react-scripts-ts-3.1.0.tgz: 63 vulnerabilities (highest severity is: 9.8)

[mend-bolt-for-github]

Vulnerable Library - react-scripts-ts-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/webpack-dev-server/node_modules/glob-parent/package.json,/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (react-scripts-ts version)	Remediation Possible**
CVE-2023-42282	Critical	9.8	ip-1.1.5.tgz	Transitive	4.0.0	❌
CVE-2022-37601	Critical	9.8	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2021-42740	Critical	9.8	shell-quote-1.6.1.tgz	Transitive	N/A*	❌
CVE-2023-45133	Critical	9.3	babel-traverse-6.26.0.tgz	Transitive	N/A*	❌
CVE-2024-48949	Critical	9.1	elliptic-6.5.4.tgz	Transitive	4.0.0	❌
CVE-2024-29415	Critical	9.1	ip-1.1.5.tgz	Transitive	N/A*	❌
WS-2019-0063	High	8.1	js-yaml-3.7.0.tgz	Transitive	4.0.1	❌
CVE-2022-1650	High	8.1	eventsource-0.1.6.tgz	Transitive	N/A*	❌
CVE-2020-7660	High	8.1	serialize-javascript-1.9.1.tgz	Transitive	N/A*	❌
WS-2021-0152	High	7.5	color-string-0.3.0.tgz	Transitive	4.0.1	❌
WS-2019-0032	High	7.5	js-yaml-3.7.0.tgz	Transitive	4.0.1	❌
CVE-2024-52798	High	7.5	path-to-regexp-0.1.7.tgz	Transitive	N/A*	❌
CVE-2024-45590	High	7.5	body-parser-1.19.2.tgz	Transitive	N/A*	❌
CVE-2024-45296	High	7.5	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2024-4068	High	7.5	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2024-37890	High	7.5	ws-5.2.3.tgz	Transitive	N/A*	❌
CVE-2024-21538	High	7.5	cross-spawn-5.1.0.tgz	Transitive	N/A*	❌
CVE-2024-21536	High	7.5	http-proxy-middleware-0.17.4.tgz	Transitive	N/A*	❌
CVE-2022-38900	High	7.5	decode-uri-component-0.2.0.tgz	Transitive	4.0.0	❌
CVE-2022-37620	High	7.5	html-minifier-3.5.21.tgz	Transitive	N/A*	❌
CVE-2022-37603	High	7.5	loader-utils-1.4.0.tgz	Transitive	4.0.0	❌
CVE-2022-3517	High	7.5	minimatch-3.0.3.tgz	Transitive	N/A*	❌
CVE-2022-24772	High	7.5	node-forge-0.10.0.tgz	Transitive	N/A*	❌
CVE-2022-24771	High	7.5	node-forge-0.10.0.tgz	Transitive	N/A*	❌
CVE-2021-33623	High	7.5	trim-newlines-1.0.0.tgz	Transitive	4.0.1	❌
CVE-2021-29059	High	7.5	is-svg-2.1.0.tgz	Transitive	4.0.1	❌
CVE-2021-28092	High	7.5	is-svg-2.1.0.tgz	Transitive	4.0.1	❌
CVE-2021-27290	High	7.5	ssri-5.3.0.tgz	Transitive	N/A*	❌
CVE-2021-23424	High	7.5	ansi-html-0.0.7.tgz	Transitive	N/A*	❌
CVE-2018-14732	High	7.5	webpack-dev-server-2.11.3.tgz	Transitive	4.0.1	❌
CVE-2024-29180	High	7.4	webpack-dev-middleware-1.12.2.tgz	Transitive	N/A*	❌
CVE-2023-26159	High	7.3	follow-redirects-1.14.9.tgz	Transitive	4.0.0	❌
CVE-2020-28499	High	7.3	merge-1.2.1.tgz	Transitive	N/A*	❌
CVE-2022-46175	High	7.1	detected in multiple dependencies	Transitive	N/A*	❌
WS-2022-0008	Medium	6.6	node-forge-0.10.0.tgz	Transitive	N/A*	❌
CVE-2024-28849	Medium	6.5	follow-redirects-1.14.9.tgz	Transitive	N/A*	❌
CVE-2023-46234	Medium	6.5	browserify-sign-4.2.1.tgz	Transitive	4.0.0	❌
CVE-2023-26136	Medium	6.5	tough-cookie-2.5.0.tgz	Transitive	N/A*	❌
CVE-2024-43788	Medium	6.4	webpack-3.8.1.tgz	Transitive	N/A*	❌
CVE-2024-29041	Medium	6.1	express-4.17.3.tgz	Transitive	N/A*	❌
CVE-2023-28155	Medium	6.1	request-2.88.2.tgz	Transitive	N/A*	❌
CVE-2022-0122	Medium	6.1	node-forge-0.10.0.tgz	Transitive	N/A*	❌
CVE-2021-24033	Medium	5.6	react-dev-utils-5.0.3.tgz	Transitive	N/A*	❌
CVE-2020-15366	Medium	5.6	ajv-5.5.2.tgz	Transitive	4.0.1	❌
WS-2017-3757	Medium	5.3	content-type-parser-1.0.2.tgz	Transitive	N/A*	❌
CVE-2024-47764	Medium	5.3	cookie-0.4.2.tgz	Transitive	N/A*	❌
CVE-2024-4067	Medium	5.3	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2023-44270	Medium	5.3	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2022-33987	Medium	5.3	got-6.7.1.tgz	Transitive	4.0.1	❌
CVE-2022-25883	Medium	5.3	semver-5.7.1.tgz	Transitive	N/A*	❌
CVE-2022-24773	Medium	5.3	node-forge-0.10.0.tgz	Transitive	N/A*	❌
CVE-2021-29060	Medium	5.3	color-string-0.3.0.tgz	Transitive	4.0.1	❌
CVE-2021-23382	Medium	5.3	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2020-7693	Medium	5.3	sockjs-0.3.19.tgz	Transitive	N/A*	❌
CVE-2020-7608	Medium	5.3	detected in multiple dependencies	Transitive	4.0.1	❌
CVE-2020-28469	Medium	5.3	detected in multiple dependencies	Transitive	N/A*	❌
WS-2019-0307	Medium	5.1	mem-1.1.0.tgz	Transitive	N/A*	❌
CVE-2024-43800	Medium	5.0	serve-static-1.14.2.tgz	Transitive	N/A*	❌
CVE-2024-43799	Medium	5.0	send-0.17.2.tgz	Transitive	N/A*	❌
CVE-2024-43796	Medium	5.0	express-4.17.3.tgz	Transitive	N/A*	❌
CVE-2024-48948	Medium	4.8	elliptic-6.5.4.tgz	Transitive	N/A*	❌
CVE-2019-16769	Medium	4.2	serialize-javascript-1.9.1.tgz	Transitive	N/A*	❌
CVE-2024-27088	Low	0.0	es5-ext-0.10.61.tgz	Transitive	4.0.0	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (18 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-42282

Vulnerable Library - ip-1.1.5.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ip/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • webpack-dev-server-2.11.3.tgz
    • ❌ ip-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Found in base branch: main

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-78xj-cgh5-2h22

Release Date: 2024-02-08

Fix Resolution (ip): 1.1.9

Direct dependency fix Resolution (react-scripts-ts): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-37601

Vulnerable Libraries - loader-utils-0.2.17.tgz, loader-utils-1.4.0.tgz

loader-utils-0.2.17.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.17.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/html-webpack-plugin/node_modules/loader-utils/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • html-webpack-plugin-2.29.0.tgz
    • ❌ loader-utils-0.2.17.tgz (Vulnerable Library)

loader-utils-1.4.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/loader-utils/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • css-loader-0.28.7.tgz
    • ❌ loader-utils-1.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution: loader-utils - 1.4.1,2.0.3

Step up your Open Source Security Game with Mend here

CVE-2021-42740

Vulnerable Library - shell-quote-1.6.1.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/shell-quote/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • react-dev-utils-5.0.3.tgz
    • ❌ shell-quote-1.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Found in base branch: main

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution: shell-quote - 1.7.3

Step up your Open Source Security Game with Mend here

CVE-2023-45133

Vulnerable Library - babel-traverse-6.26.0.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/babel-traverse/-/babel-traverse-6.26.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/babel-traverse/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • ts-jest-22.0.1.tgz
    • babel-core-6.26.3.tgz
      • ❌ babel-traverse-6.26.0.tgz (Vulnerable Library)

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Found in base branch: main

Vulnerability Details

Babel is a compiler for writingJavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/traverse@7.23.2 and @babel/traverse@8.0.0-alpha.4. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.

