Skip to content

web3-1.10.4.tgz: 22 vulnerabilities (highest severity is: 10.0) #41

Open
Open
web3-1.10.4.tgz: 22 vulnerabilities (highest severity is: 10.0)#41
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on May 19, 2025
Vulnerable Library - web3-1.10.4.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (web3 version) Remediation Possible**
CVE-2025-6545 Critical 10.0 pbkdf2-3.1.2.tgz Transitive 4.0.1
CVE-2026-23950 High 8.8 tar-4.4.19.tgz Transitive 4.0.1
CVE-2025-9288 High 8.7 sha.js-2.4.11.tgz Transitive 4.0.1
CVE-2025-7783 High 8.7 form-data-2.3.3.tgz Transitive 4.0.1
CVE-2026-24842 High 8.2 tar-4.4.19.tgz Transitive 4.0.1
CVE-2025-57330 High 7.5 web3-core-subscriptions-1.10.4.tgz Transitive N/A*
CVE-2024-37890 High 7.5 ws-3.3.3.tgz Transitive 4.0.1
CVE-2024-21505 High 7.5 web3-utils-1.10.4.tgz Transitive N/A*
CVE-2026-31802 High 7.1 tar-4.4.19.tgz Transitive N/A*
CVE-2026-29786 High 7.1 tar-4.4.19.tgz Transitive N/A*
CVE-2026-26960 High 7.1 tar-4.4.19.tgz Transitive 4.0.1
CVE-2026-23745 High 7.1 tar-4.4.19.tgz Transitive N/A*
CVE-2025-6547 Medium 6.8 pbkdf2-3.1.2.tgz Transitive 4.0.1
CVE-2024-28863 Medium 6.5 tar-4.4.19.tgz Transitive N/A*
CVE-2023-26136 Medium 6.5 tough-cookie-2.5.0.tgz Transitive 4.0.1
CVE-2023-28155 Medium 6.1 request-2.88.2.tgz Transitive N/A*
CVE-2025-14505 Medium 5.6 elliptic-6.6.1.tgz Transitive N/A*
CVE-2026-2739 Medium 5.3 detected in multiple dependencies Transitive N/A*
CVE-2025-57352 Medium 5.3 min-document-2.19.0.tgz Transitive N/A*
CVE-2026-2391 Low 3.7 qs-6.5.3.tgz Transitive 4.0.1
CVE-2025-15284 Low 3.7 qs-6.5.3.tgz Transitive 4.0.1
CVE-2025-69873 Low 2.9 ajv-6.12.6.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (20 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2025-6545

Vulnerable Library - pbkdf2-3.1.2.tgz

This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()

Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.2.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/pbkdf2/package.json,/on_chain_payment_solution/dapp/node_modules/pbkdf2/package.json,/token-incentive-system/node_modules/pbkdf2/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-eth-1.10.4.tgz
      • web3-eth-accounts-1.10.4.tgz
        • common-2.6.5.tgz
          • ethereumjs-util-7.1.5.tgz
            • ethereum-cryptography-0.1.3.tgz
              • pbkdf2-3.1.2.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js.
This issue affects pbkdf2: from 3.0.10 through 3.1.2.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-06-23

URL: CVE-2025-6545

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h7cp-r72f-jxh6

Release Date: 2025-06-23

Fix Resolution (pbkdf2): 3.1.3

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2026-23950

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • tar-4.4.19.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the "path-reservations" system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., "ß" and "ss"), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a "PathReservations" system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using "NFD" Unicode normalization (in which "ß" and "ss" are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which "ß" causes an inode collision with "ss")). This enables an attacker to circumvent internal parallelization locks ("PathReservations") using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates "path-reservations.js" to use a normalization form that matches the target filesystem's behavior (e.g., "NFKD"), followed by first "toLocaleLowerCase('en')" and then "toLocaleUpperCase('en')". As a workaround, users who cannot upgrade promptly, and who are programmatically using "node-tar" to extract arbitrary tarball data should filter out all "SymbolicLink" entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.

Publish Date: 2026-01-20

URL: CVE-2026-23950

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r6q2-hw4h-h46w

Release Date: 2026-01-20

Fix Resolution (tar): 7.5.4

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2025-9288

Vulnerable Library - sha.js-2.4.11.tgz

Streamable SHA hashes in pure javascript

Library home page: https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz

Path to dependency file: /token-incentive-system/package.json

Path to vulnerable library: /token-incentive-system/node_modules/sha.js/package.json,/api-gateway/node_modules/sha.js/package.json,/ar-vr-experience/node_modules/sha.js/package.json,/on_chain_payment_solution/dapp/node_modules/sha.js/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-eth-1.10.4.tgz
      • web3-eth-accounts-1.10.4.tgz
        • common-2.6.5.tgz
          • ethereumjs-util-7.1.5.tgz
            • create-hash-1.2.0.tgz
              • sha.js-2.4.11.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in sha.js allows Input Data Manipulation.This issue affects sha.js: through 2.4.11.

Publish Date: 2025-08-20

URL: CVE-2025-9288

CVSS 3 Score Details (8.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-08-20

Fix Resolution (sha.js): 2.4.12

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2025-7783

Vulnerable Library - form-data-2.3.3.tgz

A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.

Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/request/node_modules/form-data/package.json,/token-incentive-system/node_modules/request/node_modules/form-data/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • eth-lib-0.1.29.tgz
          • servify-0.1.12.tgz
            • request-2.88.2.tgz
              • form-data-2.3.3.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-07-18

URL: CVE-2025-7783

CVSS 3 Score Details (8.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fjxv-7rqg-78g4

Release Date: 2025-07-18

Fix Resolution (form-data): 2.5.4

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2026-24842

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • tar-4.4.19.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

Publish Date: 2026-01-28

URL: CVE-2026-24842

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-01-28

Fix Resolution (tar): 7.5.7

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2025-57330

Vulnerable Library - web3-core-subscriptions-1.10.4.tgz

Library home page: https://registry.npmjs.org/web3-core-subscriptions/-/web3-core-subscriptions-1.10.4.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/web3-core-subscriptions/package.json,/token-incentive-system/node_modules/web3-core-subscriptions/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-shh-1.10.4.tgz
      • web3-core-subscriptions-1.10.4.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

The web3-core-subscriptions is a package designed to manages web3 subscriptions. A Prototype Pollution vulnerability in the attachToObject function of web3-core-subscriptions version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.

Publish Date: 2025-09-24

URL: CVE-2025-57330

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2024-37890

Vulnerable Library - ws-3.3.3.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-3.3.3.tgz

Path to dependency file: /token-incentive-system/package.json

Path to vulnerable library: /token-incentive-system/node_modules/eth-lib/node_modules/ws/package.json,/ar-vr-experience/node_modules/eth-lib/node_modules/ws/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • eth-lib-0.1.29.tgz
          • ws-3.3.3.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

Publish Date: 2024-06-17

URL: CVE-2024-37890

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3h5v-q93c-6h6q

Release Date: 2024-06-17

Fix Resolution (ws): 5.2.4

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2024-21505

Vulnerable Library - web3-utils-1.10.4.tgz

Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.10.4.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/web3-utils/package.json,/token-incentive-system/node_modules/web3-utils/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-utils-1.10.4.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge.
An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.

Publish Date: 2024-03-25

URL: CVE-2024-21505

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2g4c-8fpm-c46v

Release Date: 2024-03-25

Fix Resolution: web3-utils - 4.2.1

Step up your Open Source Security Game with Mend here

CVE-2026-31802

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • tar-4.4.19.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.

Publish Date: 2026-03-09

URL: CVE-2026-31802

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-09

Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.11

Step up your Open Source Security Game with Mend here

CVE-2026-29786

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • tar-4.4.19.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.

Publish Date: 2026-03-07

URL: CVE-2026-29786

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-07

Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.10

Step up your Open Source Security Game with Mend here

CVE-2026-26960

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • tar-4.4.19.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.

