Skip to content

fs-admin-0.19.0.tgz: 4 vulnerabilities (highest severity is: 9.8) #76

New issue
New issue
Open
Open
fs-admin-0.19.0.tgz: 4 vulnerabilities (highest severity is: 9.8)#76
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@dev-mend-for-github-com

Description

@dev-mend-for-github-com
dev-mend-for-github-com
bot
opened on Jan 26, 2025
Vulnerable Library - fs-admin-0.19.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/apm/package.json

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (fs-admin version) Remediation Possible** Reachability
CVE-289561-266276 Critical 9.8 inherits-2.0.4.tgz Transitive N/A*
CVE-2022-0355 High 8.8 simple-get-3.1.0.tgz Transitive 0.20.0
CVE-2025-59343 High 7.5 tar-fs-2.1.1.tgz Transitive N/A*
GHSA-g2q5-5433-rhrf Medium 5.5 rc-1.2.8.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-289561-266276

Vulnerable Library - inherits-2.0.4.tgz

Browser-friendly inheritance fully compatible with standard node.js inherits()

Library home page: https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz

Path to dependency file: /packages/dev-live-reload/package.json

Path to vulnerable library: /packages/dev-live-reload/node_modules/inherits/package.json,/package.json,/packages/exception-reporting/node_modules/inherits/package.json,/apm/package.json,/packages/deprecation-cop/node_modules/inherits/package.json,/packages/git-diff/node_modules/inherits/package.json,/script/update-server/package.json,/script/package.json

Dependency Hierarchy:

  • fs-admin-0.19.0.tgz (Root Library)
    • prebuild-install-6.1.3.tgz
      • tar-fs-2.1.1.tgz
        • tar-stream-2.2.0.tgz
          • inherits-2.0.4.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

Created automatically by the test suite

Publish Date: 2010-06-07

URL: CVE-289561-266276

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2022-0355

Vulnerable Library - simple-get-3.1.0.tgz

Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in < 100 lines.

Library home page: https://registry.npmjs.org/simple-get/-/simple-get-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/script/package.json

Dependency Hierarchy:

  • fs-admin-0.19.0.tgz (Root Library)
    • prebuild-install-6.1.3.tgz
      • simple-get-3.1.0.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1.
Mend Note:

Publish Date: 2022-01-26

URL: CVE-2022-0355

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wpg7-2c88-r8xv

Release Date: 2022-01-26

Fix Resolution (simple-get): 3.1.1

Direct dependency fix Resolution (fs-admin): 0.20.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-59343

Vulnerable Library - tar-fs-2.1.1.tgz

filesystem bindings for tar-stream

Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/apm/package.json

Dependency Hierarchy:

  • fs-admin-0.19.0.tgz (Root Library)
    • prebuild-install-6.1.3.tgz
      • tar-fs-2.1.1.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

Impact v3.1.0, v2.1.3, v1.16.5 and below Patches Has been patched in 3.1.1, 2.1.4, and 1.16.6 Workarounds You can use the ignore option to ignore non files/directories. ignore (_, header) { // pass files & directories, ignore e.g. symlinks return header.type !== 'file' && header.type !== 'directory' } Credit Reported by: Mapta / BugBunny_ai

Publish Date: 2025-09-24

URL: CVE-2025-59343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vj76-c3g6-qr5v

Release Date: 2025-09-24

Fix Resolution: tar-fs - 3.1.1,tar-fs - 1.16.5,tar-fs - 2.1.3

GHSA-g2q5-5433-rhrf

Vulnerable Library - rc-1.2.8.tgz

hardwired configuration loader

Library home page: https://registry.npmjs.org/rc/-/rc-1.2.8.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/package.json,/package.json,/apm/package.json

Dependency Hierarchy:

  • fs-admin-0.19.0.tgz (Root Library)
    • prebuild-install-6.1.3.tgz
      • rc-1.2.8.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

The npm package "rc" had versions published with malicious code. Users of affected versions (1.2.9, 1.3.9, and 2.3.9) should downgrade to 1.2.8 as soon as possible and check their systems for suspicious activity. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Publish Date: 2025-07-14

URL: GHSA-g2q5-5433-rhrf

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

⛑️Automatic Remediation will be attempted for this issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions