Conversation

@sc979 sc979 commented Dec 16, 2025

ci(secu): check dependency actions

github-actions bot commented Dec 16, 2025

Checkmarx One – Scan Summary & Details (scan id d88b95a3-41ef-4b22-a980-4e8e6501da2d)

New Issues (44)

Checkmarx found the following issues in this Pull Request

| # | Severity | Issue | Source File / Package | Recommended version | Description | Attack Vector | Attack Complexity | Checkmarx Insight |
|---|---|---|---|---|---|---|---|---|
| 1 | CRITICAL | CVE-2022-2216 | Npm-parse-url-1.3.11 | 8.1.0 | The package parse-url versions through 6.0.0, 6.0.2 through 6.0.3, and 6.0.5, are vulnerable to Server-Side Request Forgery (SSRF). | NETWORK | LOW | Vulnerable Package |
| 2 | CRITICAL | CVE-2022-2900 | Npm-parse-url-1.3.11 | 8.1.0 | The package parse-url is vulnerable to Server-Side Request Forgery (SSRF). This issue affects versions prior to 8.0.0. | NETWORK | LOW | Vulnerable Package |
| 3 | CRITICAL | Cx07b57503-cbc2 | Npm-parse-url-1.3.11 | 8.1.0 | Authentication Bypass by Primary Weakness vulnerability in parse-url. This issue affects versions through 6.0.0, and versions 6.0.2, 6.0.3, 6.0.5. | NETWORK | LOW | Vulnerable Package |
| 4 | HIGH | CVE-2020-36650 | Npm-gry-5.0.8 | 6.0.0 | A vulnerability, which was classified as critical, was found in IonicaBizau node-gry versions prior to 6.0.0. This affects an unknown part. The man... | ADJACENT_NETWORK | LOW | Vulnerable Package |
| 5 | HIGH | CVE-2022-0722 | Npm-parse-url-1.3.11 | 8.1.0 | Exposure of Sensitive Information to an Unauthorized Actor in parse-url version 6.0.2 and prior to 6.0.1. | NETWORK | LOW | Vulnerable Package |
| 6 | HIGH | CVE-2022-25883 | Npm-semver-7.3.7 | 7.5.2 | The package semver versions prior to 5.7.2, 6.x through 6.3.0 and 7.x through 7.5.1 are vulnerable to Regular Expression Denial of Service (ReDoS) ... | NETWORK | LOW | Vulnerable Package |
| 7 | HIGH | CVE-2022-25883 | Npm-semver-5.7.1 | 5.7.2 | The package semver versions prior to 5.7.2, 6.x through 6.3.0 and 7.x through 7.5.1 are vulnerable to Regular Expression Denial of Service (ReDoS) ... | NETWORK | LOW | Vulnerable Package |
| 8 | HIGH | CVE-2023-26115 | Npm-word-wrap-1.2.3 | 1.2.4 | Versions prior to 1.24 of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regu... | NETWORK | LOW | Vulnerable Package |
| 9 | HIGH | CVE-2024-12905 | Npm-tar-fs-2.1.1 | 2.1.4 | An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"... | NETWORK | LOW | Vulnerable Package |
| 10 | HIGH | CVE-2024-21538 | Npm-cross-spawn-7.0.3 | 7.0.5 | Versions of the package cross-spawn prior to 6.0.6 and 7.x prior to 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS), due to im... | NETWORK | LOW | Vulnerable Package |
| 11 | HIGH | CVE-2024-37890 | Npm-ws-7.5.8 | 7.5.10 | The ws is an open-source WebSocket client and server for Node.js. A request with a number of headers exceeding the "server.maxHeadersCount" thresho... | NETWORK | LOW | Vulnerable Package |
| 12 | HIGH | CVE-2024-37890 | Npm-ws-8.5.0 | 8.17.1 | The ws is an open-source WebSocket client and server for Node.js. A request with a number of headers exceeding the "server.maxHeadersCount" thresho... | NETWORK | LOW | Vulnerable Package |
| 13 | HIGH | CVE-2024-4068 | Npm-braces-3.0.2 | 3.0.3 | The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In... | NETWORK | LOW | Vulnerable Package |
