yarn-audit-known-issues
{"actions":[],"advisories":{"1099520":{"findings":[{"version":"1.14.2","paths":["body-parser","express>body-parser"]}],"found_by":null,"deleted":null,"references":"- https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7\n- https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45590\n- https://github.com/advisories/GHSA-qwcr-r2fm-qrc7","created":"2024-09-10T15:52:39.000Z","id":1099520,"npm_advisory_id":null,"overview":"### Impact\n\nbody-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.\n\n### Patches\n\nthis issue is patched in 1.20.3\n\n### References\n","reported_by":null,"title":"body-parser vulnerable to denial of service when url encoding is enabled","metadata":null,"cves":["CVE-2024-45590"],"access":"public","severity":"high","module_name":"body-parser","vulnerable_versions":"<1.20.3","github_advisory_id":"GHSA-qwcr-r2fm-qrc7","recommendation":"Upgrade to version 1.20.3 or later","patched_versions":">=1.20.3","updated":"2024-09-10T19:01:11.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-405"],"url":"https://github.com/advisories/GHSA-qwcr-r2fm-qrc7"},"1101844":{"findings":[{"version":"0.1.10","paths":["path-to-regexp","express>path-to-regexp"]}],"found_by":null,"deleted":null,"references":"- https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w\n- https://blakeembrey.com/posts/2024-09-web-redos\n- https://nvd.nist.gov/vuln/detail/CVE-2024-52798\n- https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4\n- https://security.netapp.com/advisory/ntap-20250124-0002\n- https://github.com/advisories/GHSA-rhx6-c78j-4q9w","created":"2024-12-05T22:40:47.000Z","id":1101844,"npm_advisory_id":null,"overview":"### Impact\n\nThe regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of `path-to-regexp`, originally reported in CVE-2024-45296\n\n### Patches\n\nUpgrade to 0.1.12.\n\n### Workarounds\n\nAvoid using two parameters within a single path segment, when the separator is not `.` (e.g. no `/:a-:b`). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.\n\n### References\n\n- https://github.com/advisories/GHSA-9wv6-86v2-598j\n- https://blakeembrey.com/posts/2024-09-web-redos/","reported_by":null,"title":"Unpatched `path-to-regexp` ReDoS in 0.1.x","metadata":null,"cves":["CVE-2024-52798"],"access":"public","severity":"high","module_name":"path-to-regexp","vulnerable_versions":"<0.1.12","github_advisory_id":"GHSA-rhx6-c78j-4q9w","recommendation":"Upgrade to version 0.1.12 or later","patched_versions":">=0.1.12","updated":"2025-01-24T21:41:09.000Z","cvss":{"score":0,"vectorString":null},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-rhx6-c78j-4q9w"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":4,"critical":0},"dependencies":384,"devDependencies":0,"optionalDependencies":0,"totalDependencies":384}}