lcbp3/backend/npm-audit-backend.json
690419:1831 feat: update CI/CD to use SSH key authentication #05
2026-04-19 18:31:30 +07:00

{
"auditReportVersion": 2,
"vulnerabilities": {
"@angular-devkit/core": {
"name": "@angular-devkit/core",
"severity": "moderate",
"isDirect": false,
"via": [
"ajv",
"picomatch"
],
"effects": [
"@angular-devkit/schematics",
"@angular-devkit/schematics-cli",
"@nestjs/cli",
"@nestjs/schematics"
],
"range": "12.0.0-next.0 - 19.2.22 || 20.0.0-next.0 - 20.3.21 || 21.0.0-next.0 - 21.2.4 || 22.0.0-next.0 - 22.0.0-next.3",
"nodes": [
"node_modules/@angular-devkit/core",
"node_modules/@compodoc/compodoc/node_modules/@angular-devkit/core",
"node_modules/@nestjs/schematics/node_modules/@angular-devkit/core"
],
"fixAvailable": {
"name": "@compodoc/compodoc",
"version": "1.1.23",
"isSemVerMajor": true
}
},
"@angular-devkit/schematics": {
"name": "@angular-devkit/schematics",
"severity": "moderate",
"isDirect": false,
"via": [
"@angular-devkit/core"
],
"effects": [
"@compodoc/compodoc"
],
"range": "17.2.0-next.0 - 19.2.22 || 20.0.0-next.0 - 20.3.21 || 21.0.0-next.0 - 21.2.4 || 22.0.0-next.0 - 22.0.0-next.3",
"nodes": [
"node_modules/@angular-devkit/schematics",
"node_modules/@compodoc/compodoc/node_modules/@angular-devkit/schematics",
"node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics"
],
"fixAvailable": {
"name": "@compodoc/compodoc",
"version": "1.1.23",
"isSemVerMajor": true
}
},
"@angular-devkit/schematics-cli": {
"name": "@angular-devkit/schematics-cli",
"severity": "moderate",
"isDirect": false,
"via": [
"@angular-devkit/core",
"@angular-devkit/schematics"
],
"effects": [],
"range": "17.2.0-next.0 - 19.2.22 || 20.0.0-next.0 - 20.3.21 || 21.0.0-next.0 - 21.2.4 || 22.0.0-next.0 - 22.0.0-next.3",
"nodes": [
"node_modules/@angular-devkit/schematics-cli"
],
"fixAvailable": true
},
"@aws-sdk/client-sesv2": {
"name": "@aws-sdk/client-sesv2",
"severity": "high",
"isDirect": false,
"via": [
"@aws-sdk/core",
"@aws-sdk/credential-provider-node",
"@aws-sdk/middleware-user-agent",
"@aws-sdk/signature-v4-multi-region",
"@aws-sdk/util-user-agent-node"
],
"effects": [],
"range": "3.894.0 - 3.978.0",
"nodes": [
"node_modules/@aws-sdk/client-sesv2"
],
"fixAvailable": true
},
"@aws-sdk/client-sso": {
"name": "@aws-sdk/client-sso",
"severity": "high",
"isDirect": false,
"via": [
"@aws-sdk/core",
"@aws-sdk/middleware-user-agent",
"@aws-sdk/util-user-agent-node"
],
"effects": [],
"range": "3.894.0 - 3.972.0",
"nodes": [
"node_modules/@aws-sdk/client-sso"
],
"fixAvailable": true
},
"@aws-sdk/core": {
"name": "@aws-sdk/core",
"severity": "high",
"isDirect": false,
"via": [
"@aws-sdk/xml-builder"
],
"effects": [
"@aws-sdk/client-sesv2",
"@aws-sdk/client-sso",
"@aws-sdk/credential-provider-env",
"@aws-sdk/credential-provider-http",
"@aws-sdk/credential-provider-ini",
"@aws-sdk/credential-provider-login",
"@aws-sdk/credential-provider-process",
"@aws-sdk/credential-provider-sso",
"@aws-sdk/credential-provider-web-identity",
"@aws-sdk/middleware-sdk-s3",
"@aws-sdk/middleware-user-agent",
"@aws-sdk/nested-clients",
"@aws-sdk/token-providers"
],
"range": "3.894.0 - 3.972.0",
"nodes": [
"node_modules/@aws-sdk/core"
],
"fixAvailable": true
},
"@aws-sdk/credential-provider-env": {
"name": "@aws-sdk/credential-provider-env",
"severity": "high",
"isDirect": false,
"via": [
"@aws-sdk/core"
],
"effects": [],
"range": "3.894.0 - 3.972.0",
"nodes": [
"node_modules/@aws-sdk/credential-provider-env"
],
"fixAvailable": true
},
"@aws-sdk/credential-provider-http": {
"name": "@aws-sdk/credential-provider-http",
"severity": "high",
"isDirect": false,
"via": [
"@aws-sdk/core"
],
"effects": [
"@aws-sdk/credential-provider-node"
],
"range": "3.894.0 - 3.972.0",
"nodes": [
"node_modules/@aws-sdk/credential-provider-http"
],
"fixAvailable": true
},
"@aws-sdk/credential-provider-ini": {
"name": "@aws-sdk/credential-provider-ini",
"severity": "high",
"isDirect": false,
"via": [
"@aws-sdk/core",
"@aws-sdk/credential-provider-env",
"@aws-sdk/credential-provider-http",
"@aws-sdk/credential-provider-login",
"@aws-sdk/credential-provider-process",
"@aws-sdk/credential-provider-sso",
"@aws-sdk/credential-provider-web-identity",
"@aws-sdk/nested-clients"
],
"effects": [],
"range": "3.894.0 - 3.972.0",
"nodes": [
"node_modules/@aws-sdk/credential-provider-ini"
],
"fixAvailable": true
},
"@aws-sdk/credential-provider-login": {
"name": "@aws-sdk/credential-provider-login",
"severity": "high",
"isDirect": false,
"via": [
"@aws-sdk/core",
"@aws-sdk/nested-clients"
],
"effects": [
"@aws-sdk/credential-provider-ini"
],
"range": "<=3.972.0",
"nodes": [
