SPDX ID: SPDXRef-1
License: MIT
Versions: 1.1.3
- Include Copyright: You must include the copyright notice in all copies or substantial uses of the work.
- Include License: You must include the license notice in all copies or substantial uses of the work.

The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.
Solution: Upgrade to version 6.0.1 or above.
Details:
Scanner: Gemnasium
Vulnerable Package: glob-parent:5.1.2

A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.
Solution: Unfortunately, there is no solution available yet.
Details:
Scanner: Gemnasium
Vulnerable Package: html-minifier:4.0.0

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including version `2.2.1` does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 version 2.2.2 and later.
Solution: Upgrade to version 2.2.2 or above.
Details:
Scanner: Gemnasium
Vulnerable Package: json5:1.0.2

A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.
Solution: Upgrade to version 3.1.0 or above.
Details:
Scanner: Gemnasium
Vulnerable Package: debug:2.6.9