marko-cli-6.0.0-beta.4.tgz: 35 vulnerabilities (highest severity is: 10.0) #22

Open
mend-for-garden.eu.org bot opened this issue Dec 7, 2024 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

mend-for-garden.eu.org bot commented Dec 7, 2024

Vulnerable Library - marko-cli-6.0.0-beta.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (marko-cli version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-2421 | Critical | 10.0 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2021-44906 | Critical | 9.8 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2021-42740 | Critical | 9.8 | shell-quote-1.7.2.tgz | Transitive | N/A* | |
| CVE-2021-31597 | Critical | 9.4 | xmlhttprequest-ssl-1.5.5.tgz | Transitive | N/A* | |
| WS-2020-0443 | High | 8.1 | socket.io-2.3.0.tgz | Transitive | N/A* | |
| CVE-2020-28502 | High | 8.1 | xmlhttprequest-ssl-1.5.5.tgz | Transitive | N/A* | |
| CVE-2021-43138 | High | 7.8 | async-2.6.3.tgz | Transitive | N/A* | |
| WS-2020-0091 | High | 7.5 | http-proxy-1.18.0.tgz | Transitive | N/A* | |
| CVE-2024-4068 | High | 7.5 | braces-1.8.5.tgz | Transitive | N/A* | |
| CVE-2024-37890 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2022-3517 | High | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | |
| CVE-2022-24999 | High | 7.5 | qs-2.3.3.tgz | Transitive | N/A* | |
| CVE-2020-36049 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2020-36048 | High | 7.5 | engine.io-3.4.1.tgz | Transitive | N/A* | |
| CVE-2019-10775 | High | 7.5 | ecstatic-2.2.2.tgz | Transitive | N/A* | |
| CVE-2017-1000048 | High | 7.5 | qs-2.3.3.tgz | Transitive | N/A* | |
| CVE-2024-38355 | High | 7.3 | socket.io-2.3.0.tgz | Transitive | N/A* | |
| CVE-2023-32695 | High | 7.3 | socket.io-parser-3.4.0.tgz | Transitive | N/A* | |
| CVE-2023-26159 | High | 7.3 | follow-redirects-1.11.0.tgz | Transitive | N/A* | |
| CVE-2021-23518 | High | 7.3 | cached-path-relative-1.0.2.tgz | Transitive | N/A* | |
| CVE-2022-41940 | High | 7.1 | engine.io-3.4.1.tgz | Transitive | N/A* | |
| CVE-2024-28849 | Medium | 6.5 | follow-redirects-1.11.0.tgz | Transitive | N/A* | |
| CVE-2022-0155 | Medium | 6.5 | follow-redirects-1.11.0.tgz | Transitive | N/A* | |
| CVE-2020-8244 | Medium | 6.5 | bl-1.2.2.tgz | Transitive | N/A* | |
| CVE-2024-29041 | Medium | 6.1 | express-4.17.1.tgz | Transitive | N/A* | |
| CVE-2023-28155 | Medium | 6.1 | request-2.88.2.tgz | Transitive | N/A* | |
| CVE-2020-7598 | Medium | 5.6 | minimist-0.0.10.tgz | Transitive | N/A* | |
| CVE-2024-47764 | Medium | 5.3 | cookie-0.3.1.tgz | Transitive | N/A* | |
| CVE-2024-4067 | Medium | 5.3 | micromatch-2.3.11.tgz | Transitive | N/A* | |
| CVE-2022-25858 | Medium | 5.3 | terser-3.17.0.tgz | Transitive | N/A* | |
| CVE-2021-32640 | Medium | 5.3 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2020-28481 | Medium | 5.3 | socket.io-2.3.0.tgz | Transitive | N/A* | |
| CVE-2024-43799 | Medium | 5.0 | send-0.16.2.tgz | Transitive | N/A* | |
| CVE-2017-16137 | Low | 3.7 | debug-4.1.1.tgz | Transitive | N/A* | |
| CVE-2022-0536 | Low | 2.6 | follow-redirects-1.11.0.tgz | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

Partial details (24 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-2421

Vulnerable Libraries - socket.io-parser-3.4.0.tgz, socket.io-parser-3.3.0.tgz

socket.io-parser-3.4.0.tgz

socket.io protocol parser

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • browser-refresh-1.7.3.tgz
        • socket.io-2.3.0.tgz
          • socket.io-parser-3.4.0.tgz (Vulnerable Library)

socket.io-parser-3.3.0.tgz

socket.io protocol parser

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • browser-refresh-1.7.3.tgz
        • socket.io-2.3.0.tgz
          • socket.io-client-2.3.0.tgz
            • socket.io-parser-3.3.0.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

Due to improper type validation in attachment parsing in the Socket.io js library, it is possible to overwrite the _placeholder object, which allows an attacker to place references to functions at arbitrary places in the resulting query object.

Publish Date: 2022-10-25

URL: CVE-2022-2421

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-qm95-pgcg-qqfq

Release Date: 2022-10-25

Fix Resolution: socket.io-parser - 3.3.3,3.4.2,4.0.5,4.2.1;org.webjars.npm:socket.io-parser:4.0.5,4.2.1

CVE-2021-44906

Vulnerable Libraries - minimist-1.2.5.tgz, minimist-0.0.10.tgz

minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • http-server-0.10.0.tgz
        • ecstatic-2.2.2.tgz
          • minimist-1.2.5.tgz (Vulnerable Library)

minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • http-server-0.10.0.tgz
        • optimist-0.6.1.tgz
          • minimist-0.0.10.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution: minimist - 0.2.4,1.2.6

CVE-2021-42740

Vulnerable Library - shell-quote-1.7.2.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • browser-refresh-1.7.3.tgz
        • browserify-16.5.1.tgz
          • shell-quote-1.7.2.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is [A-z] instead of the correct [A-Za-z]. Several shell metacharacters exist in the ASCII space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution: shell-quote - 1.7.3
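The following is an added example, not shell-quote's own source: it enumerates what the [A-z] class accepts beyond letters and then runs a metacharacter-escaping step in the shape the advisory describes (an optional "drive letter" prefix group that is emitted unescaped, followed by a metacharacter that is backslash-escaped) with the buggy class beside the corrected one. The META class and the two regexes are illustrative reconstructions, not the library's exact pattern.

```javascript
'use strict';

// Which characters does [A-z] accept beyond letters? The range runs from 'A'
// (0x41) to 'z' (0x7A), so it also covers the six ASCII codes between 'Z' and 'a'.
function asciiGapBetweenZAnda() {
  const out = [];
  for (let c = 'Z'.charCodeAt(0) + 1; c < 'a'.charCodeAt(0); c++) {
    out.push(String.fromCharCode(c));
  }
  return out; // [ '[', '\\', ']', '^', '_', '`' ]
}

// Shell metacharacters that must be backslash-escaped when an argument is
// emitted unquoted (illustrative class, assumed for this example). The
// "drive letter" prefix group is kept unescaped so that a Windows path such
// as C:\tmp does not turn into C\:\tmp.
const META = '[#!"$&\'()*,:;<=>?@\\[\\\\\\]^`{|}]';
const BUGGY_META = new RegExp('([A-z]:)?(' + META + ')', 'g');    // the class the advisory describes
const FIXED_META = new RegExp('([A-Za-z]:)?(' + META + ')', 'g'); // letters only

// Escape every metacharacter, keeping a leading drive-letter prefix verbatim.
// With BUGGY_META the prefix group also swallows "`:" so the backtick survives
// unescaped; a POSIX shell treats an unescaped backtick as the start of a
// command substitution.
function escapeMeta(arg, re) {
  return String(arg).replace(re, '$1\\$2');
}

// Constructed demo input: a backtick followed by a colon, which the buggy
// class mistakes for a drive letter.
const DEMO_ARG = '`:$x';

function compare() {
  return {
    buggy: escapeMeta(DEMO_ARG, BUGGY_META), // "`:\$x"   backtick unescaped
    fixed: escapeMeta(DEMO_ARG, FIXED_META), // "\`\:\$x" every metacharacter escaped
    drive: escapeMeta('C:\\tmp', FIXED_META), // "C:\\tmp" colon still preserved
  };
}
```

Run it with node and inspect compare(): only the buggy variant hands the shell an unescaped backtick, while the fixed class still preserves the colon in a genuine drive-letter path.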

CVE-2021-31597

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • browser-refresh-1.7.3.tgz
        • socket.io-2.3.0.tgz
          • socket.io-client-2.3.0.tgz
            • engine.io-client-3.4.1.tgz
              • xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Publish Date: 2021-04-22

URL: CVE-2021-31597

CVSS 3 Score Details (9.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597

Release Date: 2021-04-22

Fix Resolution: xmlhttprequest-ssl - 1.6.1
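Added example, not xmlhttprequest-ssl's code: the advisory says the library built its https options with a rejectUnauthorized property that was present but undefined, and that Node treated that as "do not verify". The helper below shows that unsafe construction beside a fail-closed one and a pre-flight check a caller can run before https.request. The option names host, port and rejectUnauthorized are real Node https/tls options; allowInsecureTls is a hypothetical opt-in flag invented for this example.

```javascript
'use strict';

// Mirrors the shape the advisory describes: a caller-supplied value is copied
// through unchanged, so an absent setting becomes `rejectUnauthorized: undefined`
// (the property exists on the object but holds no boolean).
function unsafeTlsOptions(userOpts) {
  return { host: userOpts.host, port: 443, rejectUnauthorized: userOpts.rejectUnauthorized };
}

// Fail-closed: verification stays on unless the caller passes an explicit
// boolean false AND the hypothetical allowInsecureTls opt-in, so neither an
// omitted value nor a string "false" can silently disable it.
function safeTlsOptions(userOpts) {
  const explicitOff = userOpts.rejectUnauthorized === false && userOpts.allowInsecureTls === true;
  return { host: userOpts.host, port: 443, rejectUnauthorized: !explicitOff };
}

// Pre-flight check for any options object about to reach https.request:
// the property must be present and strictly true.
function tlsVerificationEnabled(opts) {
  return Object.prototype.hasOwnProperty.call(opts, 'rejectUnauthorized')
    && opts.rejectUnauthorized === true;
}
```

Wiring tlsVerificationEnabled into a wrapper around https.request, and failing the request when it returns false, turns the silent downgrade the advisory describes into a hard error.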

WS-2020-0443

Vulnerable Library - socket.io-2.3.0.tgz

node.js realtime framework server

Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • browser-refresh-1.7.3.tgz
        • socket.io-2.3.0.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

socket.io versions 1.0.0 to 2.3.0 are vulnerable to Cross-Site WebSocket Hijacking: an attacker can bypass the origin protection using special symbols including "`" and "$".

Publish Date: 2020-02-20

URL: WS-2020-0443

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/931197

Release Date: 2020-02-20

Fix Resolution: socket.io - 2.4.0
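Added example, not socket.io's own origin check: the advisory says the 2.x check could be bypassed with symbols such as "`" and "$", which is the failure mode of any check that treats configured origins as a pattern or a substring. The check below never does that: it parses the Origin header as a URL and compares its serialized origin exactly against an allowlist of serialized origins, rejecting anything unparsable, opaque, or missing. The allowlist values are constructed for the demo.

```javascript
'use strict';

// Canonical "scheme://host[:port]" for a URL string, or null when the value
// cannot be parsed or has an opaque origin (file:, data:, the literal "null").
function normalizeOrigin(value) {
  let u;
  try { u = new URL(value); } catch { return null; }
  if (u.origin === 'null') return null;
  return u.origin; // lowercased host, default port dropped by the WHATWG parser
}

// Build the allowlist once at startup; a bad entry is a configuration error.
function buildAllowlist(configured) {
  const set = new Set();
  for (const o of configured) {
    const n = normalizeOrigin(o);
    if (n === null) throw new Error('bad allowlist entry: ' + o);
    set.add(n);
  }
  return set;
}

// True only for an Origin header whose serialized origin is allowlisted.
// A missing header is rejected: browsers always send Origin on a WebSocket
// upgrade, and a cross-site page cannot forge it.
function isAllowedOrigin(originHeader, allowlist) {
  if (typeof originHeader !== 'string') return false;
  const n = normalizeOrigin(originHeader);
  return n !== null && allowlist.has(n);
}

// Constructed allowlist for the demo.
const ALLOWED = buildAllowlist(['https://app.example.com', 'https://admin.example.com:8443']);
```

Because comparison happens on the parser's canonical origin rather than on the raw header, lookalike hosts (app.example.com.evil.test), scheme downgrades (http://), query-string decoys and malformed values all fall into the reject path without any character-level denylist.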

CVE-2020-28502

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • browser-refresh-1.7.3.tgz
        • socket.io-2.3.0.tgz
          • socket.io-client-2.3.0.tgz
            • engine.io-client-3.4.1.tgz
              • xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05

URL: CVE-2020-28502

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4j5-c7cj-74xg

Release Date: 2021-03-05

Fix Resolution: xmlhttprequest - 1.7.0,xmlhttprequest-ssl - 1.6.2

CVE-2021-43138

Vulnerable Library - async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • marko-starter-lasso-2.0.3.tgz
        • lasso-less-3.0.2.tgz
          • async-2.6.3.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution: async - 2.6.4,3.2.2

WS-2020-0091

Vulnerable Library - http-proxy-1.18.0.tgz

HTTP proxying for the masses

Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • http-server-0.10.0.tgz
        • http-proxy-1.18.0.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

Publish Date: 2020-05-14

URL: WS-2020-0091

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1486

Release Date: 2020-05-14

Fix Resolution: http-proxy - 1.18.1

CVE-2024-4068

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • browser-refresh-1.7.3.tgz
        • ignoring-watcher-1.1.0.tgz
          • chokidar-1.7.0.tgz
            • anymatch-1.3.2.tgz
              • micromatch-2.3.11.tgz
                • braces-1.8.5.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting further research, it was concluded that CVE-2024-4068 does not carry a security risk as high as its NVD score reflects, but it is kept for users' awareness. Users of braces should follow the fix recommendation as noted.

Publish Date: 2024-05-13

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution: braces - 3.0.3

CVE-2024-37890

Vulnerable Libraries - ws-7.2.5.tgz, ws-6.1.4.tgz

ws-7.2.5.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • browser-refresh-1.7.3.tgz
        • socket.io-2.3.0.tgz
          • engine.io-3.4.1.tgz
            • ws-7.2.5.tgz (Vulnerable Library)

ws-6.1.4.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-6.1.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • browser-refresh-1.7.3.tgz
        • socket.io-2.3.0.tgz
          • socket.io-client-2.3.0.tgz
            • engine.io-client-3.4.1.tgz
              • ws-6.1.4.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

Publish Date: 2024-06-17

URL: CVE-2024-37890

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3h5v-q93c-6h6q

Release Date: 2024-06-17

Fix Resolution: ws - 5.2.4,6.2.3,7.5.10,8.17.1

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-4.21.5.tgz
      • minimatch-3.0.4.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

CVE-2022-24999

Vulnerable Library - qs-2.3.3.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-2.3.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • http-server-0.10.0.tgz
        • union-0.4.6.tgz
          • qs-2.3.3.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution: qs - 6.2.4,6.3.3,6.4.1,6.5.3,6.6.1,6.7.3,6.8.3,6.9.7,6.10.3
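Added example, not the code of qs, minimist, async or socket.io-parser: a minimal bracket-notation query-string parser in the vulnerable shape that the prototype-pollution entries on this page (CVE-2022-24999 here, and CVE-2021-44906, CVE-2021-43138 and CVE-2022-2421 above) all share, beside a hardened version. The payload is constructed for the demo and only performs the `__proto__` hop; the real CVE-2022-24999 payload also sets a[length] to force a huge allocation and hang the process, which this example deliberately does not reproduce.

```javascript
'use strict';

// Split "a[b][c]" into ["a", "b", "c"]; a key without brackets is one segment.
function keyPath(rawKey) {
  const m = /^([^[\]]+)((?:\[[^[\]]*\])*)$/.exec(rawKey);
  if (!m) return [rawKey];
  const segs = [m[1]];
  const re = /\[([^[\]]*)\]/g;
  let s;
  while ((s = re.exec(m[2])) !== null) segs.push(s[1]);
  return segs;
}

// Vulnerable shape: walks or creates plain objects and assigns whatever key it
// is given. For "a[__proto__][polluted]=yes" the walk reads a.__proto__, which
// is Object.prototype, and then writes "polluted" onto it.
function parseQueryVulnerable(qs) {
  const out = {};
  for (const pair of qs.split('&')) {
    const [k, v = ''] = pair.split('=').map(decodeURIComponent);
    const path = keyPath(k);
    let cur = out;
    for (const seg of path.slice(0, -1)) {
      if (typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = {};
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = v;
  }
  return out;
}

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: null-prototype containers (no inherited __proto__ accessor to hit),
// an explicit deny-list on every segment, and only own properties are traversed.
function parseQuerySafe(qs) {
  const out = Object.create(null);
  for (const pair of qs.split('&')) {
    const [k, v = ''] = pair.split('=').map(decodeURIComponent);
    const path = keyPath(k);
    if (path.some((seg) => FORBIDDEN.has(seg))) throw new Error('rejected key: ' + k);
    let cur = out;
    for (const seg of path.slice(0, -1)) {
      if (!Object.prototype.hasOwnProperty.call(cur, seg) || typeof cur[seg] !== 'object') {
        cur[seg] = Object.create(null);
      }
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = v;
  }
  return out;
}

// Constructed demo payload: the __proto__ hop the advisory describes.
const PAYLOAD = 'a[__proto__][polluted]=yes';

// Runs the vulnerable parser, records whether an unrelated object picked up the
// property, then removes the pollution so the process is left clean.
function demonstratePollution() {
  const before = ({}).polluted;
  parseQueryVulnerable(PAYLOAD);
  const after = ({}).polluted;
  delete Object.prototype.polluted;
  return { before, after }; // { before: undefined, after: 'yes' }
}
```

The three defences in parseQuerySafe are independent: the deny-list alone would miss a future gadget name, the null prototype alone still lets a later consumer copy the result into a normal object, and the own-property check prevents walking into anything inherited. Using all three is the usual recommendation, and the same reasoning applies to argument parsers and object-walking helpers such as the ones named in the other entries.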

CVE-2020-36049

Vulnerable Libraries - socket.io-parser-3.4.0.tgz, socket.io-parser-3.3.0.tgz

socket.io-parser-3.4.0.tgz

socket.io protocol parser

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • browser-refresh-1.7.3.tgz
        • socket.io-2.3.0.tgz
          • socket.io-parser-3.4.0.tgz (Vulnerable Library)

socket.io-parser-3.3.0.tgz

socket.io protocol parser

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • browser-refresh-1.7.3.tgz
        • socket.io-2.3.0.tgz
          • socket.io-client-2.3.0.tgz
            • socket.io-parser-3.3.0.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.

Publish Date: 2021-01-07

URL: CVE-2020-36049

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xfhh-g9f5-x4m4

Release Date: 2021-01-07

Fix Resolution: socket.io-parser - 3.3.2,3.4.1

CVE-2020-36048

Vulnerable Library - engine.io-3.4.1.tgz

The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server

Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • browser-refresh-1.7.3.tgz
        • socket.io-2.3.0.tgz
          • engine.io-3.4.1.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Publish Date: 2021-01-07

URL: CVE-2020-36048

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048

Release Date: 2021-01-07

Fix Resolution: engine.io - 4.0.0

CVE-2019-10775

Vulnerable Library - ecstatic-2.2.2.tgz

A simple static file server middleware that works with both Express and Flatiron

Library home page: https://registry.npmjs.org/ecstatic/-/ecstatic-2.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • http-server-0.10.0.tgz
        • ecstatic-2.2.2.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

ecstatic has a denial of service vulnerability. Successful exploitation could lead to a crash of an application.

Publish Date: 2020-01-02

URL: CVE-2019-10775

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-02

Fix Resolution: ecstatic - 4.1.3

CVE-2017-1000048

Vulnerable Library - qs-2.3.3.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-2.3.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • http-server-0.10.0.tgz
        • union-0.4.6.tgz
          • qs-2.3.3.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

A web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, or v6.0.4 is vulnerable to a DoS. A malicious user can send a crafted request that causes the web framework to crash.

Publish Date: 2017-07-13

URL: CVE-2017-1000048

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048

Release Date: 2017-07-13

Fix Resolution: qs - 6.0.4,6.1.2,6.2.3,6.3.2

CVE-2024-38355

Vulnerable Library - socket.io-2.3.0.tgz

node.js realtime framework server

Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • browser-refresh-1.7.3.tgz
        • socket.io-2.3.0.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit 15af22fc22 which has been included in socket.io@4.6.2 (released in May 2023). The fix was backported in the 2.x branch as well with commit d30630ba10. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.

Publish Date: 2024-06-19

URL: CVE-2024-38355

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-25hc-qcg6-38wj

Release Date: 2024-06-19

Fix Resolution: socket.io - 2.5.1,4.6.2

CVE-2023-32695

Vulnerable Library - socket.io-parser-3.4.0.tgz

socket.io protocol parser

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • browser-refresh-1.7.3.tgz
        • socket.io-2.3.0.tgz
          • socket.io-parser-3.4.0.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.

Publish Date: 2023-05-27

URL: CVE-2023-32695

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-cqmj-92xf-r6r9

Release Date: 2023-05-27

Fix Resolution: socket.io-parser - 3.4.3,4.2.3

CVE-2023-26159

Vulnerable Library - follow-redirects-1.11.0.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.11.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • http-server-0.10.0.tgz
        • http-proxy-1.18.0.tgz
          • follow-redirects-1.11.0.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

Publish Date: 2024-01-02

URL: CVE-2023-26159

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26159

Release Date: 2024-01-02

Fix Resolution: follow-redirects - 1.15.4

CVE-2021-23518

Vulnerable Library - cached-path-relative-1.0.2.tgz

Memoize the results of the path.relative function

Library home page: https://registry.npmjs.org/cached-path-relative/-/cached-path-relative-1.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • browser-refresh-1.7.3.tgz
        • browserify-16.5.1.tgz
          • cached-path-relative-1.0.2.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

The package cached-path-relative before 1.1.0 is vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as proto, the attribute of the object is accessed instead of a path. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573

Publish Date: 2022-01-21

URL: CVE-2021-23518

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23518

Release Date: 2022-01-21

Fix Resolution: cached-path-relative - 1.1.0

CVE-2022-41940

Vulnerable Library - engine.io-3.4.1.tgz

The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server

Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • browser-refresh-1.7.3.tgz
        • socket.io-2.3.0.tgz
          • engine.io-3.4.1.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

Engine.IO is the implementation of the transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all users of the engine.io package, including those who use dependent packages like socket.io. There is no known workaround except upgrading to a safe version. Patches for this issue were released in versions 3.6.1 and 6.2.1.

Publish Date: 2022-11-22

URL: CVE-2022-41940

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-r7qp-cfhv-p84w

Release Date: 2022-11-22

Fix Resolution: engine.io - 3.6.1, 6.2.1

CVE-2024-28849

Vulnerable Library - follow-redirects-1.11.0.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.11.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • http-server-0.10.0.tgz
        • http-proxy-1.18.0.tgz
          • follow-redirects-1.11.0.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears the authorization header during a cross-domain redirect, but keeps the proxy-authentication header, which also contains credentials. This vulnerability may lead to a credential leak; it has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-03-14

URL: CVE-2024-28849

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-cxjh-pqwp-8mfp

Release Date: 2024-03-14

Fix Resolution: follow-redirects - 1.15.6

CVE-2022-0155

Vulnerable Library - follow-redirects-1.11.0.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.11.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • http-server-0.10.0.tgz
        • http-proxy-1.18.0.tgz
          • follow-redirects-1.11.0.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor.

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution: follow-redirects - v1.14.7

CVE-2020-8244

Vulnerable Library - bl-1.2.2.tgz

Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!

Library home page: https://registry.npmjs.org/bl/-/bl-1.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • marko-cli-6.0.0-beta.4.tgz (Root Library)
    • marko-starter-2.1.0.tgz
      • lasso-3.3.1.tgz
        • raptor-cache-2.0.4.tgz
          • dissolve-0.3.3.tgz
            • bl-1.2.2.tgz (Vulnerable Library)

Found in base branch: next

Vulnerability Details

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3. If attacker-supplied user input (even typed input) ends up as the argument of consume() and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Publish Date: 2020-08-30

URL: CVE-2020-8244

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-pp7h-53gx-mx7r

Release Date: 2020-08-30

Fix Resolution: bl - 1.2.3, 2.2.1, 3.0.1, 4.0.3

@mend-for-garden.eu.org mend-for-garden.eu.org bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Dec 7, 2024
@mend-for-garden.eu.org mend-for-garden.eu.org bot changed the title marko-cli-6.0.0-beta.4.tgz: 31 vulnerabilities (highest severity is: 10.0) marko-cli-6.0.0-beta.4.tgz: 35 vulnerabilities (highest severity is: 10.0) Jan 31, 2025