Description
Vulnerable Library - react-scripts-1.0.17.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library:
- /fixtures/packaging/systemjs-builder/prod/node_modules/es5-ext/package.json
- /fixtures/packaging/systemjs-builder/dev/node_modules/es5-ext/package.json
- /fixtures/expiration/node_modules/es5-ext/package.json
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Vulnerabilities
| CVE | Severity | Exploit Maturity | EPSS | Dependency | Type | Fixed in (react-scripts version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-42282 | 9.8 | Not Defined | 0.1% | ip-1.1.5.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2023-26136 | 9.8 | Not Defined | 0.1% | tough-cookie-2.3.3.tgz | Transitive | 4.0.0 | ❌ | |
| CVE-2022-37601 | 9.8 | Not Defined | 0.70000005% | detected in multiple dependencies | Transitive | 4.0.0 | ✅ | |
| CVE-2022-37598 | 9.8 | Not Defined | 0.5% | uglify-js-3.7.3.tgz | Transitive | 3.3.1 | ❌ | |
| CVE-2022-0691 | 9.8 | Not Defined | 0.3% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2021-44906 | 9.8 | Not Defined | 1.2% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2021-42740 | 9.8 | Not Defined | 0.2% | shell-quote-1.6.1.tgz | Transitive | 5.0.0 | ✅ | |
| CVE-2021-3918 | 9.8 | Not Defined | 0.4% | json-schema-0.2.3.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2021-23383 | 9.8 | Not Defined | 3.3% | handlebars-4.5.3.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2021-23369 | 9.8 | Not Defined | 14.900001% | handlebars-4.5.3.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2020-7788 | 9.8 | Not Defined | 1.2% | ini-1.3.4.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2020-28499 | 9.8 | Not Defined | 0.4% | merge-1.2.0.tgz | Transitive | 3.0.0 | ❌ | |
| CVE-2018-6342 | 9.8 | Not Defined | 0.2% | react-dev-utils-4.2.1.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2018-3774 | 9.8 | Not Defined | 0.3% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2018-16492 | 9.8 | Not Defined | 0.4% | extend-3.0.1.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2018-13797 | 9.8 | Not Defined | 0.3% | macaddress-0.2.8.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2018-1000620 | 9.8 | Not Defined | 0.2% | cryptiles-3.1.2.tgz | Transitive | 1.1.1 | ✅ | |
| CVE-2022-1650 | 9.3 | Not Defined | 0.2% | eventsource-0.1.6.tgz | Transitive | 2.1.3 | ✅ | |
| CVE-2022-0686 | 9.1 | Not Defined | 0.2% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2019-10744 | 9.1 | Not Defined | 1.5% | lodash.template-4.4.0.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2023-45133 | 8.8 | Not Defined | 0.1% | babel-traverse-6.26.0.tgz | Transitive | N/A* | ❌ | |
| CVE-2022-46175 | 8.8 | Not Defined | 0.6% | json5-0.5.1.tgz | Transitive | 3.0.0 | ✅ | |
| WS-2019-0063 | 8.1 | Not Defined | | detected in multiple dependencies | Transitive | 2.0.0 | ✅ | |
| CVE-2021-43138 | 7.8 | Not Defined | 0.1% | async-2.6.0.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2020-13822 | 7.7 | Not Defined | 0.4% | elliptic-6.4.0.tgz | Transitive | 1.1.0 | ❌ | |
| WS-2021-0152 | 7.5 | Not Defined | | color-string-0.3.0.tgz | Transitive | 2.0.0 | ✅ | |
| WS-2020-0450 | 7.5 | Not Defined | | handlebars-4.5.3.tgz | Transitive | 1.1.0 | ✅ | |
| WS-2019-0541 | 7.5 | Not Defined | | macaddress-0.2.8.tgz | Transitive | 1.1.0 | ❌ | |
| WS-2019-0032 | 7.5 | Not Defined | | detected in multiple dependencies | Transitive | 2.0.0 | ✅ | |
| CVE-2024-4068 | 7.5 | Not Defined | 0.0% | braces-1.8.5.tgz | Transitive | N/A* | ❌ | |
| CVE-2022-37620 | 7.5 | Not Defined | 0.1% | html-minifier-3.5.6.tgz | Transitive | N/A* | ❌ | |
| CVE-2022-37603 | 7.5 | Not Defined | 0.6% | loader-utils-1.1.0.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2022-3517 | 7.5 | Not Defined | 0.2% | minimatch-3.0.3.tgz | Transitive | N/A* | ❌ | |
| CVE-2022-29167 | 7.5 | Not Defined | 0.1% | hawk-6.0.2.tgz | Transitive | 1.1.1 | ✅ | |
| CVE-2022-24999 | 7.5 | Not Defined | 0.9% | qs-6.5.1.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2022-24772 | 7.5 | Not Defined | 0.1% | node-forge-0.6.33.tgz | Transitive | 5.0.0 | ✅ | |
| CVE-2022-24771 | 7.5 | Not Defined | 0.1% | node-forge-0.6.33.tgz | Transitive | 5.0.0 | ✅ | |
| CVE-2021-3803 | 7.5 | Not Defined | 0.2% | nth-check-1.0.1.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2021-3777 | 7.5 | Not Defined | 0.1% | tmpl-1.0.4.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2021-33623 | 7.5 | Not Defined | 0.2% | trim-newlines-1.0.0.tgz | Transitive | 2.0.1 | ❌ | |
| CVE-2021-29059 | 7.5 | Not Defined | 0.4% | is-svg-2.1.0.tgz | Transitive | 2.0.0 | ✅ | |
| CVE-2021-28092 | 7.5 | Not Defined | 0.2% | is-svg-2.1.0.tgz | Transitive | 2.0.0 | ✅ | |
| CVE-2021-27516 | 7.5 | Not Defined | 0.2% | urijs-1.19.0.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2021-23424 | 7.5 | Not Defined | 0.2% | ansi-html-0.0.7.tgz | Transitive | 5.0.0 | ❌ | |
| CVE-2021-23382 | 7.5 | Not Defined | 0.2% | detected in multiple dependencies | Transitive | 3.0.0 | ✅ | |
| CVE-2021-23343 | 7.5 | Not Defined | 0.3% | path-parse-1.0.5.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2020-7662 | 7.5 | Not Defined | 0.2% | websocket-extensions-0.1.3.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2020-28469 | 7.5 | Not Defined | 1.2% | glob-parent-2.0.0.tgz | Transitive | 5.0.0 | ✅ | |
| CVE-2018-3737 | 7.5 | Not Defined | 0.2% | sshpk-1.13.1.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2018-16469 | 7.5 | Not Defined | 0.1% | merge-1.2.0.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2018-14732 | 7.5 | Not Defined | 0.3% | webpack-dev-server-2.9.4.tgz | Transitive | 2.0.0 | ✅ | |
| WS-2018-0588 | 7.4 | Not Defined | | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2020-8116 | 7.3 | Not Defined | 0.2% | dot-prop-3.0.0.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2020-7720 | 7.3 | Not Defined | 0.2% | node-forge-0.6.33.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2018-3750 | 7.3 | Not Defined | 0.3% | deep-extend-0.4.2.tgz | Transitive | 1.1.0 | ✅ | |
| WS-2018-0590 | 7.1 | Not Defined | | diff-3.4.0.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2020-28498 | 6.8 | Not Defined | 0.1% | elliptic-6.4.0.tgz | Transitive | 1.1.0 | ❌ | |
| WS-2022-0008 | 6.6 | Not Defined | | node-forge-0.6.33.tgz | Transitive | 5.0.0 | ✅ | |
| CVE-2022-0613 | 6.5 | Not Defined | 0.1% | urijs-1.19.0.tgz | Transitive | N/A* | ❌ | |
| CVE-2021-23386 | 6.5 | Not Defined | 0.1% | dns-packet-1.2.2.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2020-26291 | 6.5 | Not Defined | 0.1% | urijs-1.19.0.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2018-21270 | 6.5 | Not Defined | 0.2% | stringstream-0.0.5.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2024-29041 | 6.1 | Not Defined | 0.0% | express-4.16.2.tgz | Transitive | N/A* | ❌ | |
| CVE-2023-28155 | 6.1 | Not Defined | 0.1% | request-2.83.0.tgz | Transitive | N/A* | ❌ | |
| CVE-2022-1243 | 6.1 | Not Defined | 0.1% | urijs-1.19.0.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2022-1233 | 6.1 | Not Defined | 0.1% | urijs-1.19.0.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2022-0868 | 6.1 | Not Defined | 0.1% | urijs-1.19.0.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2022-0122 | 6.1 | Not Defined | 0.1% | node-forge-0.6.33.tgz | Transitive | 5.0.0 | ✅ | |
| CVE-2021-3647 | 6.1 | Not Defined | 0.1% | urijs-1.19.0.tgz | Transitive | 1.1.0 | ✅ | |
| WS-2019-0427 | 5.9 | Not Defined | | elliptic-6.4.0.tgz | Transitive | 1.1.0 | ❌ | |
| WS-2019-0424 | 5.9 | Not Defined | | elliptic-6.4.0.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2021-24033 | 5.6 | Not Defined | 0.2% | react-dev-utils-4.2.1.tgz | Transitive | 4.0.0 | ✅ | |
| CVE-2020-7789 | 5.6 | Not Defined | 0.2% | node-notifier-5.1.2.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2020-7598 | 5.6 | Not Defined | 0.1% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2020-15366 | 5.6 | Not Defined | 0.3% | ajv-5.3.0.tgz | Transitive | 2.0.0 | ✅ | |
| CVE-2024-29415 | 5.5 | Not Defined | | ip-1.1.5.tgz | Transitive | N/A* | ❌ | |
| WS-2019-0017 | 5.3 | Not Defined | | clean-css-4.1.9.tgz | Transitive | 1.1.0 | ✅ | |
| WS-2018-0347 | 5.3 | Not Defined | | eslint-4.10.0.tgz | Transitive | 2.0.0 | ✅ | |
| WS-2017-3757 | 5.3 | Not Defined | | content-type-parser-1.0.2.tgz | Transitive | N/A* | ❌ | |
| CVE-2024-4067 | 5.3 | Not Defined | 0.0% | micromatch-2.3.11.tgz | Transitive | 5.0.0 | ✅ | |
| CVE-2022-33987 | 5.3 | Not Defined | 0.1% | got-5.7.1.tgz | Transitive | 2.0.1 | ❌ | |
