Description
Vulnerable Library - fs-admin-0.12.0.tgz
Path to dependency file: /script/package.json
Path to vulnerable library: /package.json,/script/package.json
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (fs-admin version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|
| CVE-495493-603164 | 9.8 | delegates-1.0.0.tgz | Transitive | N/A* | ❌ | |
| CVE-2021-44906 | 9.8 | minimist-1.2.0.tgz | Transitive | 0.13.0 | ✅ | |
| CVE-2022-0355 | 8.8 | simple-get-3.1.0.tgz | Transitive | 0.13.0 | ✅ | |
| CVE-2025-59343 | 7.5 | tar-fs-2.0.0.tgz | Transitive | N/A* | ❌ | |
| CVE-2020-7598 | 5.6 | minimist-1.2.0.tgz | Transitive | 0.13.0 | ✅ | |
| GHSA-g2q5-5433-rhrf | 5.5 | rc-1.2.8.tgz | Transitive | N/A* | ❌ | |
| GHSA-7fhm-mqm4-2wp7 | 5.5 | minimist-1.2.0.tgz | Transitive | N/A* | ❌ | |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-495493-603164
Vulnerable Library - delegates-1.0.0.tgz
delegate methods and accessors to another property
Library home page: https://registry.npmjs.org/delegates/-/delegates-1.0.0.tgz
Path to dependency file: /apm/package.json
Path to vulnerable library: /apm/package.json,/script/package.json,/package.json
Dependency Hierarchy:
- fs-admin-0.12.0.tgz (Root Library)
  - prebuild-install-5.3.3.tgz
    - npmlog-4.1.2.tgz
      - are-we-there-yet-1.1.5.tgz
        - ❌ delegates-1.0.0.tgz (Vulnerable Library)
Found in base branch: electron-upgrade
Vulnerability Details
Created automatically by the test suite
Publish Date: 2010-06-07
URL: CVE-495493-603164
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2021-44906
Vulnerable Library - minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /script/package.json
Path to vulnerable library: /script/package.json
Dependency Hierarchy:
- fs-admin-0.12.0.tgz (Root Library)
  - prebuild-install-5.3.3.tgz
    - ❌ minimist-1.2.0.tgz (Vulnerable Library)
Found in base branch: electron-upgrade
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (fs-admin): 0.13.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-0355
Vulnerable Library - simple-get-3.1.0.tgz
Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in < 100 lines.
Library home page: https://registry.npmjs.org/simple-get/-/simple-get-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/script/package.json
Dependency Hierarchy:
- fs-admin-0.12.0.tgz (Root Library)
  - prebuild-install-5.3.3.tgz
    - ❌ simple-get-3.1.0.tgz (Vulnerable Library)
Found in base branch: electron-upgrade
Vulnerability Details
Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1.
Publish Date: 2022-01-26
URL: CVE-2022-0355
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-wpg7-2c88-r8xv
Release Date: 2022-01-26
Fix Resolution (simple-get): 3.1.1
Direct dependency fix Resolution (fs-admin): 0.13.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-59343
Vulnerable Library - tar-fs-2.0.0.tgz
filesystem bindings for tar-stream
Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/script/package.json
Dependency Hierarchy:
- fs-admin-0.12.0.tgz (Root Library)
  - prebuild-install-5.3.3.tgz
    - ❌ tar-fs-2.0.0.tgz (Vulnerable Library)
Found in base branch: electron-upgrade
Vulnerability Details
Impact: v3.1.0, v2.1.3, v1.16.5 and below.
Patches: has been patched in 3.1.1, 2.1.4, and 1.16.6.
Workarounds: you can use the ignore option to ignore non files/directories.
```js
ignore (_, header) {
  // pass files & directories, ignore e.g. symlinks
  return header.type !== 'file' && header.type !== 'directory'
}
```
Credit: reported by Mapta / BugBunny_ai
Publish Date: 2025-09-24
URL: CVE-2025-59343
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-vj76-c3g6-qr5v
Release Date: 2025-09-24
Fix Resolution: tar-fs - 3.1.1, tar-fs - 2.1.4, tar-fs - 1.16.6 (the advisory text above lists 2.1.3 and 1.16.5 as still affected; for the tar-fs-2.0.0 pulled in here, 2.1.4 is the first patched release on the 2.x line)
CVE-2020-7598
Vulnerable Library - minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /script/package.json
Path to vulnerable library: /script/package.json
Dependency Hierarchy:
- fs-admin-0.12.0.tgz (Root Library)
  - prebuild-install-5.3.3.tgz
    - ❌ minimist-1.2.0.tgz (Vulnerable Library)
Found in base branch: electron-upgrade
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a `"constructor"` or `"__proto__"` payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-vh95-rmgr-6w4m
Release Date: 2020-03-11
Fix Resolution (minimist): 1.2.3
Direct dependency fix Resolution (fs-admin): 0.13.0
⛑️ Automatic Remediation will be attempted for this issue.
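The prototype-pollution class described for CVE-2021-44906 and CVE-2020-7598 above, shown end to end as an added example. This is not minimist's source code and not fs-admin's: it is a deliberately tiny argv parser whose `setKeyVulnerable` follows whatever dotted key path the command line supplies, next to a `setKeyHardened` variant that refuses `__proto__`, `constructor` and `prototype`. The function names and the sample argv (`SAMPLE_ARGV`) are constructed for the demo.

```javascript
'use strict';
// Added example: a toy argv parser reproducing the prototype-pollution class
// described for minimist (CVE-2020-7598 / CVE-2021-44906). This is NOT
// minimist's code; function names and the sample argv are constructed here.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: follows whatever key path argv supplies. `__proto__` resolves to
// Object.prototype, and `constructor.prototype` gets there too, so the final
// assignment lands on every plain object in the process.
function setKeyVulnerable(obj, keys, value) {
  let o = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened: discard any option whose key path names a special property, and
// only descend into containers this parser created itself (own properties),
// never into inherited ones.
function setKeyHardened(obj, keys, value) {
  if (keys.some((k) => DANGEROUS_KEYS.has(k))) return;
  let o = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (!Object.prototype.hasOwnProperty.call(o, key) || typeof o[key] !== 'object') {
      o[key] = {};
    }
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// Parses `--a.b.c=value` and bare `--flag` (true); positional arguments are
// out of scope for this demo. `setKey` selects the vulnerable or hardened writer.
function parseArgs(argv, setKey) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)(?:=(.*))?$/.exec(arg);
    if (!m) continue;
    setKey(out, m[1].split('.'), m[2] === undefined ? true : m[2]);
  }
  return out;
}

// Constructed attacker input: one legitimate option and the two payload shapes
// named in the advisory text.
const SAMPLE_ARGV = [
  '--name=app',
  '--__proto__.polluted=yes',
  '--constructor.prototype.alsoPolluted=yes',
];

// Runs the parser and reports whether an unrelated, freshly created object
// picked up the injected properties. Cleans Object.prototype afterwards so the
// rest of the process is unaffected.
function pollutionReached(setKey) {
  const parsed = parseArgs(SAMPLE_ARGV, setKey);
  const victim = {};
  const leaked = victim.polluted === 'yes' || victim.alsoPolluted === 'yes';
  delete Object.prototype.polluted;
  delete Object.prototype.alsoPolluted;
  return { leaked, name: parsed.name };
}

console.log('vulnerable:', pollutionReached(setKeyVulnerable)); // { leaked: true, name: 'app' }
console.log('hardened:  ', pollutionReached(setKeyHardened));   // { leaked: false, name: 'app' }
```

The `victim` object never sees the command line; it inherits `polluted` purely because the vulnerable writer stored the value on `Object.prototype`. In a real process that is what turns an argv-parsing bug into changed behaviour in unrelated code (any `if (options.someFlag)` check anywhere in the program), which is why the CVSS for CVE-2021-44906 is scored with high impact across the board.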
GHSA-g2q5-5433-rhrf
Vulnerable Library - rc-1.2.8.tgz
hardwired configuration loader
Library home page: https://registry.npmjs.org/rc/-/rc-1.2.8.tgz
Path to dependency file: /script/package.json
Path to vulnerable library: /script/package.json,/package.json,/apm/package.json
Dependency Hierarchy:
- fs-admin-0.12.0.tgz (Root Library)
  - prebuild-install-5.3.3.tgz
    - ❌ rc-1.2.8.tgz (Vulnerable Library)
Found in base branch: electron-upgrade
Vulnerability Details
The npm package "rc" had versions published with malicious code. Users of affected versions (1.2.9, 1.3.9, and 2.3.9) should downgrade to 1.2.8 as soon as possible and check their systems for suspicious activity. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Note on this finding: the version pinned here is rc-1.2.8, which is the release the advisory itself recommends downgrading to; the compromised releases it names are 1.2.9, 1.3.9 and 2.3.9. Confirm the resolved version with `npm ls rc` before treating this row as an exposure.
Publish Date: 2025-07-14
URL: GHSA-g2q5-5433-rhrf
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
GHSA-7fhm-mqm4-2wp7
Vulnerable Library - minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /script/package.json
Path to vulnerable library: /script/package.json
Dependency Hierarchy:
- fs-admin-0.12.0.tgz (Root Library)
  - prebuild-install-5.3.3.tgz
    - ❌ minimist-1.2.0.tgz (Vulnerable Library)
Found in base branch: electron-upgrade
Vulnerability Details
Withdrawn: GitHub has withdrawn this advisory in place of GHSA-vh95-rmgr-6w4m and GHSA-6chw-6frg-f759. The reason for withdrawing is that some mistakes were made during the ingestion of CVE-2020-7598 which caused this advisory to be published with incorrect information. In order to provide accurate advisory information, new advisories were created:
- minimist: GHSA-vh95-rmgr-6w4m
- acorn: GHSA-6chw-6frg-f759
Publish Date: 2025-07-14
URL: GHSA-7fhm-mqm4-2wp7
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
⛑️ Automatic Remediation will be attempted for this issue.