web3-1.10.4.tgz: 15 vulnerabilities (highest severity is: 10.0) #128
Description
Vulnerable Library - web3-1.10.4.tgz
Path to dependency file: /blockchain_integration/pi_network/PiRide/package.json
Path to vulnerable library: /blockchain_integration/pi_network/contracts/node_modules/sha.js/package.json,/blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/sha.js/package.json,/blockchain_integration/pi_network/smartship/node_modules/sha.js/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/sha.js/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/sha.js/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/sha.js/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/sha.js/package.json,/projects/oracle-nexus/node_modules/sha.js/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/sha.js/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/sha.js/package.json,/blockchain_integration/pi_network/node_modules/sha.js/package.json,/blockchain_integration/pi_network/PiRide/node_modules/sha.js/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/sha.js/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/sha.js/package.json
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (web3 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-6545 |  Critical |
10.0 | pbkdf2-3.1.2.tgz | Transitive | 4.0.1 | ❌ |
| CVE-2026-23950 |  High |
8.8 | tar-4.4.19.tgz | Transitive | 4.0.1 | ❌ |
| CVE-2025-9288 | High |
8.7 | sha.js-2.4.11.tgz | Transitive | 4.0.1 | ❌ |
| CVE-2025-7783 | High |
8.7 | form-data-2.3.3.tgz | Transitive | 4.0.1 | ❌ |
| CVE-2026-24842 | High |
8.2 | tar-4.4.19.tgz | Transitive | 4.0.1 | ❌ |
| CVE-2025-57330 | High |
7.5 | web3-core-subscriptions-1.10.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-15284 | High |
7.5 | detected in multiple dependencies | Transitive | 4.0.1 | ❌ |
| CVE-2024-37890 | High |
7.5 | ws-3.3.3.tgz | Transitive | 4.0.1 | ❌ |
| CVE-2024-21505 | High |
7.5 | web3-utils-1.10.4.tgz | Transitive | N/A* | ❌ |
| CVE-2026-23745 | High |
7.1 | tar-4.4.19.tgz | Transitive | N/A* | ❌ |
| CVE-2025-6547 |  Medium |
6.8 | pbkdf2-3.1.2.tgz | Transitive | 4.0.1 | ❌ |
| CVE-2024-28863 | Medium |
6.5 | tar-4.4.19.tgz | Transitive | N/A* | ❌ |
| CVE-2023-26136 | Medium |
6.5 | tough-cookie-2.5.0.tgz | Transitive | 4.0.1 | ❌ |
| CVE-2023-28155 | Medium |
6.1 | request-2.88.2.tgz | Transitive | N/A* | ❌ |
| CVE-2025-57352 | Medium |
5.3 | min-document-2.19.0.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (13 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2025-6545
Vulnerable Library - pbkdf2-3.1.2.tgz
This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()
Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.2.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/PiRide/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/pbkdf2/package.json,/projects/oracle-nexus/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/contracts/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/smartship/node_modules/pbkdf2/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/pbkdf2/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-eth-1.10.4.tgz
- web3-eth-accounts-1.10.4.tgz
- common-2.6.5.tgz
- ethereumjs-util-7.1.5.tgz
- ethereum-cryptography-0.1.3.tgz
- ❌ pbkdf2-3.1.2.tgz (Vulnerable Library)
- ethereum-cryptography-0.1.3.tgz
- ethereumjs-util-7.1.5.tgz
- common-2.6.5.tgz
- web3-eth-accounts-1.10.4.tgz
- web3-eth-1.10.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js.
This issue affects pbkdf2: from 3.0.10 through 3.1.2.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-23
URL: CVE-2025-6545
CVSS 3 Score Details (10.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-h7cp-r72f-jxh6
Release Date: 2025-06-23
Fix Resolution (pbkdf2): 3.1.3
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2026-23950
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /blockchain_integration/pi_network/smartship/package.json
Path to vulnerable library: /blockchain_integration/pi_network/smartship/node_modules/swarm-js/node_modules/tar/package.json,/blockchain_integration/pi_network/PiRide/node_modules/tar/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/tar/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/tar/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/tar/package.json,/projects/oracle-nexus/node_modules/tar/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/tar/package.json,/blockchain_integration/pi_network/node_modules/tar/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/tar/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/tar/package.json,/blockchain_integration/pi_network/contracts/node_modules/tar/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- ❌ tar-4.4.19.tgz (Vulnerable Library)
- swarm-js-0.1.42.tgz
- web3-bzz-1.10.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the "path-reservations" system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., "ß" and "ss"), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a "PathReservations" system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using "NFD" Unicode normalization (in which "ß" and "ss" are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which "ß" causes an inode collision with "ss")). This enables an attacker to circumvent internal parallelization locks ("PathReservations") using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates "path-reservations.js" to use a normalization form that matches the target filesystem's behavior (e.g., "NFKD"), followed by first "toLocaleLowerCase('en')" and then "toLocaleUpperCase('en')". As a workaround, users who cannot upgrade promptly, and who are programmatically using "node-tar" to extract arbitrary tarball data should filter out all "SymbolicLink" entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
Publish Date: 2026-01-20
URL: CVE-2026-23950
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-r6q2-hw4h-h46w
Release Date: 2026-01-20
Fix Resolution (tar): 7.5.4
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2025-9288
Vulnerable Library - sha.js-2.4.11.tgz
Streamable SHA hashes in pure javascript
Library home page: https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz
Path to dependency file: /blockchain_integration/pi_network/contracts/package.json
Path to vulnerable library: /blockchain_integration/pi_network/contracts/node_modules/sha.js/package.json,/blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/sha.js/package.json,/blockchain_integration/pi_network/smartship/node_modules/sha.js/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/sha.js/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/sha.js/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/sha.js/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/sha.js/package.json,/projects/oracle-nexus/node_modules/sha.js/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/sha.js/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/sha.js/package.json,/blockchain_integration/pi_network/node_modules/sha.js/package.json,/blockchain_integration/pi_network/PiRide/node_modules/sha.js/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/sha.js/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/sha.js/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-eth-1.10.4.tgz
- web3-eth-accounts-1.10.4.tgz
- common-2.6.5.tgz
- ethereumjs-util-7.1.5.tgz
- create-hash-1.2.0.tgz
- ❌ sha.js-2.4.11.tgz (Vulnerable Library)
- create-hash-1.2.0.tgz
- ethereumjs-util-7.1.5.tgz
- common-2.6.5.tgz
- web3-eth-accounts-1.10.4.tgz
- web3-eth-1.10.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in sha.js allows Input Data Manipulation.This issue affects sha.js: through 2.4.11.
Publish Date: 2025-08-20
URL: CVE-2025-9288
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-08-20
Fix Resolution (sha.js): 2.4.12
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2025-7783
Vulnerable Library - form-data-2.3.3.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz
Path to dependency file: /blockchain_integration/pi_network/PiRide/package.json
Path to vulnerable library: /blockchain_integration/pi_network/PiRide/node_modules/request/node_modules/form-data/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/form-data/package.json,/blockchain_integration/pi_network/contracts/node_modules/request/node_modules/form-data/package.json,/blockchain_integration/pi_network/smartship/node_modules/form-data/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/form-data/package.json,/projects/oracle-nexus/node_modules/form-data/package.json,/blockchain_integration/pi_network/node_modules/request/node_modules/form-data/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/request/node_modules/form-data/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/request/node_modules/form-data/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/form-data/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/request/node_modules/form-data/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- servify-0.1.12.tgz
- request-2.88.2.tgz
- ❌ form-data-2.3.3.tgz (Vulnerable Library)
- request-2.88.2.tgz
- servify-0.1.12.tgz
- eth-lib-0.1.29.tgz
- swarm-js-0.1.42.tgz
- web3-bzz-1.10.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-18
URL: CVE-2025-7783
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-fjxv-7rqg-78g4
Release Date: 2025-07-18
Fix Resolution (form-data): 2.5.4
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2026-24842
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /blockchain_integration/pi_network/smartship/package.json
Path to vulnerable library: /blockchain_integration/pi_network/smartship/node_modules/swarm-js/node_modules/tar/package.json,/blockchain_integration/pi_network/PiRide/node_modules/tar/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/tar/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/tar/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/tar/package.json,/projects/oracle-nexus/node_modules/tar/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/tar/package.json,/blockchain_integration/pi_network/node_modules/tar/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/tar/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/tar/package.json,/blockchain_integration/pi_network/contracts/node_modules/tar/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- ❌ tar-4.4.19.tgz (Vulnerable Library)