| CVE-2022-24773 | 5.3 | Not Defined | 0.1% | node-forge-0.6.33.tgz | Transitive | 5.0.0 | ✅ | |
| CVE-2022-24723 | 5.3 | Not Defined | 0.1% | urijs-1.19.0.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2022-0639 | 5.3 | Not Defined | 0.1% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2022-0512 | 5.3 | Not Defined | 0.1% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2021-3664 | 5.3 | Not Defined | 0.1% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2021-29060 | 5.3 | Not Defined | 0.2% | color-string-0.3.0.tgz | Transitive | 2.0.0 | ✅ | |
| CVE-2021-27515 | 5.3 | Not Defined | 0.2% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2021-23362 | 5.3 | Not Defined | 0.3% | hosted-git-info-2.5.0.tgz | Transitive | 1.1.0 | ❌ | |
| CVE-2020-8124 | 5.3 | Not Defined | 0.1% | detected in multiple dependencies | Transitive | 1.1.0 | ✅ | |
| CVE-2020-7693 | 5.3 | Not Defined | 0.6% | sockjs-0.3.18.tgz | Transitive | 3.4.2 | ✅ | |
| CVE-2020-7608 | 5.3 | Not Defined | 0.0% | detected in multiple dependencies | Transitive | 2.0.0 | ✅ | |
| CVE-2017-16028 | 5.3 | Not Defined | 0.1% | randomatic-1.1.7.tgz | Transitive | 1.1.0 | ✅ | |
| WS-2019-0307 | 5.1 | Not Defined | | mem-1.1.0.tgz | Transitive | 2.0.0 | ✅ | |
| WS-2018-0103 | 4.8 | Not Defined | | stringstream-0.0.5.tgz | Transitive | 1.1.0 | ✅ | |
| WS-2018-0589 | 3.7 | Not Defined | | nwmatcher-1.4.3.tgz | Transitive | 1.1.0 | ✅ | |
| CVE-2024-27088 | 0.0 | Not Defined | 0.0% | es5-ext-0.10.35.tgz | Transitive | 1.1.0 | ✅ | |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
Partial details (12 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2023-42282
Vulnerable Library - ip-1.1.5.tgz
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - webpack-dev-server-2.9.4.tgz
    - ❌ ip-1.1.5.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Publish Date: 2024-02-08
URL: CVE-2023-42282
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-42282
Release Date: 2024-02-08
Fix Resolution (ip): 1.1.9
Direct dependency fix Resolution (react-scripts): 1.1.0
CVE-2023-26136
Vulnerable Library - tough-cookie-2.3.3.tgz
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.3.tgz
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - jest-20.0.4.tgz
    - jest-cli-20.0.4.tgz
      - jest-environment-jsdom-20.0.3.tgz
        - jsdom-9.12.0.tgz
          - ❌ tough-cookie-2.3.3.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution (tough-cookie): 4.1.3
Direct dependency fix Resolution (react-scripts): 4.0.0
CVE-2022-37601
Vulnerable Libraries - loader-utils-0.2.17.tgz, loader-utils-1.1.0.tgz
loader-utils-0.2.17.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.17.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library:
- /fixtures/attribute-behavior/package.json
- /fixtures/packaging/webpack/prod/node_modules/loader-utils/package.json
- /fixtures/packaging/webpack-alias/prod/node_modules/loader-utils/package.json
- /fixtures/packaging/webpack/dev/node_modules/loader-utils/package.json
- /fixtures/packaging/webpack-alias/dev/node_modules/loader-utils/package.json
- /fixtures/expiration/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json
- /fixtures/concurrent/time-slicing/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - html-webpack-plugin-2.29.0.tgz
    - ❌ loader-utils-0.2.17.tgz (Vulnerable Library)
loader-utils-1.1.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.1.0.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library:
- /fixtures/expiration/node_modules/loader-utils/package.json
- /fixtures/attribute-behavior/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - webpack-3.8.1.tgz
    - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.70000005%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (react-scripts): 4.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2022-37598
Vulnerable Library - uglify-js-3.7.3.tgz
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.7.3.tgz
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - jest-20.0.4.tgz
    - jest-cli-20.0.4.tgz
      - istanbul-api-1.2.1.tgz
        - istanbul-reports-1.1.3.tgz
          - handlebars-4.5.3.tgz
            - ❌ uglify-js-3.7.3.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
Publish Date: 2022-10-20
URL: CVE-2022-37598
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.5%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-20
Fix Resolution (uglify-js): 3.13.10
Direct dependency fix Resolution (react-scripts): 3.3.1
CVE-2022-0691
Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.2.0.tgz
url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library:
- /fixtures/attribute-behavior/package.json
- /fixtures/expiration/node_modules/original/node_modules/url-parse/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - react-dev-utils-4.2.1.tgz
    - sockjs-client-1.1.4.tgz
      - eventsource-0.1.6.tgz
        - original-1.0.0.tgz
          - ❌ url-parse-1.0.5.tgz (Vulnerable Library)
url-parse-1.2.0.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.2.0.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library: /fixtures/expiration/node_modules/url-parse/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - react-dev-utils-4.2.1.tgz
    - sockjs-client-1.1.4.tgz
      - ❌ url-parse-1.2.0.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (react-scripts): 1.1.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-44906
Vulnerable Libraries - minimist-0.0.8.tgz, minimist-0.0.10.tgz, minimist-1.2.0.tgz
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - babel-loader-7.1.2.tgz
    - mkdirp-0.5.1.tgz
      - ❌ minimist-0.0.8.tgz (Vulnerable Library)
minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - jest-20.0.4.tgz
    - jest-cli-20.0.4.tgz
      - istanbul-api-1.2.1.tgz
        - istanbul-reports-1.1.3.tgz
          - handlebars-4.5.3.tgz
            - optimist-0.6.1.tgz
              - ❌ minimist-0.0.10.tgz (Vulnerable Library)
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /fixtures/packaging/browserify/dev/package.json
Path to vulnerable library:
- /fixtures/packaging/browserify/dev/node_modules/minimist/package.json
- /fixtures/packaging/webpack-alias/dev/package.json
- /fixtures/packaging/webpack/dev/package.json
- /fixtures/packaging/browserify/prod/node_modules/minimist/package.json
- /fixtures/attribute-behavior/package.json
- /fixtures/expiration/node_modules/minimist/package.json
- /fixtures/packaging/webpack-alias/prod/package.json
- /fixtures/packaging/webpack/prod/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - postcss-loader-2.0.8.tgz
    - postcss-load-config-1.2.0.tgz
      - cosmiconfig-2.2.2.tgz
        - ❌ minimist-1.2.0.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.2%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (react-scripts): 1.1.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-42740
Vulnerable Library - shell-quote-1.6.1.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz
Path to dependency file: /fixtures/expiration/package.json
Path to vulnerable library:
- /fixtures/expiration/node_modules/shell-quote/package.json
- /node_modules/fx-runner/node_modules/shell-quote/package.json
- /fixtures/concurrent/time-slicing/node_modules/shell-quote/package.json
- /fixtures/attribute-behavior/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - react-dev-utils-4.2.1.tgz
    - ❌ shell-quote-1.6.1.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is `[A-z]` instead of the correct `[A-Za-z]`. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (react-scripts): 5.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-3918
Vulnerable Library - json-schema-0.2.3.tgz
JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /fixtures/packaging/webpack-alias/prod/package.json
Path to vulnerable library:
- /fixtures/packaging/webpack-alias/prod/package.json
- /scripts/bench/node_modules/json-schema/package.json
- /fixtures/packaging/webpack-alias/dev/package.json
- /fixtures/packaging/webpack/dev/package.json
- /fixtures/expiration/node_modules/json-schema/package.json
- /fixtures/packaging/webpack/prod/package.json
- /fixtures/concurrent/time-slicing/node_modules/json-schema/package.json
- /node_modules/json-schema/package.json
- /fixtures/attribute-behavior/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - jest-20.0.4.tgz
    - jest-cli-20.0.4.tgz
      - jest-environment-jsdom-20.0.3.tgz
        - jsdom-9.12.0.tgz
          - request-2.83.0.tgz
            - http-signature-1.2.0.tgz
              - jsprim-1.4.1.tgz
                - ❌ json-schema-0.2.3.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').
Publish Date: 2021-11-13
URL: CVE-2021-3918
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution (json-schema): 0.4.0
Direct dependency fix Resolution (react-scripts): 1.1.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-23383
Vulnerable Library - handlebars-4.5.3.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library:
- /fixtures/attribute-behavior/package.json
- /fixtures/expiration/node_modules/handlebars/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - jest-20.0.4.tgz
    - jest-cli-20.0.4.tgz
      - istanbul-api-1.2.1.tgz
        - istanbul-reports-1.1.3.tgz
          - ❌ handlebars-4.5.3.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-05-04
URL: CVE-2021-23383
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 3.3%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383
Release Date: 2021-05-04
Fix Resolution (handlebars): 4.7.7
Direct dependency fix Resolution (react-scripts): 1.1.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-23369
Vulnerable Library - handlebars-4.5.3.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz
Path to dependency file: /fixtures/attribute-behavior/package.json
Path to vulnerable library:
- /fixtures/attribute-behavior/package.json
- /fixtures/expiration/node_modules/handlebars/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - jest-20.0.4.tgz
    - jest-cli-20.0.4.tgz
      - istanbul-api-1.2.1.tgz
        - istanbul-reports-1.1.3.tgz
          - ❌ handlebars-4.5.3.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-04-12
URL: CVE-2021-23369
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 14.900001%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-04-12
Fix Resolution (handlebars): 4.7.7
Direct dependency fix Resolution (react-scripts): 1.1.0
In order to enable automatic remediation, please create workflow rules
CVE-2020-7788
Vulnerable Library - ini-1.3.4.tgz
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.4.tgz
Path to dependency file: /fixtures/packaging/webpack-alias/dev/package.json
Path to vulnerable library:
- /fixtures/packaging/webpack-alias/dev/package.json
- /fixtures/packaging/webpack-alias/prod/package.json
- /fixtures/packaging/webpack/dev/package.json
- /scripts/bench/node_modules/ini/package.json
- /fixtures/expiration/node_modules/ini/package.json
- /fixtures/attribute-behavior/package.json
- /fixtures/packaging/webpack/prod/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - sw-precache-webpack-plugin-0.11.4.tgz
    - sw-precache-5.2.0.tgz
      - update-notifier-1.0.3.tgz
        - latest-version-2.0.0.tgz
          - package-json-2.4.0.tgz
            - registry-auth-token-3.3.1.tgz
              - rc-1.2.2.tgz
                - ❌ ini-1.3.4.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.2%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution (ini): 1.3.6
Direct dependency fix Resolution (react-scripts): 1.1.0
In order to enable automatic remediation, please create workflow rules
CVE-2020-28499
Vulnerable Library - merge-1.2.0.tgz
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - jest-20.0.4.tgz
    - jest-cli-20.0.4.tgz
      - jest-haste-map-20.0.5.tgz
        - sane-1.6.0.tgz
          - exec-sh-0.2.1.tgz
            - ❌ merge-1.2.0.tgz (Vulnerable Library)
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
All versions of package merge are vulnerable to Prototype Pollution via `_recursiveMerge`.
Mend Note: Converted from WS-2020-0218, on 2021-07-21.
Publish Date: 2021-02-18
URL: CVE-2020-28499
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-02-18
Fix Resolution (merge): 2.1.0
Direct dependency fix Resolution (react-scripts): 3.0.0
In order to enable automatic remediation for this issue, please create workflow rules