core-8.4.3.tgz: 2 vulnerabilities (highest severity is: 7.5) #95
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Nest - modern, fast, powerful node.js web framework (@core)
Library home page: https://registry.npmjs.org/@nestjs/core/-/core-8.4.3.tgz
Found in HEAD commit: a9ca696e4063e48a10f252dd7479d512df1895ad
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - path-to-regexp-3.2.0.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-3.2.0.tgz
Dependency Hierarchy:
Found in HEAD commit: a9ca696e4063e48a10f252dd7479d512df1895ad
Found in base branch: develop
Vulnerability Details
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Publish Date: 2024-09-09
URL: CVE-2024-45296
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-9wv6-86v2-598j
Release Date: 2024-09-09
Fix Resolution (path-to-regexp): 8.0.0
Direct dependency fix Resolution (@nestjs/core): 10.4.13
Vulnerable Library - core-8.4.3.tgz
Nest - modern, fast, powerful node.js web framework (@core)
Library home page: https://registry.npmjs.org/@nestjs/core/-/core-8.4.3.tgz
Dependency Hierarchy:
Found in HEAD commit: a9ca696e4063e48a10f252dd7479d512df1895ad
Found in base branch: develop
Vulnerability Details
Versions of the package @nestjs/core before 9.0.5 are vulnerable to Information Exposure via the StreamableFile pipe. Exploiting this vulnerability is possible when the client cancels a request while it is streaming a StreamableFile, the stream wrapped by the StreamableFile will be kept open.
Publish Date: 2023-03-06
URL: CVE-2023-26108
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26108
Release Date: 2023-03-06
Fix Resolution: 9.0.5
The text was updated successfully, but these errors were encountered: