WS-2018-0590 (High) detected in diff-1.4.0.tgz

[mend-for-github-com]

WS-2018-0590 - High Severity Vulnerability

Vulnerable Library - diff-1.4.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-1.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/diff/package.json

Dependency Hierarchy:

• mocha-2.5.3.tgz (Root Library)
  • ❌ diff-1.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 7ca9ef14f18b637a3bd8a4b8e23f3505f5b3c35d

Found in base branch: master

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: kpdecker/jsdiff@2aec429

Release Date: 2018-03-05

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (mocha): 5.0.3

---

⛑️ Automatic Remediation is available for this issue