"node_modules/@aws-sdk/credential-provider-login"
],
"fixAvailable": true
},
"@aws-sdk/credential-provider-node": {
"name": "@aws-sdk/credential-provider-node",
"severity": "high",
"isDirect": false,
"via": [
"@aws-sdk/credential-provider-env",
"@aws-sdk/credential-provider-http",
"@aws-sdk/credential-provider-ini",
"@aws-sdk/credential-provider-process",
"@aws-sdk/credential-provider-sso",
"@aws-sdk/credential-provider-web-identity"
],
"effects": [],
"range": "3.894.0 - 3.972.0",
"nodes": [
"node_modules/@aws-sdk/credential-provider-node"
],
"fixAvailable": true
},
"@aws-sdk/credential-provider-process": {
"name": "@aws-sdk/credential-provider-process",
"severity": "high",
"isDirect": false,
"via": [
"@aws-sdk/core"
],
"effects": [],
"range": "3.894.0 - 3.972.0",
"nodes": [
"node_modules/@aws-sdk/credential-provider-process"
],
"fixAvailable": true
},
"@aws-sdk/credential-provider-sso": {
"name": "@aws-sdk/credential-provider-sso",
"severity": "high",
"isDirect": false,
"via": [
"@aws-sdk/client-sso",
"@aws-sdk/core",
"@aws-sdk/token-providers"
],
"effects": [],
"range": "3.894.0 - 3.972.0",
"nodes": [
"node_modules/@aws-sdk/credential-provider-sso"
],
"fixAvailable": true
},
"@aws-sdk/credential-provider-web-identity": {
"name": "@aws-sdk/credential-provider-web-identity",
"severity": "high",
"isDirect": false,
"via": [
"@aws-sdk/core",
"@aws-sdk/nested-clients"
],
"effects": [],
"range": "3.894.0 - 3.972.0",
"nodes": [
"node_modules/@aws-sdk/credential-provider-web-identity"
],
"fixAvailable": true
},
"@aws-sdk/middleware-sdk-s3": {
"name": "@aws-sdk/middleware-sdk-s3",
"severity": "high",
"isDirect": false,
"via": [
"@aws-sdk/core"
],
"effects": [
"@aws-sdk/signature-v4-multi-region"
],
"range": "3.894.0 - 3.972.0",
"nodes": [
"node_modules/@aws-sdk/middleware-sdk-s3"
],
"fixAvailable": true
},
"@aws-sdk/middleware-user-agent": {
"name": "@aws-sdk/middleware-user-agent",
"severity": "high",
"isDirect": false,
"via": [
"@aws-sdk/core"
],
"effects": [
"@aws-sdk/util-user-agent-node"
],
"range": "3.894.0 - 3.972.0",
"nodes": [
"node_modules/@aws-sdk/middleware-user-agent"
],
"fixAvailable": true
},
"@aws-sdk/nested-clients": {
"name": "@aws-sdk/nested-clients",
"severity": "high",
"isDirect": false,
"via": [
"@aws-sdk/core",
"@aws-sdk/middleware-user-agent",
"@aws-sdk/util-user-agent-node"
],
"effects": [],
"range": "3.894.0 - 3.972.0",
"nodes": [
"node_modules/@aws-sdk/nested-clients"
],
"fixAvailable": true
},
"@aws-sdk/signature-v4-multi-region": {
"name": "@aws-sdk/signature-v4-multi-region",
"severity": "high",
"isDirect": false,
"via": [
"@aws-sdk/middleware-sdk-s3"
],
"effects": [
"@aws-sdk/client-sesv2"
],
"range": "3.894.0 - 3.972.0",
"nodes": [
"node_modules/@aws-sdk/signature-v4-multi-region"
],
"fixAvailable": true
},
"@aws-sdk/token-providers": {
"name": "@aws-sdk/token-providers",
"severity": "high",
"isDirect": false,
"via": [
"@aws-sdk/core",
"@aws-sdk/nested-clients"
],
"effects": [],
"range": "3.894.0 - 3.972.0",
"nodes": [
"node_modules/@aws-sdk/token-providers"
],
"fixAvailable": true
},
"@aws-sdk/util-user-agent-node": {
"name": "@aws-sdk/util-user-agent-node",
"severity": "high",
"isDirect": false,
"via": [
"@aws-sdk/middleware-user-agent"
],
"effects": [],
"range": "3.894.0 - 3.972.0",
"nodes": [
"node_modules/@aws-sdk/util-user-agent-node"
],
"fixAvailable": true
},
"@aws-sdk/xml-builder": {
"name": "@aws-sdk/xml-builder",
"severity": "high",
"isDirect": false,
"via": [
"fast-xml-parser"
],
"effects": [
"@aws-sdk/core"
],
"range": "3.894.0 - 3.972.2",
"nodes": [
"node_modules/@aws-sdk/xml-builder"
],
"fixAvailable": true
},
"@casl/ability": {
"name": "@casl/ability",
"severity": "critical",
"isDirect": true,
"via": [
{
"source": 1113148,
"name": "@casl/ability",
"dependency": "@casl/ability",
"title": "CASL Ability is Vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-x9vf-53q3-cvx6",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=2.4.0 <=6.7.4"
}
],
"effects": [],
"range": "2.4.0 - 6.7.3",
"nodes": [
"node_modules/@casl/ability"
],
"fixAvailable": true
},
"@compodoc/compodoc": {
"name": "@compodoc/compodoc",
"severity": "moderate",
"isDirect": true,
"via": [
"@angular-devkit/schematics"
],
"effects": [],
"range": ">=1.1.24",
"nodes": [
"node_modules/@compodoc/compodoc"
],
"fixAvailable": {
"name": "@compodoc/compodoc",
"version": "1.1.23",
"isSemVerMajor": true
}
},
"@elastic/elasticsearch": {
"name": "@elastic/elasticsearch",
"severity": "moderate",
"isDirect": true,
"via": [
"@elastic/transport"
],
"effects": [],
"range": "8.0.0-alpha.0 - 8.0.0-beta.1 || 8.6.1 || 8.7.3 || 8.8.2 || 8.9.2 || 8.10.1 || 8.11.1 || 8.12.3 || 8.13.1",
