📂 Vulnerable Library - express-session-1.17.3.tgz
Simple session middleware for Express
Path to dependency file: /backend/package.json
Findings
| Finding |
Severity |
🎯 CVSS |
Exploit Maturity |
EPSS |
Library |
Type |
Fixed in |
Remediation Available |
Reachability |
| CVE-2024-47764 |
🟠 Medium |
5.3 |
Not Defined |
< 1% |
cookie-0.4.2.tgz |
Transitive |
N/A |
❌ |
 Unreachable |
| CVE-2025-7339 |
🟡 Low |
3.4 |
Not Defined |
< 1% |
on-headers-1.0.2.tgz |
Transitive |
N/A |
❌ |
Unreachable |
Details
🟠CVE-2024-47764
Vulnerable Library - cookie-0.4.2.tgz
HTTP server cookie parsing and serialization
Library home page: https://registry.npmjs.org/cookie/-/cookie-0.4.2.tgz
Path to dependency file: /backend/package.json
Dependency Hierarchy:
- express-session-1.17.3.tgz (Root Library)
- ❌ cookie-0.4.2.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Publish Date: Oct 04, 2024 07:09 PM
URL: CVE-2024-47764
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-pxg6-pf52-xh8x
Release Date: Oct 04, 2024 07:09 PM
Fix Resolution : cookie - 0.7.0
🟡CVE-2025-7339
Vulnerable Library - on-headers-1.0.2.tgz
Execute a listener when a response is about to write headers
Library home page: https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
-
react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.9.1.tgz
- compression-1.7.4.tgz
- ❌ on-headers-1.0.2.tgz (Vulnerable Library)
-
express-session-1.17.3.tgz (Root Library)
- ❌ on-headers-1.0.2.tgz (Vulnerable Library)
-
react-scripts-3.4.4.tgz (Root Library)
- webpack-dev-server-3.11.0.tgz
- compression-1.7.4.tgz
- ❌ on-headers-1.0.2.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions "<1.1.0" may result in response headers being inadvertently modified when an array is passed to "response.writeHead()". Users should upgrade to version 1.1.0 to receive a patch. Uses are strongly encouraged to upgrade to "1.1.0", but this issue can be worked around by passing an object to "response.writeHead()" rather than an array.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jul 17, 2025 03:47 PM
URL: CVE-2025-7339
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 3.4
Suggested Fix
Type: Upgrade version
Origin: GHSA-76c9-3jph-rj3q
Release Date: Jul 17, 2025 03:47 PM
Fix Resolution : on-headers - 1.1.0,https://github.com/jshttp/on-headers.git - v1.1.0
📂 Vulnerable Library - express-session-1.17.3.tgz
Simple session middleware for Express
Path to dependency file: /backend/package.json
Findings
Details
🟠CVE-2024-47764
Vulnerable Library - cookie-0.4.2.tgz
HTTP server cookie parsing and serialization
Library home page: https://registry.npmjs.org/cookie/-/cookie-0.4.2.tgz
Path to dependency file: /backend/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Publish Date: Oct 04, 2024 07:09 PM
URL: CVE-2024-47764
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-pxg6-pf52-xh8x
Release Date: Oct 04, 2024 07:09 PM
Fix Resolution : cookie - 0.7.0
🟡CVE-2025-7339
Vulnerable Library - on-headers-1.0.2.tgz
Execute a listener when a response is about to write headers
Library home page: https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
react-scripts-5.0.1.tgz (Root Library)
express-session-1.17.3.tgz (Root Library)
react-scripts-3.4.4.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions "<1.1.0" may result in response headers being inadvertently modified when an array is passed to "response.writeHead()". Users should upgrade to version 1.1.0 to receive a patch. Uses are strongly encouraged to upgrade to "1.1.0", but this issue can be worked around by passing an object to "response.writeHead()" rather than an array.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jul 17, 2025 03:47 PM
URL: CVE-2025-7339
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 3.4
Suggested Fix
Type: Upgrade version
Origin: GHSA-76c9-3jph-rj3q
Release Date: Jul 17, 2025 03:47 PM
Fix Resolution : on-headers - 1.1.0,https://github.com/jshttp/on-headers.git - v1.1.0