mcp-siber-security-audit
Version:
MCP server for security code audit with auto-fix capabilities
999 lines • 39.3 kB
JSON
{
"actions": [
{
"isMajor": false,
"action": "install",
"resolves": [
{
"id": 1234574,
"path": "mongoose",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1234575,
"path": "mysql2",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1234576,
"path": "sequelize",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1234577,
"path": "helmet",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1234578,
"path": "cors",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1234579,
"path": "multer",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1234580,
"path": "axios",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1234569,
"path": "body-parser",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1234570,
"path": "cookie-parser",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1234571,
"path": "jsonwebtoken",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1234572,
"path": "passport",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1234573,
"path": "passport-jwt",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1234567,
"path": "express",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1234568,
"path": "express",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1085674,
"path": "lodash",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1094499,
"path": "lodash",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1094500,
"path": "lodash",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1096305,
"path": "lodash",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1096996,
"path": "lodash",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1097130,
"path": "lodash",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1097140,
"path": "lodash",
"dev": false,
"optional": false,
"bundled": false
}
],
"module": "lodash",
"target": "4.17.21"
}
],
"advisories": {
"1234567": {
"findings": [
{
"version": "4.17.1",
"paths": [
"express"
]
}
],
"found_by": "Security Researcher",
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-24999\n- https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"created": "2022-02-15T00:00:00.000Z",
"id": 1234567,
"npm_advisory_id": null,
"overview": "Express versions prior to 4.17.3 are vulnerable to cache poisoning due to improper handling of the `res.set()` method when called with non-standard characters in header names. An attacker could potentially exploit this to manipulate response headers.",
"reported_by": null,
"title": "Cache Poisoning Vulnerability in Express",
"metadata": null,
"cves": [
"CVE-2022-24999"
],
"access": "public",
"severity": "high",
"module_name": "express",
"vulnerable_versions": "<4.17.3",
"github_advisory_id": "GHSA-hrpp-h998-j3pp",
"recommendation": "Upgrade to version 4.17.3 or later",
"patched_versions": ">=4.17.3",
"updated": "2025-11-01T23:21:12.000Z",
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"cwe": [
"CWE-444"
],
"url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp"
},
"1234568": {
"findings": [
{
"version": "4.17.1",
"paths": [
"express"
]
}
],
"found_by": "Security Researcher",
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-25871\n- https://github.com/advisories/GHSA-wp2j-vmh9-23qx",
"created": "2022-05-06T00:00:00.000Z",
"id": 1234568,
"npm_advisory_id": null,
"overview": "Express versions prior to 4.17.2 are vulnerable to Request Smuggling due to improper handling of multi-line transfer-encoding headers. An attacker could potentially exploit this to perform request smuggling attacks.",
"reported_by": null,
"title": "HTTP Request Smuggling in Express",
"metadata": null,
"cves": [
"CVE-2022-25871"
],
"access": "public",
"severity": "critical",
"module_name": "express",
"vulnerable_versions": "<4.17.2",
"github_advisory_id": "GHSA-wp2j-vmh9-23qx",
"recommendation": "Upgrade to version 4.17.2 or later",
"patched_versions": ">=4.17.2",
"updated": "2025-11-01T23:21:12.000Z",
"cvss": {
"score": 9.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"cwe": [
"CWE-444"
],
"url": "https://github.com/advisories/GHSA-wp2j-vmh9-23qx"
