This repository was archived by the owner on Mar 6, 2025. It is now read-only.

src/backend NPM Vulnerability Report #2048

@github-actions

NPM Vulnerability Report - Tuesday, September 17th, 2024

NPM packages have been checked for vulnerabilities using npm audit.

Highest severity: HIGH

⚠️ - 1 LOW severity vulnerability.
⚠️ - 8 MODERATE severity vulnerabilities.
⚠️ - 10 HIGH severity vulnerabilities.
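The counts above are per package, not per advisory (elliptic carries three advisories below but is counted once under LOW). What follows is an added example, not code from the bot that generated this report: it reads the JSON that `npm audit --json` emits (auditReportVersion 2, npm 7 and later), produces the same per-package counts, splits each entry's `via` into root-cause advisories and intermediate packages, walks `effects` up to the direct dependencies in package.json, and flags fixes that a plain `npm audit fix` will not apply because they are semver-major. SAMPLE_AUDIT is hand-constructed from five entries on this page (body-parser, express, @nestjs/platform-express, ws, puppeteer); it is not a real audit run, and advisory ids and URLs are left out rather than invented.

```javascript
// Added example (not the report bot's own code): summarise an
// `npm audit --json` report, auditReportVersion 2 as emitted by npm 7+.
// SAMPLE_AUDIT is constructed by hand from five entries on this page; it is
// not a real audit run, and advisory ids/URLs are omitted rather than invented.

const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "body-parser": {
      name: "body-parser", severity: "high", isDirect: false, range: "<1.20.3",
      // An advisory object in `via` is the root cause; a string is another
      // vulnerable package that this one merely depends on.
      via: [{
        name: "body-parser", severity: "high", range: "<1.20.3",
        title: "body-parser vulnerable to denial of service when url encoding is enabled",
        cwe: ["CWE-405"], cvss: { score: 7.5 },
      }],
      effects: ["express", "@nestjs/platform-express"],
      fixAvailable: { name: "express", version: "4.21.0", isSemVerMajor: false },
    },
    express: {
      name: "express", severity: "high", isDirect: true, range: "<=4.19.2",
      via: ["body-parser"], effects: ["@nestjs/platform-express"], fixAvailable: true,
    },
    "@nestjs/platform-express": {
      name: "@nestjs/platform-express", severity: "high", isDirect: true, range: "<=10.4.1",
      via: ["body-parser", "express"], effects: [], fixAvailable: true,
    },
    ws: {
      name: "ws", severity: "high", isDirect: false, range: ">=8.0.0 <8.17.1",
      via: [{
        name: "ws", severity: "high", range: ">=8.0.0 <8.17.1",
        title: "ws affected by a DoS when handling a request with many HTTP headers",
        cwe: ["CWE-476"], cvss: { score: 7.5 },
      }],
      effects: ["puppeteer"],
      fixAvailable: { name: "puppeteer", version: "23.3.1", isSemVerMajor: true },
    },
    puppeteer: {
      name: "puppeteer", severity: "high", isDirect: true, range: "11.0.0 - 18.1.0",
      via: ["ws"], effects: [],
      fixAvailable: { name: "puppeteer", version: "23.3.1", isSemVerMajor: true },
    },
  },
};

// Per-package counts by severity, the numbers in the header of the report above.
function countBySeverity(report) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const entry of Object.values(report.vulnerabilities)) counts[entry.severity] += 1;
  return counts;
}

const advisories = (entry) => entry.via.filter((v) => typeof v === "object");
const viaPackages = (entry) => entry.via.filter((v) => typeof v === "string");

// Follow `effects` upward to the packages listed in package.json. This is the
// "affected direct dependencies" list; cycles are cut with `seen`.
function directDependents(report, name, seen = new Set()) {
  const entry = report.vulnerabilities[name];
  if (!entry || seen.has(name)) return [];
  seen.add(name);
  const out = new Set(entry.isDirect ? [name] : []);
  for (const dependent of entry.effects || []) {
    for (const d of directDependents(report, dependent, seen)) out.add(d);
  }
  return [...out].sort();
}

// What `npm audit fix` will do. A semver-major fix is skipped unless you pass
// --force, so it needs a human decision rather than an automatic bump.
function fixKind(entry) {
  const fix = entry.fixAvailable;
  if (fix === false) return "none";
  if (fix === true) return "in-range";
  return fix.isSemVerMajor
    ? `major bump: ${fix.name}@${fix.version}`
    : `update ${fix.name}@${fix.version}`;
}

function summarize(report) {
  return Object.values(report.vulnerabilities).map((entry) => ({
    name: entry.name,
    severity: entry.severity,
    direct: entry.isDirect,
    advisories: advisories(entry).map(
      (a) => `${a.title} [${a.cwe.join(",")}; CVSS ${a.cvss.score}; ${a.range}]`,
    ),
    via: viaPackages(entry),
    affectsDirect: directDependents(report, entry.name),
    fix: fixKind(entry),
  }));
}

console.log(countBySeverity(SAMPLE_AUDIT));
for (const row of summarize(SAMPLE_AUDIT)) console.log(JSON.stringify(row));
```

To run it against a real project, `npm audit --json > audit.json` and pass the parsed file in place of SAMPLE_AUDIT. The ws entry shows the case to watch for: its only fix is a semver-major bump of puppeteer, so it stays open after a plain `npm audit fix` and has to be scheduled as a deliberate upgrade.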



@nestjs/cli

Severity: moderate
Vulnerable Range: 7.5.1-next.1 || 7.5.2-next.2 - 10.4.4

Via: webpack


Latest Available Version: 10.4.5

This dependency has a fix available, and is a direct dependency in your package.json.
See affected dependencies below:

Update @nestjs/cli to 10.4.5.



@nestjs/core

Severity: high
Vulnerable Range: 5.2.0-next - 5.7.4 || 6.11.0-next.1 - 10.4.1

Via: path-to-regexp


Latest Available Version: 10.4.3

This dependency has a fix available, and is a direct dependency in your package.json.
See affected dependencies below:

Update @nestjs/core to 10.4.3.



@nestjs/platform-express

Severity: high
Vulnerable Range: <=10.4.1

Via: body-parser, express


Latest Available Version: 10.4.3

This dependency has a fix available, and is a direct dependency in your package.json.
See affected dependencies below:

Update @nestjs/platform-express to 10.4.3.



@nestjs/swagger

Severity: high
Vulnerable Range: 2.1.0 - 4.0.0 || 4.1.2 - 7.4.0

Via: path-to-regexp


Latest Available Version: 7.4.2

This dependency has a fix available, and is a direct dependency in your package.json.
See affected dependencies below:

Update @nestjs/swagger to 7.4.2.



axios

Severity: high
Vulnerable Range: 1.3.2 - 1.7.3

Via:

1: Server-Side Request Forgery in axios.

Severity: high
Vulnerable Range: >=1.3.2 <=1.7.3
CVSS Score: 0 / 10
Weaknesses: CWE-918

GitHub Advisory


Latest Available Version: 1.7.7

This dependency has a fix available, but axios is NOT a direct dependency in your package.json.
See affected dependencies below:

  • Direct dependency express may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of express available.

Update from version 4.18.2 to 4.21.0.

  • Direct dependency dotenv may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of dotenv available.

Update from version 16.3.1 to 16.4.5.

  • Direct dependency reflect-metadata may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of reflect-metadata available.

Update from version 0.1.14 to 0.2.2.

  • Direct dependency @nestjs/schematics may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of @nestjs/schematics available.

Update from version 10.0.3 to 10.1.4.

  • Direct dependency source-map-support does NOT have a fix available.

  • Direct dependency tsconfig-paths does NOT have a fix available.

  • Direct dependency typescript may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of typescript available.

Update from version 5.3.3 to 5.6.2.

  • Direct dependency @types/node may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of @types/node available.

Update from version 20.10.4 to 22.5.5.

  • Direct dependency rxjs does NOT have a fix available.


body-parser

Severity: high
Vulnerable Range: <1.20.3

Via:

1: body-parser vulnerable to denial of service when url encoding is enabled.

Severity: high
Vulnerable Range: <1.20.3
CVSS Score: 7.5 / 10
Weaknesses: CWE-405

GitHub Advisory


Latest Available Version: 1.20.3

This dependency has a fix available, but body-parser is NOT a direct dependency in your package.json.
See affected dependencies below:


  • Direct dependency @nestjs/platform-express has a fix available. Install version 10.4.3 of @nestjs/platform-express.

  • Direct dependency express has a fix available. Install version 4.21.0 of express.



braces

Severity: high
Vulnerable Range: <3.0.3

Via:

1: Uncontrolled resource consumption in braces.

Severity: high
Vulnerable Range: <3.0.3
CVSS Score: 7.5 / 10
Weaknesses: CWE-400,CWE-1050

GitHub Advisory


Latest Available Version: 3.0.3

This dependency has a fix available, but braces is NOT a direct dependency in your package.json.
See affected dependencies below:


  • Direct dependency express does NOT have a fix available.

  • Direct dependency dotenv does NOT have a fix available.

  • Direct dependency reflect-metadata does NOT have a fix available.

  • Direct dependency @nestjs/schematics does NOT have a fix available.

  • Direct dependency source-map-support does NOT have a fix available.

  • Direct dependency tsconfig-paths does NOT have a fix available.

  • Direct dependency typescript does NOT have a fix available.

  • Direct dependency @types/node does NOT have a fix available.

  • Direct dependency rxjs does NOT have a fix available.



elliptic

Severity: low
Vulnerable Range: 2.0.0 - 6.5.6

Via:

1: Elliptic's EDDSA missing signature length check.

Severity: low
Vulnerable Range: >=4.0.0 <=6.5.6
CVSS Score: 5.3 / 10
Weaknesses: CWE-347

GitHub Advisory

2: Elliptic's ECDSA missing check for whether leading bit of r and s is zero.

Severity: low
Vulnerable Range: >=2.0.0 <=6.5.6
CVSS Score: 5.3 / 10
Weaknesses: CWE-130

GitHub Advisory

3: Elliptic allows BER-encoded signatures.

Severity: low
Vulnerable Range: >=5.2.1 <=6.5.6
CVSS Score: 5.3 / 10
Weaknesses: CWE-347

GitHub Advisory


Latest Available Version: 6.5.7

This dependency has a fix available, but elliptic is NOT a direct dependency in your package.json.
See affected dependencies below:

  • Direct dependency express may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of express available.

Update from version 4.18.2 to 4.21.0.

  • Direct dependency dotenv may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of dotenv available.

Update from version 16.3.1 to 16.4.5.

  • Direct dependency reflect-metadata may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of reflect-metadata available.

Update from version 0.1.14 to 0.2.2.

  • Direct dependency @nestjs/schematics may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of @nestjs/schematics available.

Update from version 10.0.3 to 10.1.4.

  • Direct dependency source-map-support does NOT have a fix available.

  • Direct dependency tsconfig-paths does NOT have a fix available.

  • Direct dependency typescript may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of typescript available.

Update from version 5.3.3 to 5.6.2.

  • Direct dependency @types/node may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of @types/node available.

Update from version 20.10.4 to 22.5.5.

  • Direct dependency rxjs does NOT have a fix available.


express

Severity: high
Vulnerable Range: <=4.19.2 || 5.0.0-alpha.1 - 5.0.0-beta.3

Via:

1: Express.js Open Redirect in malformed URLs.

Severity: moderate
Vulnerable Range: <4.19.2
CVSS Score: 6.1 / 10
Weaknesses: CWE-601,CWE-1286

GitHub Advisory

2: express vulnerable to XSS via response.redirect().

Severity: moderate
Vulnerable Range: <4.20.0
CVSS Score: 5 / 10
Weaknesses: CWE-79

GitHub Advisory

Also via: body-parser, path-to-regexp, send, serve-static


Latest Available Version: 4.21.0

This dependency has a fix available, and is a direct dependency in your package.json.
See affected dependencies below:

Update express to 4.21.0.



follow-redirects

Severity: moderate
Vulnerable Range: <=1.15.5

Via:

1: Follow Redirects improperly handles URLs in the url.parse() function.

Severity: moderate
Vulnerable Range: <1.15.4
CVSS Score: 6.1 / 10
Weaknesses: CWE-20,CWE-601

GitHub Advisory

2: follow-redirects' Proxy-Authorization header kept across hosts.

Severity: moderate
Vulnerable Range: <=1.15.5
CVSS Score: 6.5 / 10
Weaknesses: CWE-200

GitHub Advisory


Latest Available Version: 1.15.9

This dependency has a fix available, but follow-redirects is NOT a direct dependency in your package.json.
See affected dependencies below:

  • Direct dependency express may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of express available.

Update from version 4.18.2 to 4.21.0.

  • Direct dependency dotenv may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of dotenv available.

Update from version 16.3.1 to 16.4.5.

  • Direct dependency reflect-metadata may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of reflect-metadata available.

Update from version 0.1.14 to 0.2.2.

  • Direct dependency @nestjs/schematics may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of @nestjs/schematics available.

Update from version 10.0.3 to 10.1.4.

  • Direct dependency source-map-support does NOT have a fix available.

  • Direct dependency tsconfig-paths does NOT have a fix available.

  • Direct dependency typescript may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of typescript available.

Update from version 5.3.3 to 5.6.2.

  • Direct dependency @types/node may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of @types/node available.

Update from version 20.10.4 to 22.5.5.

  • Direct dependency rxjs does NOT have a fix available.


lint-staged

Severity: moderate
Vulnerable Range: 7.0.0 - 8.2.1 || 13.3.0 - 15.2.4

Via: micromatch


Latest Available Version: 15.2.10

This dependency has a fix available, and is a direct dependency in your package.json.
See affected dependencies below:

Update lint-staged to 15.2.10.



micromatch

Severity: moderate
Vulnerable Range: <4.0.8

Via:

1: Regular Expression Denial of Service (ReDoS) in micromatch.

Severity: moderate
Vulnerable Range: <4.0.8
CVSS Score: 5.3 / 10
Weaknesses: CWE-1333

GitHub Advisory


Latest Available Version: 4.0.8

This dependency has a fix available, but micromatch is NOT a direct dependency in your package.json.
See affected dependencies below:

  • Direct dependency express may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of express available.

Update from version 4.18.2 to 4.21.0.

  • Direct dependency dotenv may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of dotenv available.

Update from version 16.3.1 to 16.4.5.

  • Direct dependency reflect-metadata may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of reflect-metadata available.

Update from version 0.1.14 to 0.2.2.

  • Direct dependency @nestjs/schematics may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of @nestjs/schematics available.

Update from version 10.0.3 to 10.1.4.

  • Direct dependency source-map-support does NOT have a fix available.

  • Direct dependency tsconfig-paths does NOT have a fix available.

  • Direct dependency typescript may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of typescript available.

Update from version 5.3.3 to 5.6.2.

  • Direct dependency @types/node may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of @types/node available.

Update from version 20.10.4 to 22.5.5.

  • Direct dependency rxjs does NOT have a fix available.

  • Direct dependency lint-staged has a fix available. Install version 15.2.10 of lint-staged.

  • Direct dependency ts-loader has a fix available. Install version 9.5.1 of ts-loader.



path-to-regexp

Severity: high
Vulnerable Range: <=0.1.9 || 2.0.0 - 3.2.0

Via:

1: path-to-regexp outputs backtracking regular expressions.

Severity: high
Vulnerable Range: >=2.0.0 <3.3.0
CVSS Score: 7.5 / 10
Weaknesses: CWE-1333

GitHub Advisory

2: path-to-regexp outputs backtracking regular expressions.

Severity: high
Vulnerable Range: <0.1.10
CVSS Score: 7.5 / 10
Weaknesses: CWE-1333

GitHub Advisory


Latest Available Version: 8.1.0

This dependency has a fix available, but path-to-regexp is NOT a direct dependency in your package.json.
See affected dependencies below:


  • Direct dependency @nestjs/core has a fix available. Install version 10.4.3 of @nestjs/core.

  • Direct dependency @nestjs/swagger has a fix available. Install version 7.4.2 of @nestjs/swagger.

  • Direct dependency express has a fix available. Install version 4.21.0 of express.



pug

Severity: moderate
Vulnerable Range: <=3.0.2

Via:

1: Pug allows JavaScript code execution if an application accepts untrusted input.

Severity: moderate
Vulnerable Range: <=3.0.2
CVSS Score: 6.8 / 10
Weaknesses: CWE-94

GitHub Advisory


Latest Available Version: 3.0.3

This dependency has a fix available, and is a direct dependency in your package.json.
See affected dependencies below:

Update pug to 3.0.3.



puppeteer

Severity: high
Vulnerable Range: 11.0.0 - 18.1.0

Via: ws


Latest Available Version: 23.3.1

This dependency has a fix available, and is a direct dependency in your package.json.
See affected dependencies below:

Update puppeteer to 23.3.1.



send

Severity: moderate
Vulnerable Range: <0.19.0

Via:

1: send vulnerable to template injection that can lead to XSS.

Severity: moderate
Vulnerable Range: <0.19.0
CVSS Score: 5 / 10
Weaknesses: CWE-79

GitHub Advisory


Latest Available Version: 0.19.0

This dependency has a fix available, but send is NOT a direct dependency in your package.json.
See affected dependencies below:

  • Direct dependency express has a fix available. Install version 4.21.0 of express.

  • Direct dependency express may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of express available.

Update from version 4.18.2 to 4.21.0.

  • Direct dependency dotenv may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of dotenv available.

Update from version 16.3.1 to 16.4.5.

  • Direct dependency reflect-metadata may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of reflect-metadata available.

Update from version 0.1.14 to 0.2.2.

  • Direct dependency @nestjs/schematics may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of @nestjs/schematics available.

Update from version 10.0.3 to 10.1.4.

  • Direct dependency source-map-support does NOT have a fix available.

  • Direct dependency tsconfig-paths does NOT have a fix available.

  • Direct dependency typescript may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of typescript available.

Update from version 5.3.3 to 5.6.2.

  • Direct dependency @types/node may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of @types/node available.

Update from version 20.10.4 to 22.5.5.

  • Direct dependency rxjs does NOT have a fix available.
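The lists under axios, elliptic, follow-redirects, micromatch and send above name the same set of direct dependencies each time (express, dotenv, reflect-metadata, @nestjs/schematics, typescript, @types/node, and so on). Before bumping one of them on the strength of a "may have a fix available" line, confirm that it actually resolves the flagged package in your own tree; `npm ls <package>` shows the paths, and the following added example (not the bot's code) does the same over the JSON that `npm ls --all --json` prints: for each direct dependency it lists the paths that reach the flagged package at a version below the patched one. SAMPLE_TREE is hand-constructed with illustrative versions, and the plain x.y.z comparison in semverLt is an assumption of this example that ignores prerelease tags.

```javascript
// Added example (not the report bot's own code): find which direct dependencies
// actually pull a flagged package into the tree, from `npm ls --all --json`.
// SAMPLE_TREE is constructed by hand; the shape follows npm's JSON tree
// (name -> { version, dependencies }) and the versions are illustrative only.

const SAMPLE_TREE = {
  name: "backend", version: "0.0.1",
  dependencies: {
    express: {
      version: "4.18.2",
      dependencies: {
        "body-parser": { version: "1.20.1" },
        send: { version: "0.18.0" },
        "serve-static": { version: "1.15.0", dependencies: { send: { version: "0.18.0" } } },
      },
    },
    "@nestjs/platform-express": {
      version: "10.3.0",
      dependencies: { "body-parser": { version: "1.20.1" }, express: { version: "4.18.2" } },
    },
    dotenv: { version: "16.3.1" }, // no dependencies of its own
    puppeteer: { version: "18.1.0", dependencies: { ws: { version: "8.13.0" } } },
  },
};

// Every root-to-target path, as [{ name, version }, ...]. Nodes without a
// `dependencies` key are treated as leaves.
function pathsTo(tree, target) {
  const out = [];
  const walk = (name, node, trail) => {
    const here = [...trail, { name, version: node.version }];
    if (name === target) out.push(here);
    for (const [child, childNode] of Object.entries(node.dependencies || {})) {
      walk(child, childNode, here);
    }
  };
  for (const [name, node] of Object.entries(tree.dependencies || {})) walk(name, node, []);
  return out;
}

// Plain x.y.z comparison; prerelease tags are not handled (assumption of this example).
function semverLt(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Direct dependencies whose subtree contains `target` at a version below
// `fixedVersion` (or at any version when no fixed version is given).
function directOwners(tree, target, fixedVersion) {
  const owners = new Set();
  for (const path of pathsTo(tree, target)) {
    const installed = path[path.length - 1].version;
    if (fixedVersion === undefined || semverLt(installed, fixedVersion)) {
      owners.add(path[0].name);
    }
  }
  return [...owners].sort();
}

const formatPath = (path) => path.map((n) => `${n.name}@${n.version}`).join(" > ");

// Patched versions below are the ones this report lists for each package.
for (const [pkg, fixed] of [["body-parser", "1.20.3"], ["send", "0.19.0"], ["axios", "1.7.4"]]) {
  console.log(`${pkg}: direct owners ${JSON.stringify(directOwners(SAMPLE_TREE, pkg, fixed))}`);
  for (const p of pathsTo(SAMPLE_TREE, pkg)) console.log("  " + formatPath(p));
}
```

With a real project, `npm ls --all --json > tree.json` and parse that file in place of SAMPLE_TREE. In the sample, dotenv reaches none of the flagged packages and axios has no path at all, which is exactly the situation to check before updating a package that a "may have a fix available" line names.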


serve-static

Severity: moderate
Vulnerable Range: <=1.16.0

Via:

1: serve-static vulnerable to template injection that can lead to XSS.

Severity: moderate
Vulnerable Range: <1.16.0
CVSS Score: 5 / 10
Weaknesses: CWE-79

GitHub Advisory

Via send


Latest Available Version: 1.16.2

This dependency has a fix available, but serve-static is NOT a direct dependency in your package.json.
See affected dependencies below:


  • Direct dependency express has a fix available. Install version 4.21.0 of express.


webpack

Severity: moderate
Vulnerable Range: 5.0.0-alpha.0 - 5.93.0

Via:

1: Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS.

Severity: moderate
Vulnerable Range: >=5.0.0-alpha.0 <5.94.0
CVSS Score: 6.4 / 10
Weaknesses: CWE-79

GitHub Advisory


Latest Available Version: 5.94.0

This dependency has a fix available, but webpack is NOT a direct dependency in your package.json.
See affected dependencies below:


  • Direct dependency @nestjs/cli has a fix available. Install version 10.4.5 of @nestjs/cli.


ws

Severity: high
Vulnerable Range: 8.0.0 - 8.17.0

Via:

1: ws affected by a DoS when handling a request with many HTTP headers.

Severity: high
Vulnerable Range: >=8.0.0 <8.17.1
CVSS Score: 7.5 / 10
Weaknesses: CWE-476

GitHub Advisory


Latest Available Version: 8.18.0

This dependency has a fix available, but ws is NOT a direct dependency in your package.json.
See affected dependencies below:


  • Direct dependency puppeteer has a fix available. Install version 23.3.1 of puppeteer.