"nodes": [
"node_modules/@elastic/elasticsearch"
],
"fixAvailable": true
},
"@elastic/transport": {
"name": "@elastic/transport",
"severity": "moderate",
"isDirect": false,
"via": [
"undici"
],
"effects": [
"@elastic/elasticsearch"
],
"range": "<=8.4.1",
"nodes": [
"node_modules/@elastic/transport"
],
"fixAvailable": true
},
"@isaacs/brace-expansion": {
"name": "@isaacs/brace-expansion",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1112954,
"name": "@isaacs/brace-expansion",
"dependency": "@isaacs/brace-expansion",
"title": "@isaacs/brace-expansion has Uncontrolled Resource Consumption",
"url": "https://github.com/advisories/GHSA-7h2j-956f-4vf2",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=5.0.0"
}
],
"effects": [],
"range": "5.0.0",
"nodes": [
"node_modules/@isaacs/brace-expansion"
],
"fixAvailable": true
},
"@nestjs-modules/ioredis": {
"name": "@nestjs-modules/ioredis",
"severity": "moderate",
"isDirect": true,
"via": [
"@nestjs/terminus"
],
"effects": [],
"range": "1.2.0 - 2.0.2",
"nodes": [
"node_modules/@nestjs-modules/ioredis"
],
"fixAvailable": true
},
"@nestjs/cli": {
"name": "@nestjs/cli",
"severity": "moderate",
"isDirect": true,
"via": [
"@angular-devkit/core",
"@angular-devkit/schematics",
"@angular-devkit/schematics-cli",
"webpack"
],
"effects": [],
"range": "8.1.3 - 11.0.17 || >=12.0.0-alpha.0",
"nodes": [
"node_modules/@nestjs/cli"
],
"fixAvailable": true
},
"@nestjs/common": {
"name": "@nestjs/common",
"severity": "moderate",
"isDirect": true,
"via": [
"file-type"
],
"effects": [],
"range": "10.4.16 - 10.4.22 || 11.0.16 - 11.1.16 || >=12.0.0-alpha.0",
"nodes": [
"node_modules/@nestjs/common"
],
"fixAvailable": true
},
"@nestjs/config": {
"name": "@nestjs/config",
"severity": "moderate",
"isDirect": true,
"via": [
"lodash"
],
"effects": [],
"range": "1.1.6 - 4.0.2",
"nodes": [
"node_modules/@nestjs/config"
],
"fixAvailable": true
},
"@nestjs/core": {
"name": "@nestjs/core",
"severity": "high",
"isDirect": true,
"via": [
{
"source": 1116226,
"name": "@nestjs/core",
"dependency": "@nestjs/core",
"title": "@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')",
"url": "https://github.com/advisories/GHSA-36xv-jgw5-4q75",
"severity": "moderate",
"cwe": [
"CWE-74"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=11.1.17"
},
"path-to-regexp"
],
"effects": [
"@nestjs/terminus",
"@nestjs/typeorm"
],
"range": "<=11.1.17 || >=12.0.0-alpha.0",
"nodes": [
"node_modules/@nestjs/core"
],
"fixAvailable": true
},
"@nestjs/platform-express": {
"name": "@nestjs/platform-express",
"severity": "high",
"isDirect": true,
"via": [
"multer",
"path-to-regexp"
],
"effects": [],
"range": "<=11.1.17 || >=12.0.0-alpha.0",
"nodes": [
"node_modules/@nestjs/platform-express"
],
"fixAvailable": true
},
"@nestjs/schematics": {
"name": "@nestjs/schematics",
"severity": "moderate",
"isDirect": true,
"via": [
"@angular-devkit/core",
"@angular-devkit/schematics"
],
"effects": [],
"range": "10.1.2 - 11.0.9 || >=12.0.0-alpha.0",
"nodes": [
"node_modules/@nestjs/schematics"
],
"fixAvailable": true
},
"@nestjs/swagger": {
"name": "@nestjs/swagger",
"severity": "high",
"isDirect": true,
"via": [
"lodash",
"path-to-regexp"
],
"effects": [],
"range": "1.1.0 - 1.1.4 || 3.0.1 - 11.2.6",
"nodes": [
"node_modules/@nestjs/swagger"
],
"fixAvailable": true
},
"@nestjs/terminus": {
"name": "@nestjs/terminus",
"severity": "moderate",
"isDirect": false,
"via": [
"@nestjs/core",
"@nestjs/typeorm"
],
"effects": [
"@nestjs-modules/ioredis"
],
"range": "<=10.3.0",
"nodes": [
"node_modules/@nestjs-modules/ioredis/node_modules/@nestjs/terminus"
],
"fixAvailable": true
},
"@nestjs/typeorm": {
"name": "@nestjs/typeorm",
"severity": "moderate",
"isDirect": false,
"via": [
"@nestjs/core"
],
"effects": [
"@nestjs/terminus"
],
"range": "5.1.0 - 10.0.2",
"nodes": [
"node_modules/@nestjs-modules/ioredis/node_modules/@nestjs/typeorm"
],
"fixAvailable": true
},
"ajv": {
"name": "ajv",
"severity": "moderate",
"isDirect": true,
"via": [
{
"source": 1113714,
"name": "ajv",
"dependency": "ajv",
"title": "ajv has ReDoS when using `$data` option",
"url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<6.14.0"
},
{
"source": 1113715,
"name": "ajv",
"dependency": "ajv",
"title": "ajv has ReDoS when using `$data` option",
"url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=7.0.0-alpha.0 <8.18.0"
}
],
"effects": [
"@angular-devkit/core"
],
"range": "<6.14.0 || >=7.0.0-alpha.0 <8.18.0",
"nodes": [
"node_modules/@eslint/eslintrc/node_modules/ajv",
"node_modules/ajv",
"node_modules/eslint/node_modules/ajv",
"node_modules/schema-utils/node_modules/ajv"
],
"fixAvailable": {
"name": "@compodoc/compodoc",
"version": "1.1.23",
"isSemVerMajor": true
}
},
"axios": {
"name": "axios",
"severity": "high",
"isDirect": true,
"via": [
{
"source": 1113275,
"name": "axios",
"dependency": "axios",
"title": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig",
"url": "https://github.com/advisories/GHSA-43fc-jf86-j433",
"severity": "high",
"cwe": [
"CWE-754"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=1.0.0 <=1.13.4"
},
{
"source": 1116673,
"name": "axios",
"dependency": "axios",
"title": "Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF",
"url": "https://github.com/advisories/GHSA-3p68-rc4w-qgx5",
"severity": "moderate",
"cwe": [
"CWE-441",
"CWE-918"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": ">=1.0.0 <1.15.0"
},
{
"source": 1116675,
"name": "axios",
"dependency": "axios",
"title": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain",
"url": "https://github.com/advisories/GHSA-fvcv-3m26-pcqx",
"severity": "moderate",
"cwe": [
"CWE-113",
"CWE-444",
"CWE-918"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": ">=1.0.0 <1.15.0"
}
],
"effects": [],
"range": "1.0.0 - 1.14.0",
"nodes": [
"node_modules/axios"
],
"fixAvailable": true
},
"body-parser": {
"name": "body-parser",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1110858,
"name": "body-parser",
"dependency": "body-parser",
"title": "body-parser is vulnerable to denial of service when url encoding is used",
"url": "https://github.com/advisories/GHSA-wqch-xfxh-vrr4",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=2.2.0 <2.2.1"
}
],
"effects": [],
"range": "2.2.0",
"nodes": [
"node_modules/body-parser"
],
"fixAvailable": true
},
"brace-expansion": {
"name": "brace-expansion",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1115540,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": "<1.1.13"
},
{
"source": 1115541,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": ">=2.0.0 <2.0.3"
}
],
"effects": [],
"range": "<1.1.13 || >=2.0.0 <2.0.3",
"nodes": [
"node_modules/@jest/reporters/node_modules/brace-expansion",
"node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion",
"node_modules/brace-expansion",
"node_modules/jest-config/node_modules/brace-expansion",
"node_modules/jest-runtime/node_modules/brace-expansion",
"node_modules/typeorm/node_modules/brace-expansion"
],
"fixAvailable": true
},
"diff": {
"name": "diff",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1112704,
"name": "diff",
"dependency": "diff",
"title": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch",
"url": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx",
"severity": "low",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=4.0.0 <4.0.4"
}
],
"effects": [],
"range": "4.0.0 - 4.0.3",
"nodes": [
"node_modules/diff"
],
"fixAvailable": true
},
"fast-xml-parser": {
"name": "fast-xml-parser",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1113153,
"name": "fast-xml-parser",
"dependency": "fast-xml-parser",
"title": "fast-xml-parser has RangeError DoS Numeric Entities Bug",
"url": "https://github.com/advisories/GHSA-37qj-frw5-hhjh",
"severity": "high",
"cwe": [
"CWE-20",
"CWE-248"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=5.0.9 <=5.3.3"
},
{
"source": 1113568,
"name": "fast-xml-parser",
"dependency": "fast-xml-parser",
"title": "fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names",
"url": "https://github.com/advisories/GHSA-m7jm-9gc2-mpf2",
"severity": "critical",
"cwe": [
"CWE-185"
],
"cvss": {
"score": 9.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N"
},
"range": ">=5.0.0 <5.3.5"
},
{
"source": 1113569,
"name": "fast-xml-parser",
"dependency": "fast-xml-parser",
"title": "fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)",
"url": "https://github.com/advisories/GHSA-jmr7-xgp7-cmfj",
"severity": "high",
"cwe": [
"CWE-776"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=5.0.0 <5.3.6"
},
{
"source": 1114153,
"name": "fast-xml-parser",
"dependency": "fast-xml-parser",
"title": "fast-xml-parser has stack overflow in XMLBuilder with preserveOrder",
"url": "https://github.com/advisories/GHSA-fj3w-jwp8-x2g3",
"severity": "low",
"cwe": [
"CWE-120"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=5.0.0 <5.3.8"
},
{
"source": 1115339,
"name": "fast-xml-parser",
"dependency": "fast-xml-parser",
"title": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)",
"url": "https://github.com/advisories/GHSA-8gc5-j5rx-235r",
"severity": "high",
"cwe": [
"CWE-776"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=5.0.0 <5.5.6"
},
{
"source": 1116307,
"name": "fast-xml-parser",
"dependency": "fast-xml-parser",
"title": "Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser",
"url": "https://github.com/advisories/GHSA-jp2q-39xq-3w4g",
"severity": "moderate",
"cwe": [
"CWE-1284"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=5.0.0 <5.5.7"
}
],
"effects": [
"@aws-sdk/xml-builder"
],
"range": "5.0.0 - 5.5.6",
"nodes": [
"node_modules/fast-xml-parser"
],
"fixAvailable": true
},
"file-type": {
"name": "file-type",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1114301,
"name": "file-type",
"dependency": "file-type",
"title": "file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header",
"url": "https://github.com/advisories/GHSA-5v7r-6r5c-r473",
"severity": "moderate",
"cwe": [
"CWE-835"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=13.0.0 <21.3.1"
},
{
"source": 1114726,
"name": "file-type",
"dependency": "file-type",
"title": "file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry",
"url": "https://github.com/advisories/GHSA-j47w-4g3g-c36v",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-409"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=20.0.0 <=21.3.1"
}
],
"effects": [
"@nestjs/common"
],
"range": "13.0.0 - 21.3.1",
"nodes": [
"node_modules/file-type"
],
"fixAvailable": true
},
"flatted": {
"name": "flatted",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1114526,
"name": "flatted",
"dependency": "flatted",
"title": "flatted vulnerable to unbounded recursion DoS in parse() revive phase",
"url": "https://github.com/advisories/GHSA-25h7-pfq9-p65f",
"severity": "high",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.4.0"
},
{
"source": 1115357,
"name": "flatted",
"dependency": "flatted",
"title": "Prototype Pollution via parse() in NodeJS flatted",
"url": "https://github.com/advisories/GHSA-rf6f-7fwh-wjgh",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.4.1"
}
],
"effects": [],
"range": "<=3.4.1",
"nodes": [
"node_modules/flatted"
],
"fixAvailable": true
},
"follow-redirects": {
"name": "follow-redirects",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1116560,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets",
"url": "https://github.com/advisories/GHSA-r4q5-vmmm-2653",
"severity": "moderate",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=1.15.11"
}
],
"effects": [],
"range": "<=1.15.11",
"nodes": [
"node_modules/follow-redirects"
],
"fixAvailable": true
},
"handlebars": {
"name": "handlebars",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1115538,
"name": "handlebars",
"dependency": "handlebars",
"title": "Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block",
"url": "https://github.com/advisories/GHSA-3mfm-83xf-c92r",
"severity": "high",
"cwe": [
"CWE-94",
"CWE-843"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=4.0.0 <=4.7.8"
},
{
"source": 1115539,
"name": "handlebars",
"dependency": "handlebars",
"title": "Handlebars.js has JavaScript Injection via AST Type Confusion",
"url": "https://github.com/advisories/GHSA-2w6w-674q-4c4q",
"severity": "critical",
"cwe": [
"CWE-94",
"CWE-843"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=4.0.0 <=4.7.8"
},
{
"source": 1115544,
"name": "handlebars",
"dependency": "handlebars",
"title": "Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection",
"url": "https://github.com/advisories/GHSA-2qvq-rjwj-gvw9",
"severity": "moderate",
"cwe": [
"CWE-79",
"CWE-1321"
],
"cvss": {
"score": 4.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": ">=4.0.0 <4.7.9"
},
{
"source": 1115588,
"name": "handlebars",
"dependency": "handlebars",
"title": "Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry",
"url": "https://github.com/advisories/GHSA-7rx3-28cr-v5wh",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": ">=4.6.0 <=4.7.8"
},
{
"source": 1115589,
"name": "handlebars",
"dependency": "handlebars",
"title": "Handlebars.js has a Property Access Validation Bypass in container.lookup",
"url": "https://github.com/advisories/GHSA-442j-39wm-28r2",
"severity": "low",
"cwe": [
"CWE-367"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
"range": ">=4.0.0 <=4.7.8"
},
{
"source": 1115692,
"name": "handlebars",
"dependency": "handlebars",
"title": "Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options",
"url": "https://github.com/advisories/GHSA-xjpj-3mr7-gcpf",
"severity": "high",
"cwe": [
"CWE-79",
"CWE-94",
"CWE-116"
],
"cvss": {
"score": 8.3,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"
},
"range": ">=4.0.0 <=4.7.8"
},
{
"source": 1115693,
"name": "handlebars",
"dependency": "handlebars",
"title": "Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial",
"url": "https://github.com/advisories/GHSA-xhpv-hc6g-r9c6",
"severity": "high",
"cwe": [
"CWE-94",
"CWE-843"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=4.0.0 <=4.7.8"
},
{
"source": 1115694,
"name": "handlebars",
"dependency": "handlebars",
"title": "Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation",
"url": "https://github.com/advisories/GHSA-9cx6-37pm-9jff",
"severity": "high",
"cwe": [
"CWE-754"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=4.0.0 <=4.7.8"
}
],
"effects": [],
"range": "4.0.0 - 4.7.8",
"nodes": [
"node_modules/handlebars"
],
"fixAvailable": true
},
"jws": {
"name": "jws",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1111244,
"name": "jws",
"dependency": "jws",
"title": "auth0/node-jws Improperly Verifies HMAC Signature",
"url": "https://github.com/advisories/GHSA-869p-cjfg-cm3x",
"severity": "high",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<3.2.3"
}
],
"effects": [],
"range": "<3.2.3",
"nodes": [
"node_modules/jws"
],
"fixAvailable": true
},
"lodash": {
"name": "lodash",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1112455,
"name": "lodash",
"dependency": "lodash",
"title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
"url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": ">=4.0.0 <=4.17.22"
},
{
"source": 1115806,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Code Injection via `_.template` imports key names",
"url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc",
"severity": "high",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=4.0.0 <=4.17.23"
},
{
"source": 1115810,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
"url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": "<=4.17.23"
}
],
"effects": [
"@nestjs/config",
"@nestjs/swagger"
],
"range": "<=4.17.23",
"nodes": [
"node_modules/lodash"
],
"fixAvailable": true
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
},
{
"source": 1113465,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=9.0.0 <9.0.6"
},
{
"source": 1113466,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=10.0.0 <10.2.1"
},
{
"source": 1113538,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.3"
},
{
"source": 1113544,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=9.0.0 <9.0.7"
},
{
"source": 1113545,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=10.0.0 <10.2.3"
},
{
"source": 1113546,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.4"
},
{
"source": 1113552,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=9.0.0 <9.0.7"
},
{
"source": 1113553,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=10.0.0 <10.2.3"
}
],
"effects": [],
"range": "<=3.1.3 || 9.0.0 - 9.0.6 || 10.0.0 - 10.2.2",
"nodes": [
"node_modules/@compodoc/compodoc/node_modules/minimatch",
"node_modules/@jest/reporters/node_modules/minimatch",
"node_modules/@ts-morph/common/node_modules/minimatch",
"node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch",
"node_modules/glob/node_modules/minimatch",
"node_modules/jest-config/node_modules/minimatch",
"node_modules/jest-runtime/node_modules/minimatch",
"node_modules/minimatch",
"node_modules/typeorm/node_modules/minimatch"
],
"fixAvailable": true
},
"multer": {
"name": "multer",
"severity": "high",
"isDirect": true,
"via": [
{
"source": 1113635,
"name": "multer",
"dependency": "multer",
"title": "Multer vulnerable to Denial of Service via incomplete cleanup",
"url": "https://github.com/advisories/GHSA-xf7r-hgr6-v32p",
"severity": "high",
"cwe": [
"CWE-459"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<2.1.0"
},
{
"source": 1113636,
"name": "multer",
"dependency": "multer",
"title": "Multer vulnerable to Denial of Service via resource exhaustion",
"url": "https://github.com/advisories/GHSA-v52c-386h-88mc",
"severity": "high",
"cwe": [
"CWE-772"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<2.1.0"
},
{
"source": 1113996,
"name": "multer",
"dependency": "multer",
"title": "Multer Vulnerable to Denial of Service via Uncontrolled Recursion",
"url": "https://github.com/advisories/GHSA-5528-5vmv-3xc2",
"severity": "high",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<2.1.1"
}
],
"effects": [
"@nestjs/platform-express"
],
"range": "<=2.1.0",
"nodes": [
"node_modules/multer"
],
"fixAvailable": true
},
"nodemailer": {
"name": "nodemailer",
"severity": "high",
"isDirect": true,
"via": [
{
"source": 1113165,
"name": "nodemailer",
"dependency": "nodemailer",
"title": "Nodemailers addressparser is vulnerable to DoS caused by recursive calls",
"url": "https://github.com/advisories/GHSA-rcmh-qjqh-p98v",
"severity": "high",
"cwe": [
"CWE-703"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=7.0.10"
},
{
"source": 1115470,
"name": "nodemailer",
"dependency": "nodemailer",
"title": "Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter",
"url": "https://github.com/advisories/GHSA-c7w3-x93f-qmm8",
"severity": "low",
"cwe": [
"CWE-93"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<8.0.4"
},
{
"source": 1116270,
"name": "nodemailer",
"dependency": "nodemailer",
"title": "Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO) ",
"url": "https://github.com/advisories/GHSA-vvjj-xcjg-gr5g",
"severity": "moderate",
"cwe": [
"CWE-93"
],
"cvss": {
"score": 4.9,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=8.0.4"
}
],
"effects": [],
"range": "<=8.0.4",
"nodes": [
"node_modules/nodemailer"
],
"fixAvailable": true
},
"path-to-regexp": {
"name": "path-to-regexp",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115573,
"name": "path-to-regexp",
"dependency": "path-to-regexp",
"title": "path-to-regexp vulnerable to Denial of Service via sequential optional groups",
"url": "https://github.com/advisories/GHSA-j3q9-mxjg-w52f",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=8.0.0 <8.4.0"
},
{
"source": 1115582,
"name": "path-to-regexp",
"dependency": "path-to-regexp",
"title": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards",
"url": "https://github.com/advisories/GHSA-27v5-c462-wpq7",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=8.0.0 <8.4.0"
}
],
"effects": [
"@nestjs/core",
"@nestjs/platform-express",
"@nestjs/swagger"
],
"range": "8.0.0 - 8.3.0",
"nodes": [
"node_modules/path-to-regexp"
],
"fixAvailable": true
},
"picomatch": {
"name": "picomatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115549,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<2.3.2"
},
{
"source": 1115551,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": ">=4.0.0 <4.0.4"
},
{
"source": 1115552,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
"url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<2.3.2"
},
{
"source": 1115554,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
"url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=4.0.0 <4.0.4"
}
],
"effects": [
"@angular-devkit/core"
],
"range": "<=2.3.1 || 4.0.0 - 4.0.3",
"nodes": [
"node_modules/@compodoc/compodoc/node_modules/picomatch",
"node_modules/@compodoc/live-server/node_modules/picomatch",
"node_modules/anymatch/node_modules/picomatch",
"node_modules/micromatch/node_modules/picomatch",
"node_modules/picomatch",
"node_modules/tinyglobby/node_modules/picomatch"
],
"fixAvailable": {
"name": "@compodoc/compodoc",
"version": "1.1.23",
"isSemVerMajor": true
}
},
"qs": {
"name": "qs",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1113161,
"name": "qs",
"dependency": "qs",
"title": "qs's arrayLimit bypass in comma parsing allows denial of service",
"url": "https://github.com/advisories/GHSA-w7fw-mjwx-w883",
"severity": "low",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=6.7.0 <=6.14.1"
},
{
"source": 1113719,
"name": "qs",
"dependency": "qs",
"title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
"url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p",
"severity": "moderate",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<6.14.1"
}
],
"effects": [],
"range": "<=6.14.1",
"nodes": [
"node_modules/qs"
],
"fixAvailable": true
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113686,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"severity": "high",
"cwe": [
"CWE-96"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=7.0.2"
},
{
"source": 1115723,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects",
"url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-834"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<7.0.5"
}
],
"effects": [
"terser-webpack-plugin"
],
"range": "<=7.0.4",
"nodes": [
"node_modules/serialize-javascript"
],
"fixAvailable": true
},
"socket.io-parser": {
"name": "socket.io-parser",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115154,
"name": "socket.io-parser",
"dependency": "socket.io-parser",
"title": "socket.io allows an unbounded number of binary attachments",
"url": "https://github.com/advisories/GHSA-677m-j7p3-52f9",
"severity": "high",
"cwe": [
"CWE-754"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=4.0.0 <4.2.6"
}
],
"effects": [],
"range": "4.0.0 - 4.2.5",
"nodes": [
"node_modules/socket.io-parser"
],
"fixAvailable": true
},
"terser-webpack-plugin": {
"name": "terser-webpack-plugin",
"severity": "high",
"isDirect": false,
"via": [
"serialize-javascript"
],
"effects": [],
"range": "<=5.3.16",
"nodes": [
"node_modules/terser-webpack-plugin"
],
"fixAvailable": true
},