},
"1234569": {
"findings": [
{
"version": "1.19.0",
"paths": [
"body-parser"
]
}
],
"found_by": "Security Researcher",
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-24434\n- https://github.com/advisories/GHSA-qrjh-x847-mmhc",
"created": "2022-02-02T00:00:00.000Z",
"id": 1234569,
"npm_advisory_id": null,
"overview": "body-parser versions prior to 1.19.2 are vulnerable to denial of service attacks via the content-type header. An attacker can send specially crafted payloads that cause the parser to consume excessive CPU.",
"reported_by": null,
"title": "Denial of Service in body-parser",
"metadata": null,
"cves": [
"CVE-2022-24434"
],
"access": "public",
"severity": "high",
"module_name": "body-parser",
"vulnerable_versions": "<1.19.2",
"github_advisory_id": "GHSA-qrjh-x847-mmhc",
"recommendation": "Upgrade to version 1.19.2 or later",
"patched_versions": ">=1.19.2",
"updated": "2025-11-01T23:21:12.000Z",
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"cwe": [
"CWE-400"
],
"url": "https://github.com/advisories/GHSA-qrjh-x847-mmhc"
},
"1234570": {
"findings": [
{
"version": "1.4.0",
"paths": [
"cookie-parser"
]
}
],
"found_by": "Security Researcher",
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-1234\n- https://github.com/advisories/GHSA-cookie-example",
"created": "2023-06-15T00:00:00.000Z",
"id": 1234570,
"npm_advisory_id": null,
"overview": "cookie-parser versions prior to 1.4.6 are vulnerable to prototype pollution via the signed cookie parser. An attacker can potentially execute arbitrary code by manipulating cookie values.",
"reported_by": null,
"title": "Prototype Pollution in cookie-parser",
"metadata": null,
"cves": [
"CVE-2023-1234"
],
"access": "public",
"severity": "high",
"module_name": "cookie-parser",
"vulnerable_versions": "<1.4.6",
"github_advisory_id": "GHSA-cookie-example",
"recommendation": "Upgrade to version 1.4.6 or later",
"patched_versions": ">=1.4.6",
"updated": "2025-11-01T23:21:12.000Z",
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"cwe": [
"CWE-1321"
],
"url": "https://github.com/advisories/GHSA-cookie-example"
},
"1234571": {
"findings": [
{
"version": "8.5.1",
"paths": [
"jsonwebtoken"
]
}
],
"found_by": "Security Researcher",
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-23529\n- https://github.com/advisories/GHSA-8cf7-32gw-wr33",
"created": "2022-12-21T00:00:00.000Z",
"id": 1234571,
"npm_advisory_id": null,
"overview": "jsonwebtoken versions prior to 9.0.0 are vulnerable to signature validation bypass when an `undefined` algorithm is provided. This can allow an attacker to forge tokens that pass validation.",
"reported_by": null,
"title": "JWT Signature Validation Bypass in jsonwebtoken",
"metadata": null,
"cves": [
"CVE-2022-23529"
],
"access": "public",
"severity": "critical",
"module_name": "jsonwebtoken",
"vulnerable_versions": "<9.0.0",
"github_advisory_id": "GHSA-8cf7-32gw-wr33",
"recommendation": "Upgrade to version 9.0.0 or later",
"patched_versions": ">=9.0.0",
"updated": "2025-11-01T23:21:12.000Z",
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"cwe": [
"CWE-347"
],
"url": "https://github.com/advisories/GHSA-8cf7-32gw-wr33"
},
"1234572": {
"findings": [
{
"version": "0.5.3",
"paths": [
"passport"
]
}
],
"found_by": "Security Researcher",
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-25901\n- https://github.com/advisories/GHSA-passport-example",
"created": "2022-08-10T00:00:00.000Z",
"id": 1234572,
"npm_advisory_id": null,
"overview": "passport versions prior to 0.6.0 are vulnerable to session fixation attacks. An attacker can potentially hijack user sessions by exploiting how the session is handled during authentication.",
"reported_by": null,
"title": "Session Fixation Vulnerability in passport",
"metadata": null,
"cves": [
"CVE-2022-25901"
],
"access": "public",
"severity": "high",
"module_name": "passport",
"vulnerable_versions": "<0.6.0",
"github_advisory_id": "GHSA-passport-example",
"recommendation": "Upgrade to version 0.6.0 or later",
"patched_versions": ">=0.6.0",
"updated": "2025-11-01T23:21:12.000Z",
"cvss": {
"score": 8.0,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
},
"cwe": [
"CWE-384"
],
"url": "https://github.com/advisories/GHSA-passport-example"
},
"1234573": {
"findings": [
{
"version": "4.0.0",
"paths": [
"passport-jwt"
]
}
],
"found_by": "Security Researcher",
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-25902\n- https://github.com/advisories/GHSA-passport-jwt-example",
"created": "2022-09-15T00:00:00.000Z",
"id": 1234573,
"npm_advisory_id": null,
"overview": "passport-jwt versions prior to 4.0.1 are vulnerable to authentication bypass when using certain JWT algorithms. An attacker can potentially forge tokens that pass validation due to improper algorithm verification.",
"reported_by": null,
"title": "Authentication Bypass in passport-jwt",
"metadata": null,
"cves": [
"CVE-2022-25902"
],
"access": "public",
"severity": "critical",
"module_name": "passport-jwt",
"vulnerable_versions": "<4.0.1",
"github_advisory_id": "GHSA-passport-jwt-example",
"recommendation": "Upgrade to version 4.0.1 or later",
"patched_versions": ">=4.0.1",
"updated": "2025-11-01T23:21:12.000Z",
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"cwe": [
"CWE-287"
],
"url": "https://github.com/advisories/GHSA-passport-jwt-example"
},
"1234574": {
"findings": [
{
"version": "6.0.0",
"paths": [
"mongoose"
]
}
],
"found_by": "Security Researcher",
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-mongoose\n- https://github.com/advisories/GHSA-mongoose-example",
"created": "2022-06-15T00:00:00.000Z",
"id": 1234574,
"npm_advisory_id": null,
"overview": "mongoose versions prior to 6.4.6 are vulnerable to NoSQL injection via query selector injection when using nested properties in query strings.",
"reported_by": null,
"title": "NoSQL Injection in mongoose",
"metadata": null,
"cves": [
"CVE-2022-mongoose"
],
"access": "public",
"severity": "critical",
"module_name": "mongoose",
"vulnerable_versions": "<6.4.6",
"github_advisory_id": "GHSA-mongoose-example",
"recommendation": "Upgrade to version 6.4.6 or later",
"patched_versions": ">=6.4.6",
"updated": "2025-11-01T23:21:12.000Z",
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"cwe": [
"CWE-943"
],
"url": "https://github.com/advisories/GHSA-mongoose-example"
},
"1234575": {
"findings": [
{
"version": "2.3.0",
"paths": [
"mysql2"
]
}
],
"found_by": "Security Researcher",
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-mysql2\n- https://github.com/advisories/GHSA-mysql2-example",
"created": "2023-01-15T00:00:00.000Z",
"id": 1234575,
"npm_advisory_id": null,
"overview": "mysql2 versions prior to 2.3.3 are vulnerable to SQL injection via improper escaping of user input in certain query building scenarios.",
"reported_by": null,
"title": "SQL Injection in mysql2",
"metadata": null,
"cves": [
"CVE-2023-mysql2"
],
"access": "public",
"severity": "critical",
"module_name": "mysql2",
"vulnerable_versions": "<2.3.3",
"github_advisory_id": "GHSA-mysql2-example",
"recommendation": "Upgrade to version 2.3.3 or later",
"patched_versions": ">=2.3.3",
"updated": "2025-11-01T23:21:12.000Z",
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"cwe": [
"CWE-89"
],
"url": "https://github.com/advisories/GHSA-mysql2-example"
},
"1234576": {
"findings": [
{
"version": "6.15.0",
"paths": [
"sequelize"
]
}
],
"found_by": "Security Researcher",
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-sequelize\n- https://github.com/advisories/GHSA-sequelize-example",
"created": "2023-03-20T00:00:00.000Z",
"id": 1234576,
"npm_advisory_id": null,
"overview": "sequelize versions prior to 6.19.0 are vulnerable to SQL injection when using raw queries with user input without proper parameter binding.",
"reported_by": null,
"title": "SQL Injection via Raw Queries in Sequelize",
"metadata": null,
"cves": [
"CVE-2023-sequelize"
],
"access": "public",
"severity": "high",
"module_name": "sequelize",
"vulnerable_versions": "<6.19.0",
"github_advisory_id": "GHSA-sequelize-example",
"recommendation": "Upgrade to version 6.19.0 or later and use parameterized queries",
"patched_versions": ">=6.19.0",
"updated": "2025-11-01T23:21:12.000Z",
"cvss": {
"score": 8.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
},
"cwe": [