Publish Date: 2026-02-20

URL: CVE-2026-26960

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-02-18

Fix Resolution (tar): 7.5.8

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2026-23745

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • tar-4.4.19.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

Publish Date: 2026-01-16

URL: CVE-2026-23745

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-01-16

Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.3

Step up your Open Source Security Game with Mend here

CVE-2025-6547

Vulnerable Library - pbkdf2-3.1.2.tgz

This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()

Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.2.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/pbkdf2/package.json,/on_chain_payment_solution/dapp/node_modules/pbkdf2/package.json,/token-incentive-system/node_modules/pbkdf2/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-eth-1.10.4.tgz
      • web3-eth-accounts-1.10.4.tgz
        • common-2.6.5.tgz
          • ethereumjs-util-7.1.5.tgz
            • ethereum-cryptography-0.1.3.tgz
              • pbkdf2-3.1.2.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: <=3.1.2.

Publish Date: 2025-06-23

URL: CVE-2025-6547

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-v62p-rq8g-8h59

Release Date: 2025-06-23

Fix Resolution (pbkdf2): 3.1.3

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2024-28863

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/tar/package.json,/token-incentive-system/node_modules/tar/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • tar-4.4.19.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

Publish Date: 2024-03-21

URL: CVE-2024-28863

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-f5x3-32g6-xq36

Release Date: 2024-03-21

Fix Resolution: tar - 6.2.1

Step up your Open Source Security Game with Mend here

CVE-2023-26136

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/request/node_modules/tough-cookie/package.json,/token-incentive-system/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • eth-lib-0.1.29.tgz
          • servify-0.1.12.tgz
            • request-2.88.2.tgz
              • tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2023-28155

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/request/package.json,/token-incentive-system/node_modules/request/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • eth-lib-0.1.29.tgz
          • servify-0.1.12.tgz
            • request-2.88.2.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0

Step up your Open Source Security Game with Mend here

CVE-2025-14505

Vulnerable Library - elliptic-6.6.1.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.6.1.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/elliptic/package.json,/token-incentive-system/node_modules/elliptic/package.json,/on_chain_payment_solution/dapp/node_modules/elliptic/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • eth-lib-0.1.29.tgz
          • elliptic-6.6.1.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens, because the byte-length of 'k' is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result. Furthermore, due to the nature of the fault, attackers could–under certain conditions–derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs.
This issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1).

Publish Date: 2026-01-08

URL: CVE-2025-14505

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2026-2739

Vulnerable Libraries - bn.js-5.2.2.tgz, bn.js-4.11.6.tgz, bn.js-4.12.2.tgz

bn.js-5.2.2.tgz

Big number implementation in pure javascript

Library home page: https://registry.npmjs.org/bn.js/-/bn.js-5.2.2.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/@ethersproject/bignumber/node_modules/bn.js/package.json,/ar-vr-experience/node_modules/web3-eth-iban/node_modules/bn.js/package.json,/token-incentive-system/node_modules/bn.js/package.json,/ar-vr-experience/node_modules/ethereumjs-util/node_modules/bn.js/package.json,/ar-vr-experience/node_modules/web3-utils/node_modules/bn.js/package.json,/on_chain_payment_solution/dapp/node_modules/bn.js/package.json,/ar-vr-experience/node_modules/rlp/node_modules/bn.js/package.json,/ar-vr-experience/node_modules/@ethersproject/signing-key/node_modules/bn.js/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-eth-1.10.4.tgz
      • web3-eth-accounts-1.10.4.tgz
        • common-2.6.5.tgz
          • ethereumjs-util-7.1.5.tgz
            • bn.js-5.2.2.tgz (Vulnerable Library)

bn.js-4.11.6.tgz

Big number implementation in pure javascript

Library home page: https://registry.npmjs.org/bn.js/-/bn.js-4.11.6.tgz

Path to dependency file: /token-incentive-system/package.json

Path to vulnerable library: /token-incentive-system/node_modules/ethjs-unit/node_modules/bn.js/package.json,/ar-vr-experience/node_modules/number-to-bn/node_modules/bn.js/package.json,/token-incentive-system/node_modules/number-to-bn/node_modules/bn.js/package.json,/ar-vr-experience/node_modules/ethjs-unit/node_modules/bn.js/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-utils-1.10.4.tgz
      • ethjs-unit-0.1.6.tgz
        • bn.js-4.11.6.tgz (Vulnerable Library)

bn.js-4.12.2.tgz

Big number implementation in pure javascript

Library home page: https://registry.npmjs.org/bn.js/-/bn.js-4.12.2.tgz

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • eth-lib-0.1.29.tgz
          • bn.js-4.12.2.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.