"undici": {
"name": "undici",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1112496,
"name": "undici",
"dependency": "undici",
"title": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion",
"url": "https://github.com/advisories/GHSA-g9mf-h72j-4rw9",
"severity": "moderate",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<6.23.0"
},
{
"source": 1112497,
"name": "undici",
"dependency": "undici",
"title": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion",
"url": "https://github.com/advisories/GHSA-g9mf-h72j-4rw9",
"severity": "moderate",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <7.18.2"
},
{
"source": 1114591,
"name": "undici",
"dependency": "undici",
"title": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
"url": "https://github.com/advisories/GHSA-f269-vfmq-vjvj",
"severity": "high",
"cwe": [
"CWE-248",
"CWE-1284"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <7.24.0"
},
{
"source": 1114593,
"name": "undici",
"dependency": "undici",
"title": "Undici has an HTTP Request/Response Smuggling issue",
"url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm",
"severity": "moderate",
"cwe": [
"CWE-444"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": ">=7.0.0 <7.24.0"
},
{
"source": 1114594,
"name": "undici",
"dependency": "undici",
"title": "Undici has an HTTP Request/Response Smuggling issue",
"url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm",
"severity": "moderate",
"cwe": [
"CWE-444"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": "<6.24.0"
},
{
"source": 1114637,
"name": "undici",
"dependency": "undici",
"title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression",
"url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q",
"severity": "high",
"cwe": [
"CWE-409"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <7.24.0"
},
{
"source": 1114638,
"name": "undici",
"dependency": "undici",
"title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression",
"url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q",
"severity": "high",
"cwe": [
"CWE-409"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<6.24.0"
},
{
"source": 1114639,
"name": "undici",
"dependency": "undici",
"title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation",
"url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8",
"severity": "high",
"cwe": [
"CWE-248"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <7.24.0"
},
{
"source": 1114640,
"name": "undici",
"dependency": "undici",
"title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation",
"url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8",
"severity": "high",
"cwe": [
"CWE-248"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<6.24.0"
},
{
"source": 1114641,
"name": "undici",
"dependency": "undici",
"title": "Undici has CRLF Injection in undici via `upgrade` option",
"url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq",
"severity": "moderate",
"cwe": [
"CWE-93"
],
"cvss": {
"score": 4.6,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
},
"range": ">=7.0.0 <7.24.0"
},
{
"source": 1114642,
"name": "undici",
"dependency": "undici",
"title": "Undici has CRLF Injection in undici via `upgrade` option",
"url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq",
"severity": "moderate",
"cwe": [
"CWE-93"
],
"cvss": {
"score": 4.6,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
},
"range": "<6.24.0"
}
],
"effects": [
"@elastic/transport"
],
"range": "<=6.23.0 || 7.0.0 - 7.23.0",
"nodes": [
"node_modules/cheerio/node_modules/undici",
"node_modules/undici"
],
"fixAvailable": true
},
"webpack": {
"name": "webpack",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1113041,
"name": "webpack",
"dependency": "webpack",
"title": "webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior",
"url": "https://github.com/advisories/GHSA-8fgc-7cc6-rx7x",
"severity": "low",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
},
"range": ">=5.49.0 <=5.104.0"
},
{
"source": 1113042,
"name": "webpack",
"dependency": "webpack",
"title": "webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence",
"url": "https://github.com/advisories/GHSA-38r7-794h-5758",
"severity": "low",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
},
"range": ">=5.49.0 <5.104.0"
}
],
"effects": [
"@nestjs/cli"
],
"range": "5.49.0 - 5.104.0",
"nodes": [
"node_modules/@nestjs/cli/node_modules/webpack",
"node_modules/webpack"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 2,
"moderate": 19,
"high": 35,
"critical": 3,
"total": 59
},
"dependencies": {
"prod": 487,
"dev": 819,
"optional": 58,
"peer": 32,
"peerOptional": 0,
"total": 1328
}
}
}