Publish Date: 2023-10-12

URL: CVE-2023-45133

CVSS 3 Score Details (9.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-67hx-6x53-jw92

Release Date: 2023-10-12

Fix Resolution: @babel/traverse - 7.23.2

Step up your Open Source Security Game with Mend here

CVE-2024-48949

Vulnerable Library - elliptic-6.5.4.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/elliptic/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • webpack-3.8.1.tgz
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • create-ecdh-4.0.4.tgz
          • ❌ elliptic-6.5.4.tgz (Vulnerable Library)

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Found in base branch: main

Vulnerability Details

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

Publish Date: 2024-10-10

URL: CVE-2024-48949

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-48949

Release Date: 2024-10-10

Fix Resolution (elliptic): 6.5.6

Direct dependency fix Resolution (react-scripts-ts): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2024-29415

Vulnerable Library - ip-1.1.5.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ip/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • webpack-dev-server-2.11.3.tgz
    • ❌ ip-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Found in base branch: main

Vulnerability Details

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Mend Note: We assigned a different CVSS score to this CVE because of its potential to result in a Server-Side Request Forgery (SSRF) vulnerability. Additionally, the package is no longer maintained, which increases the associated risk.

Publish Date: 2024-05-27

URL: CVE-2024-29415

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

WS-2019-0063

Vulnerable Library - js-yaml-3.7.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/svgo/node_modules/js-yaml/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • css-loader-0.28.7.tgz
    • cssnano-3.10.0.tgz
      • postcss-svgo-2.1.6.tgz
        • svgo-0.7.2.tgz
          • ❌ js-yaml-3.7.0.tgz (Vulnerable Library)

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Found in base branch: main

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (react-scripts-ts): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2022-1650

Vulnerable Library - eventsource-0.1.6.tgz

W3C compliant EventSource client for Node.js

Library home page: https://registry.npmjs.org/eventsource/-/eventsource-0.1.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/eventsource/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • react-dev-utils-5.0.3.tgz
    • sockjs-client-1.1.5.tgz
      • ❌ eventsource-0.1.6.tgz (Vulnerable Library)

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Found in base branch: main

Vulnerability Details

Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.

Publish Date: 2022-05-12

URL: CVE-2022-1650

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-05-12

Fix Resolution: eventsource - 1.1.1,2.0.2

Step up your Open Source Security Game with Mend here

CVE-2020-7660

Vulnerable Library - serialize-javascript-1.9.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • uglifyjs-webpack-plugin-1.2.5.tgz
    • ❌ serialize-javascript-1.9.1.tgz (Vulnerable Library)

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Found in base branch: main

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-01

Fix Resolution: serialize-javascript - 3.1.0

Step up your Open Source Security Game with Mend here

WS-2021-0152

Vulnerable Library - color-string-0.3.0.tgz

Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-0.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/color-string/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • css-loader-0.28.7.tgz
    • cssnano-3.10.0.tgz
      • postcss-colormin-2.2.2.tgz
        • colormin-1.1.2.tgz
          • color-0.11.4.tgz
            • ❌ color-string-0.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Found in base branch: main

Vulnerability Details

Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.

Publish Date: 2021-03-12

URL: WS-2021-0152

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-12

Fix Resolution (color-string): 1.5.5

Direct dependency fix Resolution (react-scripts-ts): 4.0.1

Step up your Open Source Security Game with Mend here

WS-2019-0032

Vulnerable Library - js-yaml-3.7.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/svgo/node_modules/js-yaml/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • css-loader-0.28.7.tgz
    • cssnano-3.10.0.tgz
      • postcss-svgo-2.1.6.tgz
        • svgo-0.7.2.tgz
          • ❌ js-yaml-3.7.0.tgz (Vulnerable Library)

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Found in base branch: main

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (react-scripts-ts): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2024-52798

Vulnerable Library - path-to-regexp-0.1.7.tgz

Express style path to RegExp utility

Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/express/node_modules/path-to-regexp/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • webpack-dev-server-2.11.3.tgz
    • express-4.17.3.tgz
      • ❌ path-to-regexp-0.1.7.tgz (Vulnerable Library)

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Found in base branch: main

Vulnerability Details

path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.

Publish Date: 2024-12-05

URL: CVE-2024-52798

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rhx6-c78j-4q9w

Release Date: 2024-12-05

Fix Resolution: path-to-regexp - 0.1.12

Step up your Open Source Security Game with Mend here

CVE-2024-45590

Vulnerable Library - body-parser-1.19.2.tgz

Node.js body parsing middleware

Library home page: https://registry.npmjs.org/body-parser/-/body-parser-1.19.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/body-parser/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • webpack-dev-server-2.11.3.tgz
    • express-4.17.3.tgz
      • ❌ body-parser-1.19.2.tgz (Vulnerable Library)

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Found in base branch: main

Vulnerability Details

body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.