Publish Date: 2026-02-20

URL: CVE-2026-2739

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-02-20

Fix Resolution: https://github.com/indutny/bn.js.git - v5.2.3

Step up your Open Source Security Game with Mend here

CVE-2025-57352

Vulnerable Library - min-document-2.19.0.tgz

A minimal DOM implementation

Library home page: https://registry.npmjs.org/min-document/-/min-document-2.19.0.tgz

Path to dependency file: /token-incentive-system/package.json

Path to vulnerable library: /token-incentive-system/node_modules/min-document/package.json,/ar-vr-experience/node_modules/min-document/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • xhr-request-1.1.0.tgz
          • xhr-2.6.0.tgz
            • global-4.4.0.tgz
              • min-document-2.19.0.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

A vulnerability exists in the 'min-document' package prior to version 2.19.0, stemming from improper handling of namespace operations in the removeAttributeNS method. By processing malicious input involving the proto property, an attacker can manipulate the prototype chain of JavaScript objects, leading to denial of service or arbitrary code execution. This issue arises from insufficient validation of attribute namespace removal operations, allowing unintended modification of critical object prototypes. The vulnerability remains unaddressed in the latest available version.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-09-24

URL: CVE-2025-57352

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rx8g-88g5-qh64

Release Date: 2025-09-24

Fix Resolution: min-document - 2.19.1

Step up your Open Source Security Game with Mend here

CVE-2026-2391

Vulnerable Library - qs-6.5.3.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.3.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/request/node_modules/qs/package.json,/token-incentive-system/node_modules/request/node_modules/qs/package.json

Dependency Hierarchy:

  • web3-1.10.4.tgz (Root Library)
    • web3-bzz-1.10.4.tgz
      • swarm-js-0.1.42.tgz
        • eth-lib-0.1.29.tgz
          • servify-0.1.12.tgz
            • request-2.88.2.tgz
              • qs-6.5.3.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Summary
The "arrayLimit" option in qs does not enforce limits for comma-separated values when "comma: true" is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284).
Details
When the "comma" option is set to "true" (not the default, but configurable in applications), qs allows parsing comma-separated strings as arrays (e.g., "?param=a,b,c" becomes "['a', 'b', 'c']"). However, the limit check for "arrayLimit" (default: 20) and the optional throwOnLimitExceeded occur after the comma-handling logic in "parseArrayValue", enabling a bypass. This permits creation of arbitrarily large arrays from a single parameter, leading to excessive memory allocation.
Vulnerable code (lib/parse.js: lines ~40-50):
if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
    return val.split(',');
}
if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
    throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
}
return val;
The "split(',')" returns the array immediately, skipping the subsequent limit check. Downstream merging via "utils.combine" does not prevent allocation, even if it marks overflows for sparse arrays.This discrepancy allows attackers to send a single parameter with millions of commas (e.g., "?param=,,,,,,,,..."), allocating massive arrays in memory without triggering limits. It bypasses the intent of "arrayLimit", which is enforced correctly for indexed ("a[0]=") and bracket ("a[]=") notations (the latter fixed in v6.14.1 per GHSA-6rw7-vpxm-498p).
PoC
Test 1 - Basic bypass:
npm install qs
const qs = require('qs');
const payload = 'a=' + ','.repeat(25); // 26 elements after split (bypasses arrayLimit: 5)
const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };
try {
  const result = qs.parse(payload, options);
  console.log(result.a.length); // Outputs: 26 (bypass successful)
} catch (e) {
  console.log('Limit enforced:', e.message); // Not thrown
}
Configuration:

  • "comma: true"
  • "arrayLimit: 5"
  • "throwOnLimitExceeded: true"
    Expected: Throws "Array limit exceeded" error.
    Actual: Parses successfully, creating an array of length 26.
    Impact
    Denial of Service (DoS) via memory exhaustion.
    Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2026-02-12

URL: CVE-2026-2391

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7fw-mjwx-w883

Release Date: 2026-02-12

Fix Resolution (qs): 6.14.2

Direct dependency fix Resolution (web3): 4.0.1

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions