{ "auditReportVersion": 2, "vulnerabilities": { "@angular-devkit/core": { "name": "@angular-devkit/core", "severity": "moderate", "isDirect": false, "via": [ "ajv", "picomatch" ], "effects": [ "@angular-devkit/schematics", "@angular-devkit/schematics-cli", "@nestjs/cli", "@nestjs/schematics" ], "range": "12.0.0-next.0 - 19.2.22 || 20.0.0-next.0 - 20.3.21 || 21.0.0-next.0 - 21.2.4 || 22.0.0-next.0 - 22.0.0-next.3", "nodes": [ "node_modules/@angular-devkit/core", "node_modules/@compodoc/compodoc/node_modules/@angular-devkit/core", "node_modules/@nestjs/schematics/node_modules/@angular-devkit/core" ], "fixAvailable": { "name": "@compodoc/compodoc", "version": "1.1.23", "isSemVerMajor": true } }, "@angular-devkit/schematics": { "name": "@angular-devkit/schematics", "severity": "moderate", "isDirect": false, "via": [ "@angular-devkit/core" ], "effects": [ "@compodoc/compodoc" ], "range": "17.2.0-next.0 - 19.2.22 || 20.0.0-next.0 - 20.3.21 || 21.0.0-next.0 - 21.2.4 || 22.0.0-next.0 - 22.0.0-next.3", "nodes": [ "node_modules/@angular-devkit/schematics", "node_modules/@compodoc/compodoc/node_modules/@angular-devkit/schematics", "node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics" ], "fixAvailable": { "name": "@compodoc/compodoc", "version": "1.1.23", "isSemVerMajor": true } }, "@angular-devkit/schematics-cli": { "name": "@angular-devkit/schematics-cli", "severity": "moderate", "isDirect": false, "via": [ "@angular-devkit/core", "@angular-devkit/schematics" ], "effects": [], "range": "17.2.0-next.0 - 19.2.22 || 20.0.0-next.0 - 20.3.21 || 21.0.0-next.0 - 21.2.4 || 22.0.0-next.0 - 22.0.0-next.3", "nodes": [ "node_modules/@angular-devkit/schematics-cli" ], "fixAvailable": true }, "@aws-sdk/client-sesv2": { "name": "@aws-sdk/client-sesv2", "severity": "high", "isDirect": false, "via": [ "@aws-sdk/core", "@aws-sdk/credential-provider-node", "@aws-sdk/middleware-user-agent", "@aws-sdk/signature-v4-multi-region", "@aws-sdk/util-user-agent-node" ], "effects": [], "range": "3.894.0 - 3.978.0", "nodes": [ "node_modules/@aws-sdk/client-sesv2" ], "fixAvailable": true }, "@aws-sdk/client-sso": { "name": "@aws-sdk/client-sso", "severity": "high", "isDirect": false, "via": [ "@aws-sdk/core", "@aws-sdk/middleware-user-agent", "@aws-sdk/util-user-agent-node" ], "effects": [], "range": "3.894.0 - 3.972.0", "nodes": [ "node_modules/@aws-sdk/client-sso" ], "fixAvailable": true }, "@aws-sdk/core": { "name": "@aws-sdk/core", "severity": "high", "isDirect": false, "via": [ "@aws-sdk/xml-builder" ], "effects": [ "@aws-sdk/client-sesv2", "@aws-sdk/client-sso", "@aws-sdk/credential-provider-env", "@aws-sdk/credential-provider-http", "@aws-sdk/credential-provider-ini", "@aws-sdk/credential-provider-login", "@aws-sdk/credential-provider-process", "@aws-sdk/credential-provider-sso", "@aws-sdk/credential-provider-web-identity", "@aws-sdk/middleware-sdk-s3", "@aws-sdk/middleware-user-agent", "@aws-sdk/nested-clients", "@aws-sdk/token-providers" ], "range": "3.894.0 - 3.972.0", "nodes": [ "node_modules/@aws-sdk/core" ], "fixAvailable": true }, "@aws-sdk/credential-provider-env": { "name": "@aws-sdk/credential-provider-env", "severity": "high", "isDirect": false, "via": [ "@aws-sdk/core" ], "effects": [], "range": "3.894.0 - 3.972.0", "nodes": [ "node_modules/@aws-sdk/credential-provider-env" ], "fixAvailable": true }, "@aws-sdk/credential-provider-http": { "name": "@aws-sdk/credential-provider-http", "severity": "high", "isDirect": false, "via": [ "@aws-sdk/core" ], "effects": [ "@aws-sdk/credential-provider-node" ], "range": "3.894.0 - 3.972.0", "nodes": [ "node_modules/@aws-sdk/credential-provider-http" ], "fixAvailable": true }, "@aws-sdk/credential-provider-ini": { "name": "@aws-sdk/credential-provider-ini", "severity": "high", "isDirect": false, "via": [ "@aws-sdk/core", "@aws-sdk/credential-provider-env", "@aws-sdk/credential-provider-http", "@aws-sdk/credential-provider-login", "@aws-sdk/credential-provider-process", "@aws-sdk/credential-provider-sso", "@aws-sdk/credential-provider-web-identity", "@aws-sdk/nested-clients" ], "effects": [], "range": "3.894.0 - 3.972.0", "nodes": [ "node_modules/@aws-sdk/credential-provider-ini" ], "fixAvailable": true }, "@aws-sdk/credential-provider-login": { "name": "@aws-sdk/credential-provider-login", "severity": "high", "isDirect": false, "via": [ "@aws-sdk/core", "@aws-sdk/nested-clients" ], "effects": [ "@aws-sdk/credential-provider-ini" ], "range": "<=3.972.0", "nodes": [ "node_modules/@aws-sdk/credential-provider-login" ], "fixAvailable": true }, "@aws-sdk/credential-provider-node": { "name": "@aws-sdk/credential-provider-node", "severity": "high", "isDirect": false, "via": [ "@aws-sdk/credential-provider-env", "@aws-sdk/credential-provider-http", "@aws-sdk/credential-provider-ini", "@aws-sdk/credential-provider-process", "@aws-sdk/credential-provider-sso", "@aws-sdk/credential-provider-web-identity" ], "effects": [], "range": "3.894.0 - 3.972.0", "nodes": [ "node_modules/@aws-sdk/credential-provider-node" ], "fixAvailable": true }, "@aws-sdk/credential-provider-process": { "name": "@aws-sdk/credential-provider-process", "severity": "high", "isDirect": false, "via": [ "@aws-sdk/core" ], "effects": [], "range": "3.894.0 - 3.972.0", "nodes": [ "node_modules/@aws-sdk/credential-provider-process" ], "fixAvailable": true }, "@aws-sdk/credential-provider-sso": { "name": "@aws-sdk/credential-provider-sso", "severity": "high", "isDirect": false, "via": [ "@aws-sdk/client-sso", "@aws-sdk/core", "@aws-sdk/token-providers" ], "effects": [], "range": "3.894.0 - 3.972.0", "nodes": [ "node_modules/@aws-sdk/credential-provider-sso" ], "fixAvailable": true }, "@aws-sdk/credential-provider-web-identity": { "name": "@aws-sdk/credential-provider-web-identity", "severity": "high", "isDirect": false, "via": [ "@aws-sdk/core", "@aws-sdk/nested-clients" ], "effects": [], "range": "3.894.0 - 3.972.0", "nodes": [ "node_modules/@aws-sdk/credential-provider-web-identity" ], "fixAvailable": true }, "@aws-sdk/middleware-sdk-s3": { "name": "@aws-sdk/middleware-sdk-s3", "severity": "high", "isDirect": false, "via": [ "@aws-sdk/core" ], "effects": [ "@aws-sdk/signature-v4-multi-region" ], "range": "3.894.0 - 3.972.0", "nodes": [ "node_modules/@aws-sdk/middleware-sdk-s3" ], "fixAvailable": true }, "@aws-sdk/middleware-user-agent": { "name": "@aws-sdk/middleware-user-agent", "severity": "high", "isDirect": false, "via": [ "@aws-sdk/core" ], "effects": [ "@aws-sdk/util-user-agent-node" ], "range": "3.894.0 - 3.972.0", "nodes": [ "node_modules/@aws-sdk/middleware-user-agent" ], "fixAvailable": true }, "@aws-sdk/nested-clients": { "name": "@aws-sdk/nested-clients", "severity": "high", "isDirect": false, "via": [ "@aws-sdk/core", "@aws-sdk/middleware-user-agent", "@aws-sdk/util-user-agent-node" ], "effects": [], "range": "3.894.0 - 3.972.0", "nodes": [ "node_modules/@aws-sdk/nested-clients" ], "fixAvailable": true }, "@aws-sdk/signature-v4-multi-region": { "name": "@aws-sdk/signature-v4-multi-region", "severity": "high", "isDirect": false, "via": [ "@aws-sdk/middleware-sdk-s3" ], "effects": [ "@aws-sdk/client-sesv2" ], "range": "3.894.0 - 3.972.0", "nodes": [ "node_modules/@aws-sdk/signature-v4-multi-region" ], "fixAvailable": true }, "@aws-sdk/token-providers": { "name": "@aws-sdk/token-providers", "severity": "high", "isDirect": false, "via": [ "@aws-sdk/core", "@aws-sdk/nested-clients" ], "effects": [], "range": "3.894.0 - 3.972.0", "nodes": [ "node_modules/@aws-sdk/token-providers" ], "fixAvailable": true }, "@aws-sdk/util-user-agent-node": { "name": "@aws-sdk/util-user-agent-node", "severity": "high", "isDirect": false, "via": [ "@aws-sdk/middleware-user-agent" ], "effects": [], "range": "3.894.0 - 3.972.0", "nodes": [ "node_modules/@aws-sdk/util-user-agent-node" ], "fixAvailable": true }, "@aws-sdk/xml-builder": { "name": "@aws-sdk/xml-builder", "severity": "high", "isDirect": false, "via": [ "fast-xml-parser" ], "effects": [ "@aws-sdk/core" ], "range": "3.894.0 - 3.972.2", "nodes": [ "node_modules/@aws-sdk/xml-builder" ], "fixAvailable": true }, "@casl/ability": { "name": "@casl/ability", "severity": "critical", "isDirect": true, "via": [ { "source": 1113148, "name": "@casl/ability", "dependency": "@casl/ability", "title": "CASL Ability is Vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-x9vf-53q3-cvx6", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=2.4.0 <=6.7.4" } ], "effects": [], "range": "2.4.0 - 6.7.3", "nodes": [ "node_modules/@casl/ability" ], "fixAvailable": true }, "@compodoc/compodoc": { "name": "@compodoc/compodoc", "severity": "moderate", "isDirect": true, "via": [ "@angular-devkit/schematics" ], "effects": [], "range": ">=1.1.24", "nodes": [ "node_modules/@compodoc/compodoc" ], "fixAvailable": { "name": "@compodoc/compodoc", "version": "1.1.23", "isSemVerMajor": true } }, "@elastic/elasticsearch": { "name": "@elastic/elasticsearch", "severity": "moderate", "isDirect": true, "via": [ "@elastic/transport" ], "effects": [], "range": "8.0.0-alpha.0 - 8.0.0-beta.1 || 8.6.1 || 8.7.3 || 8.8.2 || 8.9.2 || 8.10.1 || 8.11.1 || 8.12.3 || 8.13.1", "nodes": [ "node_modules/@elastic/elasticsearch" ], "fixAvailable": true }, "@elastic/transport": { "name": "@elastic/transport", "severity": "moderate", "isDirect": false, "via": [ "undici" ], "effects": [ "@elastic/elasticsearch" ], "range": "<=8.4.1", "nodes": [ "node_modules/@elastic/transport" ], "fixAvailable": true }, "@isaacs/brace-expansion": { "name": "@isaacs/brace-expansion", "severity": "high", "isDirect": false, "via": [ { "source": 1112954, "name": "@isaacs/brace-expansion", "dependency": "@isaacs/brace-expansion", "title": "@isaacs/brace-expansion has Uncontrolled Resource Consumption", "url": "https://github.com/advisories/GHSA-7h2j-956f-4vf2", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": "<=5.0.0" } ], "effects": [], "range": "5.0.0", "nodes": [ "node_modules/@isaacs/brace-expansion" ], "fixAvailable": true }, "@nestjs-modules/ioredis": { "name": "@nestjs-modules/ioredis", "severity": "moderate", "isDirect": true, "via": [ "@nestjs/terminus" ], "effects": [], "range": "1.2.0 - 2.0.2", "nodes": [ "node_modules/@nestjs-modules/ioredis" ], "fixAvailable": true }, "@nestjs/cli": { "name": "@nestjs/cli", "severity": "moderate", "isDirect": true, "via": [ "@angular-devkit/core", "@angular-devkit/schematics", "@angular-devkit/schematics-cli", "webpack" ], "effects": [], "range": "8.1.3 - 11.0.17 || >=12.0.0-alpha.0", "nodes": [ "node_modules/@nestjs/cli" ], "fixAvailable": true }, "@nestjs/common": { "name": "@nestjs/common", "severity": "moderate", "isDirect": true, "via": [ "file-type" ], "effects": [], "range": "10.4.16 - 10.4.22 || 11.0.16 - 11.1.16 || >=12.0.0-alpha.0", "nodes": [ "node_modules/@nestjs/common" ], "fixAvailable": true }, "@nestjs/config": { "name": "@nestjs/config", "severity": "moderate", "isDirect": true, "via": [ "lodash" ], "effects": [], "range": "1.1.6 - 4.0.2", "nodes": [ "node_modules/@nestjs/config" ], "fixAvailable": true }, "@nestjs/core": { "name": "@nestjs/core", "severity": "high", "isDirect": true, "via": [ { "source": 1116226, "name": "@nestjs/core", "dependency": "@nestjs/core", "title": "@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')", "url": "https://github.com/advisories/GHSA-36xv-jgw5-4q75", "severity": "moderate", "cwe": [ "CWE-74" ], "cvss": { "score": 0, "vectorString": null }, "range": "<=11.1.17" }, "path-to-regexp" ], "effects": [ "@nestjs/terminus", "@nestjs/typeorm" ], "range": "<=11.1.17 || >=12.0.0-alpha.0", "nodes": [ "node_modules/@nestjs/core" ], "fixAvailable": true }, "@nestjs/platform-express": { "name": "@nestjs/platform-express", "severity": "high", "isDirect": true, "via": [ "multer", "path-to-regexp" ], "effects": [], "range": "<=11.1.17 || >=12.0.0-alpha.0", "nodes": [ "node_modules/@nestjs/platform-express" ], "fixAvailable": true }, "@nestjs/schematics": { "name": "@nestjs/schematics", "severity": "moderate", "isDirect": true, "via": [ "@angular-devkit/core", "@angular-devkit/schematics" ], "effects": [], "range": "10.1.2 - 11.0.9 || >=12.0.0-alpha.0", "nodes": [ "node_modules/@nestjs/schematics" ], "fixAvailable": true }, "@nestjs/swagger": { "name": "@nestjs/swagger", "severity": "high", "isDirect": true, "via": [ "lodash", "path-to-regexp" ], "effects": [], "range": "1.1.0 - 1.1.4 || 3.0.1 - 11.2.6", "nodes": [ "node_modules/@nestjs/swagger" ], "fixAvailable": true }, "@nestjs/terminus": { "name": "@nestjs/terminus", "severity": "moderate", "isDirect": false, "via": [ "@nestjs/core", "@nestjs/typeorm" ], "effects": [ "@nestjs-modules/ioredis" ], "range": "<=10.3.0", "nodes": [ "node_modules/@nestjs-modules/ioredis/node_modules/@nestjs/terminus" ], "fixAvailable": true }, "@nestjs/typeorm": { "name": "@nestjs/typeorm", "severity": "moderate", "isDirect": false, "via": [ "@nestjs/core" ], "effects": [ "@nestjs/terminus" ], "range": "5.1.0 - 10.0.2", "nodes": [ "node_modules/@nestjs-modules/ioredis/node_modules/@nestjs/typeorm" ], "fixAvailable": true }, "ajv": { "name": "ajv", "severity": "moderate", "isDirect": true, "via": [ { "source": 1113714, "name": "ajv", "dependency": "ajv", "title": "ajv has ReDoS when using `$data` option", "url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6", "severity": "moderate", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": "<6.14.0" }, { "source": 1113715, "name": "ajv", "dependency": "ajv", "title": "ajv has ReDoS when using `$data` option", "url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6", "severity": "moderate", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=7.0.0-alpha.0 <8.18.0" } ], "effects": [ "@angular-devkit/core" ], "range": "<6.14.0 || >=7.0.0-alpha.0 <8.18.0", "nodes": [ "node_modules/@eslint/eslintrc/node_modules/ajv", "node_modules/ajv", "node_modules/eslint/node_modules/ajv", "node_modules/schema-utils/node_modules/ajv" ], "fixAvailable": { "name": "@compodoc/compodoc", "version": "1.1.23", "isSemVerMajor": true } }, "axios": { "name": "axios", "severity": "high", "isDirect": true, "via": [ { "source": 1113275, "name": "axios", "dependency": "axios", "title": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig", "url": "https://github.com/advisories/GHSA-43fc-jf86-j433", "severity": "high", "cwe": [ "CWE-754" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=1.0.0 <=1.13.4" }, { "source": 1116673, "name": "axios", "dependency": "axios", "title": "Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF", "url": "https://github.com/advisories/GHSA-3p68-rc4w-qgx5", "severity": "moderate", "cwe": [ "CWE-441", "CWE-918" ], "cvss": { "score": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": ">=1.0.0 <1.15.0" }, { "source": 1116675, "name": "axios", "dependency": "axios", "title": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain", "url": "https://github.com/advisories/GHSA-fvcv-3m26-pcqx", "severity": "moderate", "cwe": [ "CWE-113", "CWE-444", "CWE-918" ], "cvss": { "score": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": ">=1.0.0 <1.15.0" } ], "effects": [], "range": "1.0.0 - 1.14.0", "nodes": [ "node_modules/axios" ], "fixAvailable": true }, "body-parser": { "name": "body-parser", "severity": "moderate", "isDirect": false, "via": [ { "source": 1110858, "name": "body-parser", "dependency": "body-parser", "title": "body-parser is vulnerable to denial of service when url encoding is used", "url": "https://github.com/advisories/GHSA-wqch-xfxh-vrr4", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=2.2.0 <2.2.1" } ], "effects": [], "range": "2.2.0", "nodes": [ "node_modules/body-parser" ], "fixAvailable": true }, "brace-expansion": { "name": "brace-expansion", "severity": "moderate", "isDirect": false, "via": [ { "source": 1115540, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, "range": "<1.1.13" }, { "source": 1115541, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, "range": ">=2.0.0 <2.0.3" } ], "effects": [], "range": "<1.1.13 || >=2.0.0 <2.0.3", "nodes": [ "node_modules/@jest/reporters/node_modules/brace-expansion", "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion", "node_modules/brace-expansion", "node_modules/jest-config/node_modules/brace-expansion", "node_modules/jest-runtime/node_modules/brace-expansion", "node_modules/typeorm/node_modules/brace-expansion" ], "fixAvailable": true }, "diff": { "name": "diff", "severity": "low", "isDirect": false, "via": [ { "source": 1112704, "name": "diff", "dependency": "diff", "title": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch", "url": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx", "severity": "low", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=4.0.0 <4.0.4" } ], "effects": [], "range": "4.0.0 - 4.0.3", "nodes": [ "node_modules/diff" ], "fixAvailable": true }, "fast-xml-parser": { "name": "fast-xml-parser", "severity": "critical", "isDirect": false, "via": [ { "source": 1113153, "name": "fast-xml-parser", "dependency": "fast-xml-parser", "title": "fast-xml-parser has RangeError DoS Numeric Entities Bug", "url": "https://github.com/advisories/GHSA-37qj-frw5-hhjh", "severity": "high", "cwe": [ "CWE-20", "CWE-248" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=5.0.9 <=5.3.3" }, { "source": 1113568, "name": "fast-xml-parser", "dependency": "fast-xml-parser", "title": "fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names", "url": "https://github.com/advisories/GHSA-m7jm-9gc2-mpf2", "severity": "critical", "cwe": [ "CWE-185" ], "cvss": { "score": 9.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N" }, "range": ">=5.0.0 <5.3.5" }, { "source": 1113569, "name": "fast-xml-parser", "dependency": "fast-xml-parser", "title": "fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)", "url": "https://github.com/advisories/GHSA-jmr7-xgp7-cmfj", "severity": "high", "cwe": [ "CWE-776" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=5.0.0 <5.3.6" }, { "source": 1114153, "name": "fast-xml-parser", "dependency": "fast-xml-parser", "title": "fast-xml-parser has stack overflow in XMLBuilder with preserveOrder", "url": "https://github.com/advisories/GHSA-fj3w-jwp8-x2g3", "severity": "low", "cwe": [ "CWE-120" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=5.0.0 <5.3.8" }, { "source": 1115339, "name": "fast-xml-parser", "dependency": "fast-xml-parser", "title": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)", "url": "https://github.com/advisories/GHSA-8gc5-j5rx-235r", "severity": "high", "cwe": [ "CWE-776" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=5.0.0 <5.5.6" }, { "source": 1116307, "name": "fast-xml-parser", "dependency": "fast-xml-parser", "title": "Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser", "url": "https://github.com/advisories/GHSA-jp2q-39xq-3w4g", "severity": "moderate", "cwe": [ "CWE-1284" ], "cvss": { "score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=5.0.0 <5.5.7" } ], "effects": [ "@aws-sdk/xml-builder" ], "range": "5.0.0 - 5.5.6", "nodes": [ "node_modules/fast-xml-parser" ], "fixAvailable": true }, "file-type": { "name": "file-type", "severity": "moderate", "isDirect": false, "via": [ { "source": 1114301, "name": "file-type", "dependency": "file-type", "title": "file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header", "url": "https://github.com/advisories/GHSA-5v7r-6r5c-r473", "severity": "moderate", "cwe": [ "CWE-835" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=13.0.0 <21.3.1" }, { "source": 1114726, "name": "file-type", "dependency": "file-type", "title": "file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry", "url": "https://github.com/advisories/GHSA-j47w-4g3g-c36v", "severity": "moderate", "cwe": [ "CWE-400", "CWE-409" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=20.0.0 <=21.3.1" } ], "effects": [ "@nestjs/common" ], "range": "13.0.0 - 21.3.1", "nodes": [ "node_modules/file-type" ], "fixAvailable": true }, "flatted": { "name": "flatted", "severity": "high", "isDirect": false, "via": [ { "source": 1114526, "name": "flatted", "dependency": "flatted", "title": "flatted vulnerable to unbounded recursion DoS in parse() revive phase", "url": "https://github.com/advisories/GHSA-25h7-pfq9-p65f", "severity": "high", "cwe": [ "CWE-674" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.4.0" }, { "source": 1115357, "name": "flatted", "dependency": "flatted", "title": "Prototype Pollution via parse() in NodeJS flatted", "url": "https://github.com/advisories/GHSA-rf6f-7fwh-wjgh", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 0, "vectorString": null }, "range": "<=3.4.1" } ], "effects": [], "range": "<=3.4.1", "nodes": [ "node_modules/flatted" ], "fixAvailable": true }, "follow-redirects": { "name": "follow-redirects", "severity": "moderate", "isDirect": false, "via": [ { "source": 1116560, "name": "follow-redirects", "dependency": "follow-redirects", "title": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets", "url": "https://github.com/advisories/GHSA-r4q5-vmmm-2653", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 0, "vectorString": null }, "range": "<=1.15.11" } ], "effects": [], "range": "<=1.15.11", "nodes": [ "node_modules/follow-redirects" ], "fixAvailable": true }, "handlebars": { "name": "handlebars", "severity": "critical", "isDirect": false, "via": [ { "source": 1115538, "name": "handlebars", "dependency": "handlebars", "title": "Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block", "url": "https://github.com/advisories/GHSA-3mfm-83xf-c92r", "severity": "high", "cwe": [ "CWE-94", "CWE-843" ], "cvss": { "score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=4.0.0 <=4.7.8" }, { "source": 1115539, "name": "handlebars", "dependency": "handlebars", "title": "Handlebars.js has JavaScript Injection via AST Type Confusion", "url": "https://github.com/advisories/GHSA-2w6w-674q-4c4q", "severity": "critical", "cwe": [ "CWE-94", "CWE-843" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=4.0.0 <=4.7.8" }, { "source": 1115544, "name": "handlebars", "dependency": "handlebars", "title": "Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection", "url": "https://github.com/advisories/GHSA-2qvq-rjwj-gvw9", "severity": "moderate", "cwe": [ "CWE-79", "CWE-1321" ], "cvss": { "score": 4.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": ">=4.0.0 <4.7.9" }, { "source": 1115588, "name": "handlebars", "dependency": "handlebars", "title": "Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry", "url": "https://github.com/advisories/GHSA-7rx3-28cr-v5wh", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": ">=4.6.0 <=4.7.8" }, { "source": 1115589, "name": "handlebars", "dependency": "handlebars", "title": "Handlebars.js has a Property Access Validation Bypass in container.lookup", "url": "https://github.com/advisories/GHSA-442j-39wm-28r2", "severity": "low", "cwe": [ "CWE-367" ], "cvss": { "score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, "range": ">=4.0.0 <=4.7.8" }, { "source": 1115692, "name": "handlebars", "dependency": "handlebars", "title": "Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options", "url": "https://github.com/advisories/GHSA-xjpj-3mr7-gcpf", "severity": "high", "cwe": [ "CWE-79", "CWE-94", "CWE-116" ], "cvss": { "score": 8.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, "range": ">=4.0.0 <=4.7.8" }, { "source": 1115693, "name": "handlebars", "dependency": "handlebars", "title": "Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial", "url": "https://github.com/advisories/GHSA-xhpv-hc6g-r9c6", "severity": "high", "cwe": [ "CWE-94", "CWE-843" ], "cvss": { "score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=4.0.0 <=4.7.8" }, { "source": 1115694, "name": "handlebars", "dependency": "handlebars", "title": "Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation", "url": "https://github.com/advisories/GHSA-9cx6-37pm-9jff", "severity": "high", "cwe": [ "CWE-754" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=4.0.0 <=4.7.8" } ], "effects": [], "range": "4.0.0 - 4.7.8", "nodes": [ "node_modules/handlebars" ], "fixAvailable": true }, "jws": { "name": "jws", "severity": "high", "isDirect": false, "via": [ { "source": 1111244, "name": "jws", "dependency": "jws", "title": "auth0/node-jws Improperly Verifies HMAC Signature", "url": "https://github.com/advisories/GHSA-869p-cjfg-cm3x", "severity": "high", "cwe": [ "CWE-347" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": "<3.2.3" } ], "effects": [], "range": "<3.2.3", "nodes": [ "node_modules/jws" ], "fixAvailable": true }, "lodash": { "name": "lodash", "severity": "high", "isDirect": false, "via": [ { "source": 1112455, "name": "lodash", "dependency": "lodash", "title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions", "url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, "range": ">=4.0.0 <=4.17.22" }, { "source": 1115806, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Code Injection via `_.template` imports key names", "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc", "severity": "high", "cwe": [ "CWE-94" ], "cvss": { "score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=4.0.0 <=4.17.23" }, { "source": 1115810, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, "range": "<=4.17.23" } ], "effects": [ "@nestjs/config", "@nestjs/swagger" ], "range": "<=4.17.23", "nodes": [ "node_modules/lodash" ], "fixAvailable": true }, "minimatch": { "name": "minimatch", "severity": "high", "isDirect": false, "via": [ { "source": 1113459, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": "<3.1.3" }, { "source": 1113465, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=9.0.0 <9.0.6" }, { "source": 1113466, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=10.0.0 <10.2.1" }, { "source": 1113538, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": [ "CWE-407" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.1.3" }, { "source": 1113544, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": [ "CWE-407" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=9.0.0 <9.0.7" }, { "source": 1113545, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": [ "CWE-407" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=10.0.0 <10.2.3" }, { "source": 1113546, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.1.4" }, { "source": 1113552, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=9.0.0 <9.0.7" }, { "source": 1113553, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=10.0.0 <10.2.3" } ], "effects": [], "range": "<=3.1.3 || 9.0.0 - 9.0.6 || 10.0.0 - 10.2.2", "nodes": [ "node_modules/@compodoc/compodoc/node_modules/minimatch", "node_modules/@jest/reporters/node_modules/minimatch", "node_modules/@ts-morph/common/node_modules/minimatch", "node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch", "node_modules/glob/node_modules/minimatch", "node_modules/jest-config/node_modules/minimatch", "node_modules/jest-runtime/node_modules/minimatch", "node_modules/minimatch", "node_modules/typeorm/node_modules/minimatch" ], "fixAvailable": true }, "multer": { "name": "multer", "severity": "high", "isDirect": true, "via": [ { "source": 1113635, "name": "multer", "dependency": "multer", "title": "Multer vulnerable to Denial of Service via incomplete cleanup", "url": "https://github.com/advisories/GHSA-xf7r-hgr6-v32p", "severity": "high", "cwe": [ "CWE-459" ], "cvss": { "score": 0, "vectorString": null }, "range": "<2.1.0" }, { "source": 1113636, "name": "multer", "dependency": "multer", "title": "Multer vulnerable to Denial of Service via resource exhaustion", "url": "https://github.com/advisories/GHSA-v52c-386h-88mc", "severity": "high", "cwe": [ "CWE-772" ], "cvss": { "score": 0, "vectorString": null }, "range": "<2.1.0" }, { "source": 1113996, "name": "multer", "dependency": "multer", "title": "Multer Vulnerable to Denial of Service via Uncontrolled Recursion", "url": "https://github.com/advisories/GHSA-5528-5vmv-3xc2", "severity": "high", "cwe": [ "CWE-674" ], "cvss": { "score": 0, "vectorString": null }, "range": "<2.1.1" } ], "effects": [ "@nestjs/platform-express" ], "range": "<=2.1.0", "nodes": [ "node_modules/multer" ], "fixAvailable": true }, "nodemailer": { "name": "nodemailer", "severity": "high", "isDirect": true, "via": [ { "source": 1113165, "name": "nodemailer", "dependency": "nodemailer", "title": "Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls", "url": "https://github.com/advisories/GHSA-rcmh-qjqh-p98v", "severity": "high", "cwe": [ "CWE-703" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<=7.0.10" }, { "source": 1115470, "name": "nodemailer", "dependency": "nodemailer", "title": "Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter", "url": "https://github.com/advisories/GHSA-c7w3-x93f-qmm8", "severity": "low", "cwe": [ "CWE-93" ], "cvss": { "score": 0, "vectorString": null }, "range": "<8.0.4" }, { "source": 1116270, "name": "nodemailer", "dependency": "nodemailer", "title": "Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO) ", "url": "https://github.com/advisories/GHSA-vvjj-xcjg-gr5g", "severity": "moderate", "cwe": [ "CWE-93" ], "cvss": { "score": 4.