Publish Date: 2024-09-10

URL: CVE-2024-45590

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qwcr-r2fm-qrc7

Release Date: 2024-09-10

Fix Resolution: body-parser - 1.20.3

Step up your Open Source Security Game with Mend here

CVE-2024-45296

Vulnerable Libraries - path-to-regexp-0.1.7.tgz, path-to-regexp-1.8.0.tgz

path-to-regexp-0.1.7.tgz

Express style path to RegExp utility

Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/express/node_modules/path-to-regexp/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • webpack-dev-server-2.11.3.tgz
    • express-4.17.3.tgz
      • ❌ path-to-regexp-0.1.7.tgz (Vulnerable Library)

path-to-regexp-1.8.0.tgz

Express style path to RegExp utility

Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-1.8.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/path-to-regexp/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • sw-precache-webpack-plugin-0.11.4.tgz
    • sw-precache-5.2.1.tgz
      • sw-toolbox-3.6.0.tgz
        • ❌ path-to-regexp-1.8.0.tgz (Vulnerable Library)

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Found in base branch: main

Vulnerability Details

path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

Publish Date: 2024-09-09

URL: CVE-2024-45296

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9wv6-86v2-598j

Release Date: 2024-09-09

Fix Resolution: path-to-regexp - 0.1.10,1.9.0,3.3.0,6.3.0,8.0.0

Step up your Open Source Security Game with Mend here

CVE-2024-4068

Vulnerable Libraries - braces-3.0.2.tgz, braces-2.3.2.tgz, braces-1.8.5.tgz

braces-3.0.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/watchpack/node_modules/braces/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • webpack-3.8.1.tgz
    • watchpack-1.7.5.tgz
      • chokidar-3.5.3.tgz
        • ❌ braces-3.0.2.tgz (Vulnerable Library)

braces-2.3.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/watchpack-chokidar2/node_modules/braces/package.json,/node_modules/webpack-dev-server/node_modules/braces/package.json,/node_modules/readdirp/node_modules/braces/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • webpack-dev-server-2.11.3.tgz
    • chokidar-2.1.8.tgz
      • ❌ braces-2.3.2.tgz (Vulnerable Library)

braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/braces/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • micromatch-2.3.11.tgz
        • ❌ braces-1.8.5.tgz (Vulnerable Library)

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Found in base branch: main

Vulnerability Details

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.

Publish Date: 2024-05-13

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution: braces - 3.0.3

Step up your Open Source Security Game with Mend here

CVE-2024-37890

Vulnerable Library - ws-5.2.3.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-5.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ws/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • ts-jest-22.0.1.tgz
    • jest-config-22.4.4.tgz
      • jest-environment-jsdom-22.4.3.tgz
        • jsdom-11.12.0.tgz
          • ❌ ws-5.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Found in base branch: main

Vulnerability Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

Publish Date: 2024-06-17

URL: CVE-2024-37890

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3h5v-q93c-6h6q

Release Date: 2024-06-17

Fix Resolution: ws - 5.2.4,6.2.3,7.5.10,8.17.1

Step up your Open Source Security Game with Mend here

CVE-2024-21538

Vulnerable Library - cross-spawn-5.1.0.tgz

Cross platform child_process#spawn and child_process#spawnSync

Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-5.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cross-spawn/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • react-dev-utils-5.0.3.tgz
    • ❌ cross-spawn-5.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Found in base branch: main

Vulnerability Details

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

Publish Date: 2024-11-08

URL: CVE-2024-21538

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21538

Release Date: 2024-11-08

Fix Resolution: cross-spawn - 7.0.5

Step up your Open Source Security Game with Mend here

CVE-2024-21536

Vulnerable Library - http-proxy-middleware-0.17.4.tgz

The one-liner node.js proxy middleware for connect, express and browser-sync

Library home page: https://registry.npmjs.org/http-proxy-middleware/-/http-proxy-middleware-0.17.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/http-proxy-middleware/package.json

Dependency Hierarchy:

• react-scripts-ts-3.1.0.tgz (Root Library)
  • webpack-dev-server-2.11.3.tgz
    • ❌ http-proxy-middleware-0.17.4.tgz (Vulnerable Library)

Found in HEAD commit: 8ad649e0b19b218d7c4b6395dd20142b7f0c298c

Found in base branch: main

Vulnerability Details

Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.

Publish Date: 2024-10-19

URL: CVE-2024-21536

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21536

Release Date: 2024-10-19

Fix Resolution: http-proxy-middleware - 2.0.7,3.0.3

Step up your Open Source Security Game with Mend here