"CWE-89"
],
"url": "https://github.com/advisories/GHSA-sequelize-example"
},
"1234577": {
"findings": [
{
"version": "4.6.0",
"paths": [
"helmet"
]
}
],
"found_by": "Security Researcher",
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-helmet\n- https://github.com/advisories/GHSA-helmet-example",
"created": "2023-05-10T00:00:00.000Z",
"id": 1234577,
"npm_advisory_id": null,
"overview": "helmet versions prior to 4.6.2 have a vulnerability where CSP headers can be bypassed in certain configurations.",
"reported_by": null,
"title": "CSP Bypass in Helmet",
"metadata": null,
"cves": [
"CVE-2023-helmet"
],
"access": "public",
"severity": "high",
"module_name": "helmet",
"vulnerable_versions": "<4.6.2",
"github_advisory_id": "GHSA-helmet-example",
"recommendation": "Upgrade to version 4.6.2 or later",
"patched_versions": ">=4.6.2",
"updated": "2025-11-01T23:21:12.000Z",
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"cwe": [
"CWE-346"
],
"url": "https://github.com/advisories/GHSA-helmet-example"
},
"1234578": {
"findings": [
{
"version": "2.8.0",
"paths": [
"cors"
]
}
],
"found_by": "Security Researcher",
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-cors\n- https://github.com/advisories/GHSA-cors-example",
"created": "2023-07-01T00:00:00.000Z",
"id": 1234578,
"npm_advisory_id": null,
"overview": "cors versions prior to 2.8.5 are vulnerable to origin validation bypass when using regular expressions in origin whitelist.",
"reported_by": null,
"title": "CORS Origin Validation Bypass",
"metadata": null,
"cves": [
"CVE-2023-cors"
],
"access": "public",
"severity": "high",
"module_name": "cors",
"vulnerable_versions": "<2.8.5",
"github_advisory_id": "GHSA-cors-example",
"recommendation": "Upgrade to version 2.8.5 or later",
"patched_versions": ">=2.8.5",
"updated": "2025-11-01T23:21:12.000Z",
"cvss": {
"score": 8.0,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
},
"cwe": [
"CWE-346"
],
"url": "https://github.com/advisories/GHSA-cors-example"
},
"1234579": {
"findings": [
{
"version": "1.4.3",
"paths": [
"multer"
]
}
],
"found_by": "Security Researcher",
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-multer\n- https://github.com/advisories/GHSA-multer-example",
"created": "2023-08-15T00:00:00.000Z",
"id": 1234579,
"npm_advisory_id": null,
"overview": "multer versions prior to 1.4.4 are vulnerable to directory traversal attacks when handling file uploads with specific filenames.",
"reported_by": null,
"title": "Directory Traversal in Multer",
"metadata": null,
"cves": [
"CVE-2023-multer"
],
"access": "public",
"severity": "critical",
"module_name": "multer",
"vulnerable_versions": "<1.4.4",
"github_advisory_id": "GHSA-multer-example",
"recommendation": "Upgrade to version 1.4.4 or later",
"patched_versions": ">=1.4.4",
"updated": "2025-11-01T23:21:12.000Z",
"cvss": {
"score": 9.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"cwe": [
"CWE-22"
],
"url": "https://github.com/advisories/GHSA-multer-example"
},
"1234580": {
"findings": [
{
"version": "0.27.0",
"paths": [
"axios"
]
}
],
"found_by": "Security Researcher",
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-axios\n- https://github.com/advisories/GHSA-axios-example",
"created": "2023-09-20T00:00:00.000Z",
"id": 1234580,
"npm_advisory_id": null,
"overview": "axios versions prior to 0.27.2 are vulnerable to Server-Side Request Forgery (SSRF) due to improper URL validation.",
"reported_by": null,
"title": "SSRF Vulnerability in Axios",
"metadata": null,
"cves": [
"CVE-2023-axios"
],
"access": "public",
"severity": "critical",
"module_name": "axios",
"vulnerable_versions": "<0.27.2",
"github_advisory_id": "GHSA-axios-example",
"recommendation": "Upgrade to version 0.27.2 or later",
"patched_versions": ">=0.27.2",
"updated": "2025-11-01T23:21:12.000Z",
"cvss": {
"score": 9.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"cwe": [
"CWE-918"
],
"url": "https://github.com/advisories/GHSA-axios-example"
},
"1085674": {
"findings": [
{
"version": "4.17.1",
"paths": [
"lodash"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266\n- https://github.com/lodash/lodash/issues/3359\n- https://snyk.io/vuln/SNYK-JS-LODASH-73639\n- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347\n- https://github.com/lodash/lodash/wiki/Changelog\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm",
"created": "2019-07-19T16:13:07.000Z",
"id": 1085674,
"npm_advisory_id": null,
"overview": "lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.",
"reported_by": null,
"title": "Regular Expression Denial of Service (ReDoS) in lodash",
"metadata": null,
"cves": [
"CVE-2019-1010266"
],
"access": "public",
"severity": "moderate",
"module_name": "lodash",
"vulnerable_versions": "<4.17.11",
"github_advisory_id": "GHSA-x5rq-j2xg-h7qm",
"recommendation": "Upgrade to version 4.17.11 or later",
"patched_versions": ">=4.17.11",
"updated": "2023-01-09T05:01:38.000Z",
"cvss": {
"score": 0,
"vectorString": null
},
"cwe": [
"CWE-400"
],
"url": "https://github.com/advisories/GHSA-x5rq-j2xg-h7qm"
},
"1094499": {
"findings": [
{
"version": "4.17.1",
"paths": [
"lodash"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2018-16487\n- https://hackerone.com/reports/380873\n- https://github.com/advisories/GHSA-4xc9-xhrj-v574\n- https://www.npmjs.com/advisories/782\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad",
"created": "2019-02-07T18:16:48.000Z",
"id": 1094499,
"npm_advisory_id": null,
"overview": "Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.11 or later.",
"reported_by": null,
"title": "Prototype Pollution in lodash",
"metadata": null,
"cves": [
"CVE-2018-16487"
],
"access": "public",
"severity": "high",
"module_name": "lodash",
"vulnerable_versions": "<4.17.11",
"github_advisory_id": "GHSA-4xc9-xhrj-v574",
"recommendation": "Upgrade to version 4.17.11 or later",
"patched_versions": ">=4.17.11",
"updated": "2023-11-01T23:00:56.000Z",
"cvss": {
"score": 0,
"vectorString": null
},
"cwe": [
"CWE-400"
],
"url": "https://github.com/advisories/GHSA-4xc9-xhrj-v574"
},
"1094500": {
"findings": [
{
"version": "4.17.1",
"paths": [
"lodash"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a\n- https://github.com/advisories/GHSA-29mw-wpgm-hmr9",
"created": "2022-01-06T20:30:46.000Z",
"id": 1094500,
"npm_advisory_id": null,
"overview": "All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. \n\nSteps to reproduce (provided by reporter Liyuan Chen):\n```js\nvar lo = require('lodash');\n\nfunction build_blank(n) {\n var ret = \"1\"\n for (var i = 0; i < n; i++) {\n ret += \" \"\n }\n return ret + \"1\";\n}\nvar s = build_blank(50000) var time0 = Date.now();\nlo.trim(s) \nvar time_cost0 = Date.now() - time0;\nconsole.log(\"time_cost0: \" + time_cost0);\nvar time1 = Date.now();\nlo.toNumber(s) var time_cost1 = Date.now() - time1;\nconsole.log(\"time_cost1: \" + time_cost1);\nvar time2 = Date.now();\nlo.trimEnd(s);\nvar time_cost2 = Date.now() - time2;\nconsole.log(\"time_cost2: \" + time_cost2);\n```",
"reported_by": null,
"title": "Regular Expression Denial of Service (ReDoS) in lodash",
"metadata": null,
"cves": [
"CVE-2020-28500"
],
"access": "public",
"severity": "moderate",
"module_name": "lodash",
"vulnerable_versions": "<4.17.21",
"github_advisory_id": "GHSA-29mw-wpgm-hmr9",
"recommendation": "Upgrade to version 4.17.21 or later",
"patched_versions": ">=4.17.21",
"updated": "2023-11-01T23:21:12.000Z",
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"cwe": [
"CWE-400",
"CWE-1333"
],
"url": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9"
},
"1096305": {
"findings": [
{
"version": "4.17.1",
"paths": [
"lodash"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- https://github.com/lodash/lodash/issues/4874\n- https://github.com/github/advisory-database/pull/2884\n- https://hackerone.com/reports/864701\n- https://github.com/lodash/lodash/wiki/Changelog#v41719\n- https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744\n- https://security.netapp.com/advisory/ntap-20200724-0006/\n- https://github.com/advisories/GHSA-p6mc-m468-83gw",
"created": "2020-07-15T19:15:48.000Z",
"id": 1096305,
"npm_advisory_id": null,
"overview": "Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.",
"reported_by": null,
"title": "Prototype Pollution in lodash",
"metadata": null,
"cves": [
"CVE-2020-8203"
],
"access": "public",
"severity": "high",
"module_name": "lodash",
"vulnerable_versions": ">=3.7.0 <4.17.19",
"github_advisory_id": "GHSA-p6mc-m468-83gw",
"recommendation": "Upgrade to version 4.17.19 or later",
"patched_versions": ">=4.17.19",
"updated": "2024-01-26T15:32:50.000Z",
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"
},
"cwe": [
"CWE-770",
"CWE-1321"
],
"url": "https://github.com/advisories/GHSA-p6mc-m468-83gw"
},
"1096996": {
"findings": [
{
"version": "4.17.1",
"paths": [
"lodash"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://security.netapp.com/advisory/ntap-20210312-0006\n- https://github.com/advisories/GHSA-35jh-r3h4-6jhm",
"created": "2021-05-06T16:05:51.000Z",
"id": 1096996,
"npm_advisory_id": null,
"overview": "`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",
"reported_by": null,
"title": "Command Injection in lodash",
"metadata": null,
"cves": [
"CVE-2021-23337"
],
"access": "public",
"severity": "high",
"module_name": "lodash",
"vulnerable_versions": "<4.17.21",
"github_advisory_id": "GHSA-35jh-r3h4-6jhm",
"recommendation": "Upgrade to version 4.17.21 or later",
"patched_versions": ">=4.17.21",
"updated": "2024-04-17T18:39:19.000Z",
"cvss": {
"score": 7.2,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
},
"cwe": [
"CWE-77",
"CWE-94"
],
"url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm"
},
"1097130": {
"findings": [
{
"version": "4.17.1",
"paths": [
"lodash"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2018-3721\n- https://hackerone.com/reports/310443\n- https://github.com/advisories/GHSA-fvqr-27wr-82fm\n- https://www.npmjs.com/advisories/577\n- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a\n- https://security.netapp.com/advisory/ntap-20190919-0004",
"created": "2018-07-26T15:14:52.000Z",
"id": 1097130,
"npm_advisory_id": null,
"overview": "Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.",
"reported_by": null,
"title": "Prototype Pollution in lodash",
"metadata": null,
"cves": [
"CVE-2018-3721"
],
"access": "public",
"severity": "moderate",
"module_name": "lodash",
"vulnerable_versions": "<4.17.5",
"github_advisory_id": "GHSA-fvqr-27wr-82fm",
"recommendation": "Upgrade to version 4.17.5 or later",
"patched_versions": ">=4.17.5",
"updated": "2024-04-22T19:49:54.000Z",
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
},
"cwe": [
"CWE-471",
"CWE-1321"
],
"url": "https://github.com/advisories/GHSA-fvqr-27wr-82fm"
},
"1097140": {
"findings": [
{
"version": "4.17.1",
"paths": [
"lodash"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://github.com/lodash/lodash/pull/4336\n- https://nvd.nist.gov/vuln/detail/CVE-2019-10744\n- https://snyk.io/vuln/SNYK-JS-LODASH-450202\n- https://www.npmjs.com/advisories/1065\n- https://access.redhat.com/errata/RHSA-2019:3024\n- https://security.netapp.com/advisory/ntap-20191004-0005/\n- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS\n- https://www.oracle.com/security-alerts/cpujan2021.html\n- https://www.oracle.com/security-alerts/cpuoct2020.html\n- https://support.f5.com/csp/article/K47105354?utm_source=f5support&%3Butm_medium=RSS\n- https://github.com/advisories/GHSA-jf85-cpcp-j695",
"created": "2019-07-10T19:45:23.000Z",
"id": 1097140,
"npm_advisory_id": null,
"overview": "Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n## Recommendation\n\nUpdate to version 4.17.12 or later.",
"reported_by": null,
"title": "Prototype Pollution in lodash",
"metadata": null,
"cves": [
"CVE-2019-10744"
],
"access": "public",
"severity": "critical",
"module_name": "lodash",
"vulnerable_versions": "<4.17.12",
"github_advisory_id": "GHSA-jf85-cpcp-j695",
"recommendation": "Upgrade to version 4.17.12 or later",
"patched_versions": ">=4.17.12",
"updated": "2024-04-22T19:49:44.000Z",
"cvss": {
"score": 9.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
},
"cwe": [
"CWE-20",
"CWE-1321"
],
"url": "https://github.com/advisories/GHSA-jf85-cpcp-j695"
}
},
"muted": [],
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 3,
"high": 3,
"critical": 1
},
"dependencies": 1,
"devDependencies": 0,
"optionalDependencies": 0,
"totalDependencies": 1
}
}