial results (25 findings) are displayed below due to a content size limitation in GitHub. To view information on the remaining findings, navigate to the Mend Application.
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-37601 | 🟣 Critical | 9.8 | Not Defined | 18.844% | loader-utils-2.0.2.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2023-28154 | 🟣 Critical | 9.8 | Not Defined | 1.348% | webpack-5.73.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-33228 | 🟣 Critical | 9.8 | Not Defined | < 1% | flatted-3.2.5.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-41907 | 🟣 Critical | 9.8 | Not Defined | < 1% | uuid-8.3.2.tgz | Direct | uuid v11.1.1, v12.0.1, v13.0.1 (https://github.com/uuidjs/uuid.git) | ✅ | Reachable |
| CVE-2023-45133 | 🟣 Critical | 9.3 | Not Defined | < 1% | traverse-7.18.2.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-27606 | 🟣 Critical | 9.1 | Not Defined | < 1% | rollup-2.75.5.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2025-7783 | 🔴 High | 8.7 | Not Defined | 1.319% | form-data-3.0.1.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2025-12816 | 🔴 High | 8.6 | Not Defined | < 1% | node-forge-1.3.1.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-44728 | 🔴 High | 8.2 | N/A | N/A | plugin-transform-modules-systemjs-7.18.4.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-4800 | 🔴 High | 8.1 | Not Defined | < 1% | lodash-4.17.21.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-9277 | 🔴 High | 8.1 | N/A | N/A | shell-quote-1.7.3.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2021-3803 | 🔴 High | 7.5 | Not Defined | < 1% | nth-check-1.0.2.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2022-3517 | 🔴 High | 7.5 | Not Defined | < 1% | minimatch-3.0.4.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2022-37599 | 🔴 High | 7.5 | Not Defined | 4.206% | loader-utils-3.2.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2022-37599 | 🔴 High | 7.5 | Not Defined | 4.206% | loader-utils-2.0.2.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2022-37603 | 🔴 High | 7.5 | Not Defined | 1.331% | loader-utils-3.2.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2022-37603 | 🔴 High | 7.5 | Not Defined | 1.331% | loader-utils-2.0.2.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2024-21536 | 🔴 High | 7.5 | Proof of concept | < 1% | http-proxy-middleware-2.0.6.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2024-21538 | 🔴 High | 7.5 | Proof of concept | < 1% | cross-spawn-7.0.3.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2024-37890 | 🔴 High | 7.5 | Not Defined | < 1% | ws-8.7.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2024-37890 | 🔴 High | 7.5 | Not Defined | < 1% | ws-7.5.8.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2024-4068 | 🔴 High | 7.5 | Not Defined | < 1% | braces-3.0.2.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2024-45296 | 🔴 High | 7.5 | Not Defined | < 1% | path-to-regexp-0.1.7.tgz | Transitive | N/A | ❌ | |
| CVE-2024-45590 | 🔴 High | 7.5 | Not Defined | 1.387% | body-parser-1.20.0.tgz | Direct | body-parser - 1.20.3 | ✅ | Reachable |
| CVE-2024-52798 | 🔴 High | 7.5 | Not Defined | < 1% | path-to-regexp-0.1.7.tgz | Transitive | N/A | ❌ | |
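The two columns that decide what gets fixed first are Reachability and Fixed in: a reachable direct dependency with a same-major fix is a one-line upgrade, while a reachable finding whose only fixes are major-version bumps needs migration work. The helper below is an added triage script, not part of the Mend report or of the scanned project; it re-encodes three rows of the table above as constructed sample data (function and constant names are this example's own) and orders them by exposure before raw severity, working out from the scanner's "Fixed in" cell whether a non-breaking upgrade exists.

```javascript
'use strict';

// Constructed sample: a subset of the findings table, "< 1%" EPSS recorded as 0.
const FINDINGS = [
  { cve: 'CVE-2026-41907', cvss: 9.8, epss: 0, library: 'uuid-8.3.2.tgz', type: 'Direct',
    fixedIn: 'https://github.com/uuidjs/uuid.git - v11.1.1,https://github.com/uuidjs/uuid.git - v12.0.1,https://github.com/uuidjs/uuid.git - v13.0.1',
    reachability: 'Reachable' },
  { cve: 'CVE-2024-45590', cvss: 7.5, epss: 0.01387, library: 'body-parser-1.20.0.tgz', type: 'Direct',
    fixedIn: 'body-parser - 1.20.3', reachability: 'Reachable' },
  { cve: 'CVE-2022-37601', cvss: 9.8, epss: 0.18844, library: 'loader-utils-2.0.2.tgz', type: 'Transitive',
    fixedIn: 'N/A', reachability: 'Unreachable' },
];

// "loader-utils-2.0.2.tgz" -> { name: "loader-utils", version: "2.0.2" }
function splitLibrary(lib) {
  const m = /^(.*)-(\d+\.\d+\.\d+)\.tgz$/.exec(lib);
  if (!m) throw new Error(`unexpected library spec: ${lib}`);
  return { name: m[1], version: m[2] };
}

// Pull every x.y.z out of a "Fixed in" cell, whatever text surrounds it.
function parseFixedVersions(fixedIn) {
  if (!fixedIn || fixedIn === 'N/A') return [];
  return [...fixedIn.matchAll(/v?(\d+\.\d+\.\d+)/g)].map((m) => m[1]);
}

function major(v) { return Number(v.split('.')[0]); }

function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Smallest fixed version that keeps the installed major (a non-breaking bump), or null.
function sameMajorFix(installed, fixedVersions) {
  const candidates = fixedVersions
    .filter((v) => major(v) === major(installed) && compareVersions(v, installed) > 0)
    .sort(compareVersions);
  return candidates.length ? candidates[0] : null;
}

function triage(findings) {
  return findings
    .map((f) => {
      const { name, version } = splitLibrary(f.library);
      const fixes = parseFixedVersions(f.fixedIn);
      const patchFix = sameMajorFix(version, fixes);
      return {
        cve: f.cve, name, version, cvss: f.cvss, epss: f.epss, type: f.type,
        reachable: f.reachability === 'Reachable',
        patchFix,                                            // drop-in upgrade target, if any
        majorBumpOnly: fixes.length > 0 && patchFix === null, // fixed only across a major boundary
      };
    })
    // Reachable first, then CVSS, then EPSS: exposure before raw severity.
    .sort((a, b) => (b.reachable - a.reachable) || (b.cvss - a.cvss) || (b.epss - a.epss));
}

console.table(triage(FINDINGS));
```

On this data uuid comes out first (reachable, 9.8) but with no same-major fix, so it is a migration item; body-parser 1.20.0 has a drop-in fix in 1.20.3; the loader-utils finding, despite its 18.8% EPSS, sorts last because the scanner marks it unreachable.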
Details
🟣CVE-2022-37601
Vulnerable Library - loader-utils-2.0.2.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Publish Date: Oct 12, 2022 12:00 AM
URL: CVE-2022-37601
Threat Assessment
Exploit Maturity:Not Defined
EPSS:18.844%
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: Oct 12, 2022 12:00 AM
Fix Resolution : loader-utils - 1.4.1,2.0.3
🟣CVE-2023-28154
Vulnerable Library - webpack-5.73.0.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.73.0.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- ❌ webpack-5.73.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Publish Date: Mar 13, 2023 12:00 AM
URL: CVE-2023-28154
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.348%
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin: webpack/webpack#16500
Release Date: Mar 13, 2023 12:00 AM
Fix Resolution : webpack - 5.76.0
🟣CVE-2026-33228
Vulnerable Library - flatted-3.2.5.tgz
A super light and fast circular JSON parser.
Library home page: https://registry.npmjs.org/flatted/-/flatted-3.2.5.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- eslint-8.16.0.tgz
- file-entry-cache-6.0.1.tgz
- flat-cache-3.0.4.tgz
- ❌ flatted-3.2.5.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 20, 2026 11:06 PM
URL: CVE-2026-33228
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin: WebReflection/flatted@885ddcc
Release Date: Mar 20, 2026 11:06 PM
Fix Resolution : https://github.com/WebReflection/flatted.git - v3.4.2
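The loader-utils finding (CVE-2022-37601, attacker-controlled key names written through a plain object) and the flatted finding above (attacker-controlled strings used as array indices) are two routes to the same place: a lookup by untrusted key that lands on the prototype chain instead of an own property. The block below is an added example and is neither library's source; it models each route with a simplified stand-in (parseQueryNaive, resolveRefNaive and the other names are this example's own) beside the hardened form that keeps untrusted keys off the prototype chain.

```javascript
'use strict';

// ---- Route 1: untrusted key names used as a property path (loader-utils class) ----
// Stand-in for a query parser that honours "a.b=value" by walking into out[a]
// before writing [b]. With name "__proto__.x", out["__proto__"] is
// Object.prototype, so the final write pollutes every object in the realm.
function setPathNaive(out, name, value) {
  const parts = name.split('.');
  let cur = out;
  for (const part of parts.slice(0, -1)) {
    if (cur[part] === undefined) cur[part] = {};
    cur = cur[part]; // "__proto__" resolves through the prototype chain
  }
  cur[parts[parts.length - 1]] = value;
}

function parseQueryNaive(query) {
  const out = {};
  for (const pair of query.replace(/^\?/, '').split('&')) {
    const [name, value = ''] = pair.split('=').map(decodeURIComponent);
    setPathNaive(out, name, value);
  }
  return out;
}

// Hardened form: refuse the keys that reach the prototype chain, only descend
// into own properties, and start from a null-prototype object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(out, name, value) {
  const parts = name.split('.');
  if (parts.some((p) => FORBIDDEN_KEYS.has(p))) {
    throw new Error(`refusing prototype-chain key in "${name}"`);
  }
  let cur = out;
  for (const part of parts.slice(0, -1)) {
    if (!Object.hasOwn(cur, part)) cur[part] = Object.create(null);
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
}

function parseQuerySafe(query) {
  const out = Object.create(null);
  for (const pair of query.replace(/^\?/, '').split('&')) {
    const [name, value = ''] = pair.split('=').map(decodeURIComponent);
    setPathSafe(out, name, value);
  }
  return out;
}

// ---- Route 2: untrusted string used as an array index (flatted class) ----
// Stand-in for a decoder whose values are references ("0", "1", ...) into an
// array of already-decoded values. A non-numeric key such as "__proto__" is
// resolved through Array.prototype, and the prototype itself comes back as the
// "decoded value".
function resolveRefNaive(values, key) {
  return values[key];
}

function resolveRefSafe(values, key) {
  if (!/^(0|[1-9]\d*)$/.test(key) || Number(key) >= values.length) {
    throw new RangeError(`invalid reference ${JSON.stringify(key)}`);
  }
  return values[Number(key)];
}
```

A quick way to see route 2 in a REPL is `[][ '__proto__' ] === Array.prototype`, which is true for every array; the numeric-index check above is the whole fix for that route, and the null-prototype object plus `Object.hasOwn` is the whole fix for route 1.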
🟣CVE-2026-41907
Vulnerable Library - uuid-8.3.2.tgz
RFC4122 (v1, v4, and v5) UUIDs
Library home page: https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
- damn-vulnerable-crypto-app-backend-1.0.0/src/services/FlagService.ts (Application)
- uuid-8.3.2/dist/index.js (Extension)
- uuid-8.3.2/dist/v5.js (Extension)
-> ❌ uuid-8.3.2/dist/sha1.js (Vulnerable Component)
Vulnerability Details
uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.
Publish Date: Apr 24, 2026 06:09 PM
URL: CVE-2026-41907
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin: GHSA-w5hq-g745-h8pq
Release Date: Apr 24, 2026 06:09 PM
Fix Resolution : https://github.com/uuidjs/uuid.git - v11.1.1,https://github.com/uuidjs/uuid.git - v12.0.1,https://github.com/uuidjs/uuid.git - v13.0.1
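This is the only critical finding the scanner traces into application code (FlagService.ts calls the v5 path), so the failure mode is worth seeing concretely: a typed array in JavaScript silently ignores element writes past its end, so a 16-byte UUID written into a caller-supplied buffer that is too small, or at too large an offset, neither throws nor completes. The block below is an added example and not uuid's own code; SAMPLE_BYTES is a constructed stand-in for a computed UUID, and the function names are this example's own.

```javascript
'use strict';

// Constructed 16 bytes standing in for a computed v5 UUID (not a real hash).
const SAMPLE_BYTES = Uint8Array.from({ length: 16 }, (_, i) => 0xa0 + i);

// The unchecked shape: out-of-range indices are dropped, so a 10-byte buffer
// receives 10 bytes and the caller is never told.
function writeUuidNaive(bytes, buf, offset = 0) {
  for (let i = 0; i < 16; i++) buf[offset + i] = bytes[i]; // silent partial write
  return buf;
}

// The checked shape: validate the destination range before touching buf.
function writeUuidChecked(bytes, buf, offset = 0) {
  if (!(buf instanceof Uint8Array)) throw new TypeError('buf must be a Uint8Array');
  if (!Number.isInteger(offset) || offset < 0 || offset + 16 > buf.length) {
    throw new RangeError(
      `UUID byte range [${offset}, ${offset + 16}) exceeds buffer of length ${buf.length}`,
    );
  }
  buf.set(bytes.subarray(0, 16), offset);
  return buf;
}

// How many of the 16 expected bytes actually landed in buf at offset.
function bytesLanded(buf, offset) {
  let n = 0;
  for (let i = 0; i < 16 && offset + i < buf.length; i++) {
    if (buf[offset + i] === SAMPLE_BYTES[i]) n++;
  }
  return n;
}

const short = new Uint8Array(10);
writeUuidNaive(SAMPLE_BYTES, short, 0);
console.log('naive write into 10-byte buffer landed', bytesLanded(short, 0), 'of 16 bytes');
```

Node's Buffer is a Uint8Array subclass, so the `instanceof` check admits both. Until the upgrade lands, the same check can wrap the call site in FlagService.ts: verify `offset + 16 <= buf.length` before handing the buffer to the library.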
🟣CVE-2023-45133
Vulnerable Library - traverse-7.18.2.tgz
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.18.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Babel is a compiler for writing JavaScript. In "@babel/traverse" prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of "babel-traverse", using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the "path.evaluate()" or "path.evaluateTruthy()" internal Babel methods. Known affected plugins are "@babel/plugin-transform-runtime"; "@babel/preset-env" when using its "useBuiltIns" option; and any "polyfill provider" plugin that depends on "@babel/helper-define-polyfill-provider", such as "babel-plugin-polyfill-corejs3", "babel-plugin-polyfill-corejs2", "babel-plugin-polyfill-es-shims", "babel-plugin-polyfill-regenerator". No other plugins under the "@babel/" namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in "@babel/traverse@7.23.2" and "@babel/traverse@8.0.0-alpha.4". Those who cannot upgrade "@babel/traverse" and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected "@babel/traverse" versions: "@babel/plugin-transform-runtime" v7.23.2, "@babel/preset-env" v7.23.2, "@babel/helper-define-polyfill-provider" v0.4.3, "babel-plugin-polyfill-corejs2" v0.4.6, "babel-plugin-polyfill-corejs3" v0.8.5, "babel-plugin-polyfill-es-shims" v0.10.0, "babel-plugin-polyfill-regenerator" v0.5.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Oct 12, 2023 04:17 PM
URL: CVE-2023-45133
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: Oct 12, 2023 04:17 PM
Fix Resolution : @babel/traverse - 7.23.2
🟣CVE-2026-27606
Vulnerable Library - rollup-2.75.5.tgz
Next-generation ES module bundler
Library home page: https://registry.npmjs.org/rollup/-/rollup-2.75.5.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- workbox-webpack-plugin-6.5.3.tgz
- workbox-build-6.5.3.tgz
- ❌ rollup-2.75.5.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Rollup is a module bundler for JavaScript. Versions of Rollup prior to 2.80.0, 3.30.0, and 4.59.0 are vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences ("../") to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
Publish Date: Feb 25, 2026 02:08 AM
URL: CVE-2026-27606
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.1
Suggested Fix
Type: Upgrade version
Origin: rollup/rollup@c8cf1f9
Release Date: Feb 25, 2026 02:08 AM
Fix Resolution : https://github.com/rollup/rollup.git - v2.80.0,https://github.com/rollup/rollup.git - v3.30.0,https://github.com/rollup/rollup.git - v4.59.0
🔴CVE-2025-7783
Vulnerable Library - form-data-3.0.1.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-3.0.1.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- jest-27.5.1.tgz
- core-27.5.1.tgz
- jest-config-27.5.1.tgz
- jest-environment-jsdom-27.5.1.tgz
- jsdom-16.7.0.tgz
- ❌ form-data-3.0.1.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program file lib/form_data.js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jul 18, 2025 04:34 PM
URL: CVE-2025-7783
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.319%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-fjxv-7rqg-78g4
Release Date: Jul 18, 2025 04:34 PM
Fix Resolution : form-data - 2.5.4, 3.0.4, 4.0.4 (https://github.com/form-data/form-data.git - v2.5.4, v3.0.4, v4.0.4)
🔴CVE-2025-12816
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.9.1.tgz
- selfsigned-2.0.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Publish Date: Nov 25, 2025 07:15 PM
URL: CVE-2025-12816
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.6
Suggested Fix
Type: Upgrade version
Origin: GHSA-5gfm-wpxj-wjgq
Release Date: Nov 25, 2025 07:15 PM
Fix Resolution : https://github.com/digitalbazaar/forge.git - v1.3.2,node-forge - 1.3.2
🔴CVE-2026-44728
Vulnerable Library - plugin-transform-modules-systemjs-7.18.4.tgz
This plugin transforms ES2015 modules to SystemJS
Library home page: https://registry.npmjs.org/@babel/plugin-transform-modules-systemjs/-/plugin-transform-modules-systemjs-7.18.4.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Impact:
Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. Known affected plugins are:
- "@babel/plugin-transform-modules-systemjs"
- "@babel/preset-env" when using the "modules: 'systemjs'" option (https://babel.dev/docs/babel-preset-env#modules), as it delegates to "@babel/plugin-transform-modules-systemjs"
No other plugins under the "@babel" namespace are impacted. Users that only compile trusted code are not impacted.
Patches:
The vulnerability has been fixed in "@babel/plugin-transform-modules-systemjs@7.29.4". Babel also released "@babel/preset-env@7.29.5", updating its "@babel/plugin-transform-modules-systemjs" dependency, to simplify forcing the update if you are using "@babel/preset-env" directly.
Workarounds:
- Pin "@babel/parser" to v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and cannot upgrade "@babel/plugin-transform-modules-systemjs" to v7.29.4.
- Do not use the "modules: 'systemjs'" option; migrate the codebase to native ES Modules or any other module format.
Credits:
Babel thanks Daniel Cervera for reporting the vulnerability.
Publish Date: May 22, 2026 09:03 AM
URL: CVE-2026-44728
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-fv7c-fp4j-7gwp
Release Date: May 09, 2026 09:02 AM
Fix Resolution : @babel/plugin-transform-modules-systemjs - 8.0.0-alpha.13,@babel/plugin-transform-modules-systemjs - 7.29.4
🔴CVE-2026-4800
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Publish Date: Mar 31, 2026 07:25 PM
URL: CVE-2026-4800
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution : lodash - 4.18.0
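Both halves of the advisory come down to what ends up in the parameter list of a Function() call: a parameter name is parsed as source, so a "name" of the form `x = expr` carries a default-parameter expression that runs when the parameter is left undefined, and a for..in walk over the imports object will also pick up keys inherited from a polluted Object.prototype. The block below is an added example and not lodash's code; it models the sink with a minimal template compiler (compileWith, compileNaive, compileSafe and the canary names are this example's own) and gates it with the advisory's workaround: own, identifier-shaped keys only.

```javascript
'use strict';

// The sink: import names become parameters of an outer function that is
// invoked at once (compile time) and returns the render function.
function compileWith(source, names, values) {
  const body = 'return function render(data) { return `' + source.replace(/`/g, '\\`') + '`; };';
  const factory = new Function(...names, body);
  return factory(...values);
}

// Unvalidated shape: keys are taken verbatim, and for..in also yields any
// key that has been written onto Object.prototype.
function compileNaive(source, imports) {
  const names = [];
  for (const key in imports) names.push(key);
  return compileWith(source, names, names.map((n) => imports[n]));
}

// The workaround from the advisory, as a check: only own keys, only plain
// identifiers, none of the names that would alias something dangerous.
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;
const RESERVED = new Set(['__proto__', 'constructor', 'prototype', 'arguments', 'eval']);

function checkImportNames(imports) {
  for (const key of Object.keys(imports)) {
    if (!IDENTIFIER.test(key) || RESERVED.has(key)) {
      throw new TypeError(`illegal import name: ${JSON.stringify(key)}`);
    }
  }
  return Object.keys(imports);
}

function compileSafe(source, imports) {
  const names = checkImportNames(imports);
  return compileWith(source, names, names.map((n) => imports[n]));
}

// Constructed demonstration. The key is not a name at all but a default
// parameter whose initializer runs when the factory is called with undefined.
const hostile = { 'x = (globalThis.dvcaCanary = "ran at compile time")': undefined };
compileNaive('static text', hostile);
console.log('after naive compile:', globalThis.dvcaCanary);
delete globalThis.dvcaCanary;
```

Passing `undefined` as the value is what arms the default-parameter expression; the validation runs before anything reaches `new Function`, so `compileSafe` fails closed regardless of the value.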
🔴CVE-2026-9277
Vulnerable Library - shell-quote-1.7.3.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.3.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- react-dev-utils-12.0.1.tgz
- ❌ shell-quote-1.7.3.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
shell-quote's "quote()" function did not validate object-token inputs against the operator model used by "parse()". The ".op" field was backslash-escaped character by character using "/(.)/g", which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in ".op" therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of "{ op: '...\n...' }" from external input, and (2) via "parse(cmd, envFn)" when "envFn" returns object tokens whose ".op" is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: ".op" must match the parser's control-operator allowlist; "{ op: 'glob', pattern }" validates "pattern" and forbids line terminators; "{ comment }" validates "comment" and forbids line terminators; any other object shape throws "TypeError".
Publish Date: May 22, 2026 01:22 PM
URL: CVE-2026-9277
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 8.1
Suggested Fix
Type: Upgrade version
Origin: ljharb/shell-quote@4378a6e
Release Date: May 22, 2026 01:22 PM
Fix Resolution : https://github.com/ljharb/shell-quote.git - v1.8.4,shell-quote - 1.8.4
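The root cause above is a one-liner worth seeing in isolation: in a JavaScript regular expression `.` does not match line terminators, so an escaper built on `/(.)/g` backslash-escapes every character except the newline that a POSIX shell treats as a command separator. The block below is an added example and not shell-quote's code; it reproduces that escaper beside the allowlist-and-shape validation the fix describes. CONTROL_OPS is a constructed allowlist for this example, not the library's own table, and the token names are this example's own.

```javascript
'use strict';

// The vulnerable escaper: dot skips \n, \r, U+2028 and U+2029.
function escapeOpNaive(op) {
  return String(op).replace(/(.)/g, '\\$1');
}

// Constructed allowlist of control operators (verify against the parser's own
// table before reusing). Anything not in it is not an operator.
const CONTROL_OPS = new Set([
  '|', '||', '&&', ';', ';;', '&', '(', ')', '<', '>', '>>', '<<', '<<<', '|&', '>&', '<&', '<(', '>(',
]);
const LINE_TERMINATOR = /[\n\r\u2028\u2029]/;

// Single-quote a word unless it is made only of shell-safe characters.
function quoteWord(s) {
  if (s === '') return "''";
  if (/^[\w%+,\-./:=@]+$/.test(s)) return s;
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

// Fixed rendering: strict shape validation instead of character escaping.
function renderToken(token) {
  if (typeof token === 'string') return quoteWord(token);
  if (token === null || typeof token !== 'object') throw new TypeError('token must be a string or object');
  if (token.op === 'glob') {
    if (typeof token.pattern !== 'string' || LINE_TERMINATOR.test(token.pattern)) {
      throw new TypeError('glob pattern must be a string without line terminators');
    }
    return token.pattern;
  }
  if (typeof token.op === 'string') {
    if (!CONTROL_OPS.has(token.op)) throw new TypeError(`unknown control operator: ${JSON.stringify(token.op)}`);
    return token.op;
  }
  if (typeof token.comment === 'string') {
    if (LINE_TERMINATOR.test(token.comment)) throw new TypeError('comment must not contain line terminators');
    return '#' + token.comment;
  }
  throw new TypeError('unrecognised token shape');
}

function quoteNaive(tokens) {
  return tokens.map((t) => (typeof t === 'string' ? quoteWord(t) : escapeOpNaive(t.op))).join(' ');
}

function quoteSafe(tokens) {
  return tokens.map(renderToken).join(' ');
}

// Constructed hostile token: an "operator" carrying a newline and a second command.
const hostile = { op: ';\necho injected' };
console.log(JSON.stringify(quoteNaive(['ls', hostile])));
```

The naive output is `ls \;\n\e\c\h\o\ \i\n\j\e\c\t\e\d`: every byte is escaped except the one that mattered. The safe path never gets as far as escaping because the operator is not on the allowlist.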
🔴CVE-2021-3803
Vulnerable Library - nth-check-1.0.2.tgz
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: Sep 17, 2021 12:00 AM
URL: CVE-2021-3803
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: Oct 17, 2022 12:00 AM
URL: CVE-2022-3517
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2022-37599
Vulnerable Library - loader-utils-3.2.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-3.2.0.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- react-dev-utils-12.0.1.tgz
- ❌ loader-utils-3.2.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: Oct 11, 2022 12:00 AM
URL: CVE-2022-37599
Threat Assessment
Exploit Maturity:Not Defined
EPSS:4.206%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-hhq3-ff78-jv3g
Release Date: Oct 11, 2022 12:00 AM
Fix Resolution : loader-utils - 1.4.2,2.0.4,3.2.1
🔴CVE-2022-37599
Vulnerable Library - loader-utils-2.0.2.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: Oct 11, 2022 12:00 AM
URL: CVE-2022-37599
Threat Assessment
Exploit Maturity:Not Defined
EPSS:4.206%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-hhq3-ff78-jv3g
Release Date: Oct 11, 2022 12:00 AM
Fix Resolution : loader-utils - 1.4.2,2.0.4,3.2.1
🔴CVE-2022-37603
Vulnerable Library - loader-utils-3.2.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-3.2.0.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- react-dev-utils-12.0.1.tgz
- ❌ loader-utils-3.2.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: Oct 14, 2022 12:00 AM
URL: CVE-2022-37603
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.331%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: Oct 14, 2022 12:00 AM
Fix Resolution : loader-utils - 1.4.2,2.0.4,3.2.1
🔴CVE-2022-37603
Vulnerable Library - loader-utils-2.0.2.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: Oct 14, 2022 12:00 AM
URL: CVE-2022-37603
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.331%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: Oct 14, 2022 12:00 AM
Fix Resolution : loader-utils - 1.4.2,2.0.4,3.2.1
🔴CVE-2024-21536
Vulnerable Library - http-proxy-middleware-2.0.6.tgz
The one-liner node.js proxy middleware for connect, express and browser-sync
Library home page: https://registry.npmjs.org/http-proxy-middleware/-/http-proxy-middleware-2.0.6.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.9.1.tgz
- ❌ http-proxy-middleware-2.0.6.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
Publish Date: Oct 19, 2024 05:00 AM
URL: CVE-2024-21536
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2024-21538
Vulnerable Library - cross-spawn-7.0.3.tgz
Cross platform child_process#spawn and child_process#spawnSync
Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Publish Date: Nov 08, 2024 05:00 AM
URL: CVE-2024-21538
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-21538
Release Date: Nov 08, 2024 05:00 AM
Fix Resolution : cross-spawn - 6.0.6, 7.0.5 (https://github.com/moxystudio/node-cross-spawn.git - v6.0.6, v7.0.5; org.webjars.npm:cross-spawn:6.0.6)
🔴CVE-2024-37890
Vulnerable Library - ws-8.7.0.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-8.7.0.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.9.1.tgz
- ❌ ws-8.7.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: Jun 17, 2024 07:09 PM
URL: CVE-2024-37890
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-3h5v-q93c-6h6q
Release Date: Jun 17, 2024 07:09 PM
Fix Resolution : ws - 5.2.4,6.2.3,7.5.10,8.17.1
🔴CVE-2024-37890
Vulnerable Library - ws-7.5.8.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-7.5.8.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- jest-27.5.1.tgz
- core-27.5.1.tgz
- jest-config-27.5.1.tgz
- jest-environment-jsdom-27.5.1.tgz
- jsdom-16.7.0.tgz
- ❌ ws-7.5.8.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: Jun 17, 2024 07:09 PM
URL: CVE-2024-37890
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-3h5v-q93c-6h6q
Release Date: Jun 17, 2024 07:09 PM
Fix Resolution : ws - 5.2.4,6.2.3,7.5.10,8.17.1
🔴CVE-2024-4068
Vulnerable Library - braces-3.0.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In "lib/parse.js," if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Publish Date: May 13, 2024 10:06 AM
URL: CVE-2024-4068
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: micromatch/braces#37
Release Date: May 13, 2024 10:06 AM
Fix Resolution : braces - 3.0.3
🔴CVE-2024-45296
Vulnerable Library - path-to-regexp-0.1.7.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - webpack-dev-server-4.9.1.tgz
    - express-4.18.1.tgz
      - ❌ path-to-regexp-0.1.7.tgz (Vulnerable Library)
- express-4.18.1.tgz (Root Library)
  - ❌ path-to-regexp-0.1.7.tgz (Vulnerable Library)
- react-scripts-3.4.4.tgz (Root Library)
  - webpack-dev-server-3.11.0.tgz
    - express-4.18.1.tgz
      - ❌ path-to-regexp-0.1.7.tgz (Vulnerable Library)
Vulnerability Details
path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Publish Date: Sep 09, 2024 07:07 PM
URL: CVE-2024-45296
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-9wv6-86v2-598j
Release Date: Sep 09, 2024 07:07 PM
Fix Resolution : path-to-regexp - 0.1.10,1.9.0,3.3.0,6.3.0,8.0.0
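Because express-4.18.1 is listed as a root library here, the application's own route definitions are what determine whether the bad regular expression is ever generated. The advisory gives the exact shape to look for (two parameters in one path segment, separated by anything other than a period), which makes it a cheap static check. The function below is an added example, not path-to-regexp's code: it scans Express-style route strings for that shape so the offending routes can be rewritten ahead of the upgrade. The function name and the sample routes are this example's own.

```javascript
'use strict';

// Report every path segment that holds two ":param" tokens not separated by ".".
// Returns one record per offending parameter pair, with the separator seen.
function findRiskyRoutes(routes) {
  const risky = [];
  for (const route of routes) {
    for (const segment of route.split('/')) {
      const params = [...segment.matchAll(/:([A-Za-z_$][\w$]*)/g)];
      for (let i = 1; i < params.length; i++) {
        const prev = params[i - 1];
        const between = segment.slice(prev.index + prev[0].length, params[i].index);
        if (between !== '.') {
          risky.push({ route, segment, params: [prev[1], params[i][1]], separator: between });
        }
      }
    }
  }
  return risky;
}

// Constructed sample routes: the last two are the shape the advisory describes.
const SAMPLE_ROUTES = [
  '/users/:id',
  '/files/:name.:ext',        // period-separated: the exempt case
  '/range/:from-:to',         // hyphen-separated: risky
  '/pairs/:left:right',       // adjacent, no separator: risky
];

for (const hit of findRiskyRoutes(SAMPLE_ROUTES)) {
  console.log(`${hit.route}: ":${hit.params[0]}" and ":${hit.params[1]}" share a segment (separator ${JSON.stringify(hit.separator)})`);
}
```

Feeding it the strings passed to `app.get`, `app.use` and `router.*` (or the `path` values from `app._router.stack`) gives the list of routes to restructure; a route like `/range/:from-:to` becomes `/range/:from/:to` or a query parameter.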
🔴CVE-2024-45590
Vulnerable Library - body-parser-1.20.0.tgz
Node.js body parsing middleware
Library home page: https://registry.npmjs.org/body-parser/-/body-parser-1.20.0.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - webpack-dev-server-4.9.1.tgz
    - express-4.18.1.tgz
      - ❌ body-parser-1.20.0.tgz (Vulnerable Library)
- ❌ body-parser-1.20.0.tgz (Vulnerable Library)
- express-4.18.1.tgz (Root Library)
  - ❌ body-parser-1.20.0.tgz (Vulnerable Library)
- react-scripts-3.4.4.tgz (Root Library)
  - webpack-dev-server-3.11.0.tgz
    - express-4.18.1.tgz
      - ❌ body-parser-1.20.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- damn-vulnerable-crypto-app-backend-1.0.0/src/middlewares/cspMiddleware.ts (Application)
- express-4.18.1/index.js (Extension)
- express-4.18.1/lib/express.js (Extension)
- body-parser-1.20.0/index.js (Extension)
-> ❌ body-parser-1.20.0/lib/types/urlencoded.js (Vulnerable Component)
Vulnerability Details
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
Publish Date: Sep 10, 2024 03:54 PM
URL: CVE-2024-45590
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.387%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-qwcr-r2fm-qrc7
Release Date: Sep 10, 2024 03:54 PM
Fix Resolution: body-parser - 1.20.3
🔴CVE-2024-52798
Vulnerable Library - path-to-regexp-0.1.7.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - webpack-dev-server-4.9.1.tgz
    - express-4.18.1.tgz
      - ❌ path-to-regexp-0.1.7.tgz (Vulnerable Library)
- express-4.18.1.tgz (Root Library)
  - ❌ path-to-regexp-0.1.7.tgz (Vulnerable Library)
- react-scripts-3.4.4.tgz (Root Library)
  - webpack-dev-server-3.11.0.tgz
    - express-4.18.1.tgz
      - ❌ path-to-regexp-0.1.7.tgz (Vulnerable Library)
Vulnerability Details
path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.
Publish Date: Dec 05, 2024 10:45 PM
URL: CVE-2024-52798
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-rhx6-c78j-4q9w
Release Date: Dec 05, 2024 10:45 PM
Fix Resolution: path-to-regexp - 0.1.12
Findings
Details
🟣CVE-2022-37601
Vulnerable Library - loader-utils-2.0.2.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
react-scripts-5.0.1.tgz (Root Library)
react-scripts-3.4.4.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Publish Date: Oct 12, 2022 12:00 AM
URL: CVE-2022-37601
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 18.844%
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: Oct 12, 2022 12:00 AM
Fix Resolution: loader-utils - 1.4.1,2.0.3
🟣CVE-2023-28154
Vulnerable Library - webpack-5.73.0.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.73.0.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Publish Date: Mar 13, 2023 12:00 AM
URL: CVE-2023-28154
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.348%
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin: webpack/webpack#16500
Release Date: Mar 13, 2023 12:00 AM
Fix Resolution: webpack - 5.76.0
🟣CVE-2026-33228
Vulnerable Library - flatted-3.2.5.tgz
A super light and fast circular JSON parser.
Library home page: https://registry.npmjs.org/flatted/-/flatted-3.2.5.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 20, 2026 11:06 PM
URL: CVE-2026-33228
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin: WebReflection/flatted@885ddcc
Release Date: Mar 20, 2026 11:06 PM
Fix Resolution: https://github.com/WebReflection/flatted.git - v3.4.2
🟣CVE-2026-41907
Vulnerable Library - uuid-8.3.2.tgz
RFC4122 (v1, v4, and v5) UUIDs
Library home page: https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
react-scripts-5.0.1.tgz (Root Library)
❌ uuid-8.3.2.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.
Publish Date: Apr 24, 2026 06:09 PM
URL: CVE-2026-41907
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin: GHSA-w5hq-g745-h8pq
Release Date: Apr 24, 2026 06:09 PM
Fix Resolution: https://github.com/uuidjs/uuid.git - v11.1.1,https://github.com/uuidjs/uuid.git - v12.0.1,https://github.com/uuidjs/uuid.git - v13.0.1
🟣CVE-2023-45133
Vulnerable Library - traverse-7.18.2.tgz
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.18.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
react-scripts-5.0.1.tgz (Root Library)
react-scripts-3.4.4.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Babel is a compiler for writing JavaScript. In "@babel/traverse" prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of "babel-traverse", using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the "path.evaluate()" or "path.evaluateTruthy()" internal Babel methods. Known affected plugins are "@babel/plugin-transform-runtime"; "@babel/preset-env" when using its "useBuiltIns" option; and any "polyfill provider" plugin that depends on "@babel/helper-define-polyfill-provider", such as "babel-plugin-polyfill-corejs3", "babel-plugin-polyfill-corejs2", "babel-plugin-polyfill-es-shims", "babel-plugin-polyfill-regenerator". No other plugins under the "@babel/" namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in "@babel/traverse@7.23.2" and "@babel/traverse@8.0.0-alpha.4". Those who cannot upgrade "@babel/traverse" and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected "@babel/traverse" versions: "@babel/plugin-transform-runtime" v7.23.2, "@babel/preset-env" v7.23.2, "@babel/helper-define-polyfill-provider" v0.4.3, "babel-plugin-polyfill-corejs2" v0.4.6, "babel-plugin-polyfill-corejs3" v0.8.5, "babel-plugin-polyfill-es-shims" v0.10.0, "babel-plugin-polyfill-regenerator" v0.5.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Oct 12, 2023 04:17 PM
URL: CVE-2023-45133
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: Oct 12, 2023 04:17 PM
Fix Resolution: @babel/traverse - 7.23.2
🟣CVE-2026-27606
Vulnerable Library - rollup-2.75.5.tgz
Next-generation ES module bundler
Library home page: https://registry.npmjs.org/rollup/-/rollup-2.75.5.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) are vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences ("../") to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
Publish Date: Feb 25, 2026 02:08 AM
URL: CVE-2026-27606
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 9.1
Suggested Fix
Type: Upgrade version
Origin: rollup/rollup@c8cf1f9
Release Date: Feb 25, 2026 02:08 AM
Fix Resolution: https://github.com/rollup/rollup.git - v2.80.0,https://github.com/rollup/rollup.git - v3.30.0,https://github.com/rollup/rollup.git - v4.59.0
🔴CVE-2025-7783
Vulnerable Library - form-data-3.0.1.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-3.0.1.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with the program file lib/form_data.js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jul 18, 2025 04:34 PM
URL: CVE-2025-7783
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.319%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-fjxv-7rqg-78g4
Release Date: Jul 18, 2025 04:34 PM
Fix Resolution: form-data - 2.5.4,form-data - 3.0.4,https://github.com/form-data/form-data.git - v2.5.4,form-data - 4.0.4,https://github.com/form-data/form-data.git - v4.0.4,https://github.com/form-data/form-data.git - v3.0.4
🔴CVE-2025-12816
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Publish Date: Nov 25, 2025 07:15 PM
URL: CVE-2025-12816
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.6
Suggested Fix
Type: Upgrade version
Origin: GHSA-5gfm-wpxj-wjgq
Release Date: Nov 25, 2025 07:15 PM
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.3.2,node-forge - 1.3.2
🔴CVE-2026-44728
Vulnerable Library - plugin-transform-modules-systemjs-7.18.4.tgz
This plugin transforms ES2015 modules to SystemJS
Library home page: https://registry.npmjs.org/@babel/plugin-transform-modules-systemjs/-/plugin-transform-modules-systemjs-7.18.4.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
react-scripts-5.0.1.tgz (Root Library)
react-scripts-3.4.4.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Impact:
Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. Known affected plugins are:
- "@babel/plugin-transform-modules-systemjs"
- "@babel/preset-env" when using the "modules: "systemjs"" option (https://babel.dev/docs/babel-preset-env#modules), as it delegates to "@babel/plugin-transform-modules-systemjs"
No other plugins under the "@babel" namespace are impacted. Users that only compile trusted code are not impacted.
Patches:
The vulnerability has been fixed in "@babel/plugin-transform-modules-systemjs@7.29.4". Babel also released "@babel/preset-env@7.29.5", updating its "@babel/plugin-transform-modules-systemjs" dependency, to simplify forcing the update if you are using "@babel/preset-env" directly.
Workarounds:
- Pin "@babel/parser" to v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and can not upgrade "@babel/plugin-transform-modules-systemjs" to v7.29.4.
- Do not use the "modules: "systemjs"" option; migrate the codebase to native ES Modules or any other module format.
Credits:
Babel thanks Daniel Cervera for reporting the vulnerability.
Publish Date: May 22, 2026 09:03 AM
URL: CVE-2026-44728
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-fv7c-fp4j-7gwp
Release Date: May 09, 2026 09:02 AM
Fix Resolution: @babel/plugin-transform-modules-systemjs - 8.0.0-alpha.13,@babel/plugin-transform-modules-systemjs - 7.29.4
🔴CVE-2026-4800
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
react-scripts-5.0.1.tgz (Root Library)
react-scripts-3.4.4.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Publish Date: Mar 31, 2026 07:25 PM
URL: CVE-2026-4800
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴CVE-2026-9277
Vulnerable Library - shell-quote-1.7.3.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.3.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
shell-quote's "quote()" function did not validate object-token inputs against the operator model used by "parse()". The ".op" field was backslash-escaped character by character using "/(.)/g", which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in ".op" therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of "{ op: '...\n...' }" from external input, and (2) via "parse(cmd, envFn)" when "envFn" returns object tokens whose ".op" is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: ".op" must match the parser's control-operator allowlist; "{ op: 'glob', pattern }" validates "pattern" and forbids line terminators; "{ comment }" validates "comment" and forbids line terminators; any other object shape throws "TypeError".
Publish Date: May 22, 2026 01:22 PM
URL: CVE-2026-9277
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 8.1
Suggested Fix
Type: Upgrade version
Origin: ljharb/shell-quote@4378a6e
Release Date: May 22, 2026 01:22 PM
Fix Resolution: https://github.com/ljharb/shell-quote.git - v1.8.4,shell-quote - 1.8.4
🔴CVE-2021-3803
Vulnerable Library - nth-check-1.0.2.tgz
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
react-scripts-5.0.1.tgz (Root Library)
react-scripts-3.4.4.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
nth-check is vulnerable to Inefficient Regular Expression Complexity.
Publish Date: Sep 17, 2021 12:00 AM
URL: CVE-2021-3803
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
react-scripts-5.0.1.tgz (Root Library)
react-scripts-3.4.4.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: Oct 17, 2022 12:00 AM
URL: CVE-2022-3517
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴CVE-2022-37599
Vulnerable Library - loader-utils-3.2.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-3.2.0.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: Oct 11, 2022 12:00 AM
URL: CVE-2022-37599
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 4.206%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-hhq3-ff78-jv3g
Release Date: Oct 11, 2022 12:00 AM
Fix Resolution: loader-utils - 1.4.2,2.0.4,3.2.1
🔴CVE-2022-37599
Vulnerable Library - loader-utils-2.0.2.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
react-scripts-5.0.1.tgz (Root Library)
react-scripts-3.4.4.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: Oct 11, 2022 12:00 AM
URL: CVE-2022-37599
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 4.206%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-hhq3-ff78-jv3g
Release Date: Oct 11, 2022 12:00 AM
Fix Resolution: loader-utils - 1.4.2,2.0.4,3.2.1
🔴CVE-2022-37603
Vulnerable Library - loader-utils-3.2.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-3.2.0.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: Oct 14, 2022 12:00 AM
URL: CVE-2022-37603
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.331%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: Oct 14, 2022 12:00 AM
Fix Resolution: loader-utils - 1.4.2,2.0.4,3.2.1
🔴CVE-2022-37603
Vulnerable Library - loader-utils-2.0.2.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
react-scripts-5.0.1.tgz (Root Library)
react-scripts-3.4.4.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: Oct 14, 2022 12:00 AM
URL: CVE-2022-37603
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.331%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: Oct 14, 2022 12:00 AM
Fix Resolution: loader-utils - 1.4.2,2.0.4,3.2.1
🔴CVE-2024-21536
Vulnerable Library - http-proxy-middleware-2.0.6.tgz
The one-liner node.js proxy middleware for connect, express and browser-sync
Library home page: https://registry.npmjs.org/http-proxy-middleware/-/http-proxy-middleware-2.0.6.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
Publish Date: Oct 19, 2024 05:00 AM
URL: CVE-2024-21536
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴CVE-2024-21538
Vulnerable Library - cross-spawn-7.0.3.tgz
Cross platform child_process#spawn and child_process#spawnSync
Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
react-scripts-5.0.1.tgz (Root Library)
cross-env-7.0.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Publish Date: Nov 08, 2024 05:00 AM
URL: CVE-2024-21538
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-21538
Release Date: Nov 08, 2024 05:00 AM
Fix Resolution: org.webjars.npm:cross-spawn:6.0.6,https://github.com/moxystudio/node-cross-spawn.git - v6.0.6,https://github.com/moxystudio/node-cross-spawn.git - v7.0.5,cross-spawn - 7.0.5,cross-spawn - 6.0.6
🔴CVE-2024-37890
Vulnerable Library - ws-8.7.0.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-8.7.0.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways:
1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: Jun 17, 2024 07:09 PM
URL: CVE-2024-37890
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-3h5v-q93c-6h6q
Release Date: Jun 17, 2024 07:09 PM
Fix Resolution: ws - 5.2.4,6.2.3,7.5.10,8.17.1
🔴CVE-2024-37890
Vulnerable Library - ws-7.5.8.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-7.5.8.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways:
1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: Jun 17, 2024 07:09 PM
URL: CVE-2024-37890
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-3h5v-q93c-6h6q
Release Date: Jun 17, 2024 07:09 PM
Fix Resolution: ws - 5.2.4,6.2.3,7.5.10,8.17.1
🔴CVE-2024-4068
Vulnerable Library - braces-3.0.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
react-scripts-5.0.1.tgz (Root Library)
react-scripts-3.4.4.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In "lib/parse.js," if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Publish Date: May 13, 2024 10:06 AM
URL: CVE-2024-4068
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: micromatch/braces#37
Release Date: May 13, 2024 10:06 AM
Fix Resolution: braces - 3.0.3
🔴CVE-2024-45296
Vulnerable Library - path-to-regexp-0.1.7.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz
Dependency Hierarchy:
react-scripts-5.0.1.tgz (Root Library)
express-4.18.1.tgz (Root Library)
react-scripts-3.4.4.tgz (Root Library)
Vulnerability Details
path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Publish Date: Sep 09, 2024 07:07 PM
URL: CVE-2024-45296
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-9wv6-86v2-598j
Release Date: Sep 09, 2024 07:07 PM
Fix Resolution: path-to-regexp - 0.1.10,1.9.0,3.3.0,6.3.0,8.0.0
🔴CVE-2024-45590
Vulnerable Library - body-parser-1.20.0.tgz
Node.js body parsing middleware
Library home page: https://registry.npmjs.org/body-parser/-/body-parser-1.20.0.tgz
Path to dependency file: /frontend/package.json
Dependency Hierarchy:
react-scripts-5.0.1.tgz (Root Library)
❌ body-parser-1.20.0.tgz (Vulnerable Library)
express-4.18.1.tgz (Root Library)
react-scripts-3.4.4.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
Publish Date: Sep 10, 2024 03:54 PM
URL: CVE-2024-45590
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.387%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-qwcr-r2fm-qrc7
Release Date: Sep 10, 2024 03:54 PM
Fix Resolution: body-parser - 1.20.3
🔴CVE-2024-52798
Vulnerable Library - path-to-regexp-0.1.7.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz
Dependency Hierarchy:
react-scripts-5.0.1.tgz (Root Library)
express-4.18.1.tgz (Root Library)
react-scripts-3.4.4.tgz (Root Library)
Vulnerability Details
path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.
Publish Date: Dec 05, 2024 10:45 PM
URL: CVE-2024-52798
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-rhx6-c78j-4q9w
Release Date: Dec 05, 2024 10:45 PM
Fix Resolution: path-to-regexp - 0.1.12