| 14 | HIGH | CVE-2025-12816 | Npm-node-forge-1.3.1 | 1.3.2 | An interpretation-conflict (CWE-436) vulnerability in node-forge versions through 1.3.1 enables unauthenticated attackers to craft ASN.1 structures... | NETWORK | LOW | Vulnerable Package |
| 15 | HIGH | CVE-2025-15284 | Npm-qs-6.5.3 | 6.14.1 | Improper Input Validation vulnerability in qs (parse modules) versions prior to 6.14.1 allows HTTP Denial-of-Service (DoS). The "arrayLimit" option... | NETWORK | LOW | Vulnerable Package |
| 16 | HIGH | CVE-2025-48387 | Npm-tar-fs-2.1.1 | 2.1.4 | The package tar-fs provides filesystem bindings for tar-stream. In versions prior to 1.16.5, 2.0.x prior to 2.1.3, and 3.0.x prior to 3.0.9, there ... | NETWORK | LOW | Vulnerable Package |
| 17 | HIGH | CVE-2025-59343 | Npm-tar-fs-2.1.1 | 2.1.4 | tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.4, and 1.16.6 are vulnerable to symlink validation bypass if the d... | NETWORK | LOW | Vulnerable Package |
| 18 | HIGH | CVE-2025-66031 | Npm-node-forge-1.3.1 | 1.3.2 | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in n... | NETWORK | LOW | Vulnerable Package |
| 19 | HIGH | Cx52560c19-771a | Npm-parse-url-1.3.11 | 8.1.0 | In parse-url, malicious usage of '+' in the protocol section of an URL or '?' before an '@' sign can lead to whitelist bypasses. This issue affects... | NETWORK | LOW | Vulnerable Package |
| 20 | HIGH | Cx9d154f96-a5f3 | Npm-parse-url-1.3.11 | 8.1.0 | parse-url is vulnerable to Hostname Spoofing via Improper Input Validation. This issue affects version through 6.0.0, and versions 6.0.2, 6.0.3, 6.... | NETWORK | LOW | Vulnerable Package |
| 21 | HIGH | Cxdca8e59f-8bfe | Npm-inflight-1.0.6 | | In NPM `inflight` there is a Memory Leak because some resources are not freed correctly after being used. It appears to affect all versions, as the... | NETWORK | LOW | Vulnerable Package |
| 22 | MEDIUM | CVE-2022-2217 | Npm-parse-url-1.3.11 | 8.1.0 | Cross-site Scripting (XSS) - Generic in parse-url version 6.0.2 and prior to 6.0.1. | NETWORK | LOW | Vulnerable Package |
| 23 | MEDIUM | CVE-2022-2218 | Npm-parse-url-1.3.11 | 8.1.0 | Cross-site Scripting (XSS) - Stored in parse-url version 6.0.2 and prior to 6.0.1. | NETWORK | LOW | Vulnerable Package |
| 24 | MEDIUM | CVE-2022-3224 | Npm-parse-url-1.3.11 | 8.1.0 | Misinterpretation of Input in ionicabizau/parse-url versions prior to 8.1.0. | NETWORK | LOW | Vulnerable Package |
| 25 | MEDIUM | CVE-2022-33987 | Npm-got-5.6.0 | 11.8.5 | The got package before 11.8.5, and 12.x before 12.1.0 for Node.js allows a redirect to a UNIX socket. | NETWORK | LOW | Vulnerable Package |
| 26 | MEDIUM | CVE-2022-36313 | Npm-file-type-3.9.0 | 16.5.4 | An issue was discovered in the file-type package versions prior to 16.5.4 and 17.0.x prior to 17.1.3 for "Node.js". A malformed MKV file could caus... | LOCAL | LOW | Vulnerable Package |
| 27 | MEDIUM | CVE-2024-28176 | Npm-jose-4.14.4 | 4.15.5 | The package jose is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JW... | NETWORK | HIGH | Vulnerable Package |
| 28 | MEDIUM | CVE-2024-4067 | Npm-micromatch-4.0.5 | 4.0.8 | The NPM package "micromatch" prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in "micromatch.... | NETWORK | LOW | Vulnerable Package |
| 29 | MEDIUM | CVE-2024-47764 | Npm-cookie-0.4.2 | 0.7.0 | The NPM package cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cook... | NETWORK | LOW | Vulnerable Package |
| 30 | MEDIUM | CVE-2025-54798 | Npm-tmp-0.2.3 | 0.2.4 | tmp is a temporary file and directory creator for node.js. In versions prior to 0.2.4, tmp is vulnerable to an arbitrary temporary file "/" directo... | NETWORK | LOW | Vulnerable Package |
| 31 | MEDIUM | CVE-2025-54798 | Npm-tmp-0.0.28 | 0.2.4 | tmp is a temporary file and directory creator for node.js. In versions prior to 0.2.4, tmp is vulnerable to an arbitrary temporary file "/" directo... | NETWORK | LOW | Vulnerable Package |
| 32 | MEDIUM | CVE-2025-64718 | Npm-js-yaml-4.1.0 | 4.1.1 | js-yaml is a JavaScript YAML parser and dumper. In js-yaml versions through 3.14.1 and 4.x through 4.1.0, it's possible for an attacker to modify t... | NETWORK | LOW | Vulnerable Package |
| 33 | MEDIUM | CVE-2025-66030 | Npm-node-forge-1.3.1 | 1.3.2 | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-fo... | NETWORK | LOW | Vulnerable Package |
| 34 | MEDIUM | Cx215c2573-d9b3 | Npm-parse-url-1.3.11 | 8.1.0 | parse-url mishandles certain uses of backslash such as "https:/\" and interprets the URI as a relative path. Browsers accept backslashes after the ... | NETWORK | LOW | Vulnerable Package |
| 35 | MEDIUM | Cxb745026d-bac0 | Npm-parse-url-1.3.11 | 8.1.0 | parse-url is vulnerable to Open Redirect. This issue affects versions through 6.0.0, and versions 6.0.2, 6.0.3, 6.0.5. | NETWORK | LOW | Vulnerable Package |
| 36 | MEDIUM | Cxbb85e86c-2fac | Npm-esbuild-0.19.12 | 0.25.0 | esbuild is an extremely fast bundler for the web, allowing any website to send any request to the development server and read the response due to d... | NETWORK | HIGH | Vulnerable Package |
| 37 | MEDIUM | Cxccc15d68-3696 | Npm-parse-url-1.3.11 | 8.1.0 | parse-url is vulnerable to Open Redirect and SSRF due to improper input validation. This issue affects versions through 6.0.0, and versions 6.0.2, ... | NETWORK | LOW | Vulnerable Package |
| 38 | LOW | CVE-2025-5889 | Npm-brace-expansion-1.1.11 | 1.1.12 | A vulnerability was found in juliangruber brace-expansion. It has been rated as problematic. Affected by this issue is the function "expand" of the... | NETWORK | HIGH | Vulnerable Package |
| 39 | LOW | Cx8bc4df28-fcf5 | Npm-debug-4.3.4 | 4.4.0 | In NPM "debug" versions prior to 4.4.0, the "enable" function accepts a regular expression from user input without escaping it. Arbitrary regular e... | NETWORK | HIGH | Vulnerable Package |
| 40 | LOW | Cx8bc4df28-fcf5 | Npm-debug-3.2.7 | 4.4.0 | In NPM "debug" versions prior to 4.4.0, the "enable" function accepts a regular expression from user input without escaping it. Arbitrary regular e... | NETWORK | HIGH | Vulnerable Package |
| 41 | LOW | Cx8bc4df28-fcf5 | Npm-debug-2.6.9 | 4.4.0 | In NPM "debug" versions prior to 4.4.0, the "enable" function accepts a regular expression from user input without escaping it. Arbitrary regular e... | NETWORK | HIGH | Vulnerable Package |
| 42 | LOW | Cxcc25902f-3a8e | Npm-aws-sdk-2.1692.0 | | A vulnerability was found in AWS SDK for JavaScript v2 versions 2.x through 3.0.0 in region input field when calling AWS services. An actor with ac... | NETWORK | HIGH | Vulnerable Package |
| 43 | LOW | Cxcc25902f-3a8e | Npm-aws-sdk-2.1693.0 | | A vulnerability was found in AWS SDK for JavaScript v2 versions 2.x through 3.0.0 in region input field when calling AWS services. An actor with ac... | NETWORK | HIGH | Vulnerable Package |
| 44 | LOW | Cxda14f253-4e52 | Npm-bluebird-2.11.0 | | The package `bluebird` is vulnerable to memory leak, when running the function longStackTraces() with the flag `--expose_gc`. This causes a signifi... | NETWORK | HIGH | Vulnerable Package |