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N" }, "range": "<=8.0.4" } ], "effects": [], "range": "<=8.0.4", "nodes": [ "node_modules/nodemailer" ], "fixAvailable": true }, "path-to-regexp": { "name": "path-to-regexp", "severity": "high", "isDirect": false, "via": [ { "source": 1115573, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp vulnerable to Denial of Service via sequential optional groups", "url": "https://github.com/advisories/GHSA-j3q9-mxjg-w52f", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=8.0.0 <8.4.0" }, { "source": 1115582, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards", "url": "https://github.com/advisories/GHSA-27v5-c462-wpq7", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=8.0.0 <8.4.0" } ], "effects": [ "@nestjs/core", "@nestjs/platform-express", "@nestjs/swagger" ], "range": "8.0.0 - 8.3.0", "nodes": [ "node_modules/path-to-regexp" ], "fixAvailable": true }, "picomatch": { "name": "picomatch", "severity": "high", "isDirect": false, "via": [ { "source": 1115549, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching", "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<2.3.2" }, { "source": 1115551, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching", "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": ">=4.0.0 <4.0.4" }, { "source": 1115552, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers", "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<2.3.2" }, { "source": 1115554, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers", "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=4.0.0 <4.0.4" } ], "effects": [ "@angular-devkit/core" ], "range": "<=2.3.1 || 4.0.0 - 4.0.3", "nodes": [ "node_modules/@compodoc/compodoc/node_modules/picomatch", "node_modules/@compodoc/live-server/node_modules/picomatch", "node_modules/anymatch/node_modules/picomatch", "node_modules/micromatch/node_modules/picomatch", "node_modules/picomatch", "node_modules/tinyglobby/node_modules/picomatch" ], "fixAvailable": { "name": "@compodoc/compodoc", "version": "1.1.23", "isSemVerMajor": true } }, "qs": { "name": "qs", "severity": "moderate", "isDirect": false, "via": [ { "source": 1113161, "name": "qs", "dependency": "qs", "title": "qs's arrayLimit bypass in comma parsing allows denial of service", "url": "https://github.com/advisories/GHSA-w7fw-mjwx-w883", "severity": "low", "cwe": [ "CWE-20" ], "cvss": { "score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=6.7.0 <=6.14.1" }, { "source": 1113719, "name": "qs", "dependency": "qs", "title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion", "url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p", "severity": "moderate", "cwe": [ "CWE-20" ], "cvss": { "score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<6.14.1" } ], "effects": [], "range": "<=6.14.1", "nodes": [ "node_modules/qs" ], "fixAvailable": true }, "serialize-javascript": { "name": "serialize-javascript", "severity": "high", "isDirect": false, "via": [ { "source": 1113686, "name": "serialize-javascript", "dependency": "serialize-javascript", "title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()", "url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq", "severity": "high", "cwe": [ "CWE-96" ], "cvss": { "score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<=7.0.2" }, { "source": 1115723, "name": "serialize-javascript", "dependency": "serialize-javascript", "title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects", "url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v", "severity": "moderate", "cwe": [ "CWE-400", "CWE-834" ], "cvss": { "score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<7.0.5" } ], "effects": [ "terser-webpack-plugin" ], "range": "<=7.0.4", "nodes": [ "node_modules/serialize-javascript" ], "fixAvailable": true }, "socket.io-parser": { "name": "socket.io-parser", "severity": "high", "isDirect": false, "via": [ { "source": 1115154, "name": "socket.io-parser", "dependency": "socket.io-parser", "title": "socket.io allows an unbounded number of binary attachments", "url": "https://github.com/advisories/GHSA-677m-j7p3-52f9", "severity": "high", "cwe": [ "CWE-754" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=4.0.0 <4.2.6" } ], "effects": [], "range": "4.0.0 - 4.2.5", "nodes": [ "node_modules/socket.io-parser" ], "fixAvailable": true }, "terser-webpack-plugin": { "name": "terser-webpack-plugin", "severity": "high", "isDirect": false, "via": [ "serialize-javascript" ], "effects": [], "range": "<=5.3.16", "nodes": [ "node_modules/terser-webpack-plugin" ], "fixAvailable": true }, "undici": { "name": "undici", "severity": "high", "isDirect": false, "via": [ { "source": 1112496, "name": "undici", "dependency": "undici", "title": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion", "url": "https://github.com/advisories/GHSA-g9mf-h72j-4rw9", "severity": "moderate", "cwe": [ "CWE-770" ], "cvss": { "score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<6.23.0" }, { "source": 1112497, "name": "undici", "dependency": "undici", "title": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion", "url": "https://github.com/advisories/GHSA-g9mf-h72j-4rw9", "severity": "moderate", "cwe": [ "CWE-770" ], "cvss": { "score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.18.2" }, { "source": 1114591, "name": "undici", "dependency": "undici", "title": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client", "url": "https://github.com/advisories/GHSA-f269-vfmq-vjvj", "severity": "high", "cwe": [ "CWE-248", "CWE-1284" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.24.0" }, { "source": 1114593, "name": "undici", "dependency": "undici", "title": "Undici has an HTTP Request/Response Smuggling issue", "url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm", "severity": "moderate", "cwe": [ "CWE-444" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, "range": ">=7.0.0 <7.24.0" }, { "source": 1114594, "name": "undici", "dependency": "undici", "title": "Undici has an HTTP Request/Response Smuggling issue", "url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm", "severity": "moderate", "cwe": [ "CWE-444" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, "range": "<6.24.0" }, { "source": 1114637, "name": "undici", "dependency": "undici", "title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression", "url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q", "severity": "high", "cwe": [ "CWE-409" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.24.0" }, { "source": 1114638, "name": "undici", "dependency": "undici", "title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression", "url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q", "severity": "high", "cwe": [ "CWE-409" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<6.24.0" }, { "source": 1114639, "name": "undici", "dependency": "undici", "title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation", "url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8", "severity": "high", "cwe": [ "CWE-248" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.24.0" }, { "source": 1114640, "name": "undici", "dependency": "undici", "title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation", "url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8", "severity": "high", "cwe": [ "CWE-248" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<6.24.0" }, { "source": 1114641, "name": "undici", "dependency": "undici", "title": "Undici has CRLF Injection in undici via `upgrade` option", "url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq", "severity": "moderate", "cwe": [ "CWE-93" ], "cvss": { "score": 4.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, "range": ">=7.0.0 <7.24.0" }, { "source": 1114642, "name": "undici", "dependency": "undici", "title": "Undici has CRLF Injection in undici via `upgrade` option", "url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq", "severity": "moderate", "cwe": [ "CWE-93" ], "cvss": { "score": 4.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, "range": "<6.24.0" } ], "effects": [ "@elastic/transport" ], "range": "<=6.23.0 || 7.0.0 - 7.23.0", "nodes": [ "node_modules/cheerio/node_modules/undici", "node_modules/undici" ], "fixAvailable": true }, "webpack": { "name": "webpack", "severity": "low", "isDirect": false, "via": [ { "source": 1113041, "name": "webpack", "dependency": "webpack", "title": "webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior", "url": "https://github.com/advisories/GHSA-8fgc-7cc6-rx7x", "severity": "low", "cwe": [ "CWE-918" ], "cvss": { "score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, "range": ">=5.49.0 <=5.104.0" }, { "source": 1113042, "name": "webpack", "dependency": "webpack", "title": "webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence", "url": "https://github.com/advisories/GHSA-38r7-794h-5758", "severity": "low", "cwe": [ "CWE-918" ], "cvss": { "score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, "range": ">=5.49.0 <5.104.0" } ], "effects": [ "@nestjs/cli" ], "range": "5.49.0 - 5.104.0", "nodes": [ "node_modules/@nestjs/cli/node_modules/webpack", "node_modules/webpack" ], "fixAvailable": true } }, "metadata": { "vulnerabilities": { "info": 0, "low": 2, "moderate": 19, "high": 35, "critical": 3, "total": 59 }, "dependencies": { "prod": 487, "dev": 819, "optional": 58, "peer": 32, "peerOptional": 0, "total": 1328 } } }