- swarm-js-0.1.42.tgz
- web3-bzz-1.10.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Publish Date: 2026-01-28
URL: CVE-2026-24842
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-28
Fix Resolution (tar): 7.5.7
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2025-57330
Vulnerable Library - web3-core-subscriptions-1.10.4.tgz
Library home page: https://registry.npmjs.org/web3-core-subscriptions/-/web3-core-subscriptions-1.10.4.tgz
Path to dependency file: /sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/package.json
Path to vulnerable library: /sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/PiRide/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/smartship/node_modules/web3-core-subscriptions/package.json,/projects/oracle-nexus/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/contracts/node_modules/web3-core-subscriptions/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-shh-1.10.4.tgz
- ❌ web3-core-subscriptions-1.10.4.tgz (Vulnerable Library)
- web3-shh-1.10.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
The web3-core-subscriptions is a package designed to manages web3 subscriptions. A Prototype Pollution vulnerability in the attachToObject function of web3-core-subscriptions version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
Publish Date: 2025-09-24
URL: CVE-2025-57330
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Step up your Open Source Security Game with Mend here
CVE-2025-15284
Vulnerable Libraries - qs-6.13.0.tgz, qs-6.5.3.tgz
qs-6.13.0.tgz
Library home page: https://registry.npmjs.org/qs/-/qs-6.13.0.tgz
Path to dependency file: /blockchain_integration/pi_network/PiRide/package.json
Path to vulnerable library: /blockchain_integration/pi_network/PiRide/node_modules/qs/package.json,/blockchain_integration/pi_network/node_modules/qs/package.json,/server/node_modules/qs/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/qs/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/express/node_modules/qs/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/body-parser/node_modules/qs/package.json,/pi-nexus-api/node_modules/qs/package.json,/ai-financial-advisor/node_modules/qs/package.json,/projects/oracle-nexus/node_modules/qs/package.json,/projects/PiWalletBot/node_modules/qs/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/express/node_modules/qs/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/qs/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/qs/package.json,/blockchain_integration/pi_network/PiSure/server/node_modules/qs/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/qs/package.json,/blockchain_integration/pi_network/onramp-pi/node_modules/qs/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/qs/package.json,/blockchain_integration/pi_network/smartship/node_modules/qs/package.json,/projects/Nexarion/node_modules/qs/package.json,/blockchain_integration/pi_network/contracts/node_modules/qs/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/qs/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/body-parser/node_modules/qs/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- servify-0.1.12.tgz
- body-parser-1.20.3.tgz
- ❌ qs-6.13.0.tgz (Vulnerable Library)
- body-parser-1.20.3.tgz
- servify-0.1.12.tgz
- eth-lib-0.1.29.tgz
- swarm-js-0.1.42.tgz
- web3-bzz-1.10.4.tgz
qs-6.5.3.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.3.tgz
Path to dependency file: /blockchain_integration/pi_network/SpacePi/package.json
Path to vulnerable library: /blockchain_integration/pi_network/SpacePi/node_modules/request/node_modules/qs/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/request/node_modules/qs/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/request/node_modules/qs/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/request/node_modules/qs/package.json,/blockchain_integration/pi_network/contracts/node_modules/request/node_modules/qs/package.json,/blockchain_integration/pi_network/PiRide/node_modules/request/node_modules/qs/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/request/node_modules/qs/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/request/node_modules/qs/package.json,/projects/oracle-nexus/node_modules/request/node_modules/qs/package.json,/blockchain_integration/pi_network/node_modules/request/node_modules/qs/package.json,/blockchain_integration/pi_network/smartship/node_modules/request/node_modules/qs/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- servify-0.1.12.tgz
- request-2.88.2.tgz
- ❌ qs-6.5.3.tgz (Vulnerable Library)
- request-2.88.2.tgz
- servify-0.1.12.tgz
- eth-lib-0.1.29.tgz
- swarm-js-0.1.42.tgz
- web3-bzz-1.10.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1.
SummaryThe arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable.
DetailsThe arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).
Vulnerable code (lib/parse.js:159-162):
if (root === '[]' && options.parseArrays) {
obj = utils.combine([], leaf); // No arrayLimit check
}
Working code (lib/parse.js:175):
else if (index <= options.arrayLimit) { // Limit checked here
obj = [];
obj[index] = leaf;
}
The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.
PoCTest 1 - Basic bypass:
npm install qs
const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length); // Output: 6 (should be max 5)
Test 2 - DoS demonstration:
const qs = require('qs');
const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
const result = qs.parse(attack, { arrayLimit: 100 });
console.log(result.a.length); // Output: 10000 (should be max 100)
Configuration:
- arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2)
- Use bracket notation: a[]=value (not indexed a[0]=value)
ImpactDenial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection.
Attack scenario: - Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times)
- Application parses with qs.parse(query, { arrayLimit: 100 })
- qs ignores limit, parses all 100,000 elements into array
- Server memory exhausted → application crashes or becomes unresponsive
- Service unavailable for all users
Real-world impact: - Single malicious request can crash server
- No authentication required
- Easy to automate and scale
- Affects any endpoint parsing query strings with bracket notation
Publish Date: 2025-12-29
URL: CVE-2025-15284
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6rw7-vpxm-498p
Release Date: 2025-12-29
Fix Resolution (qs): 6.14.1
Direct dependency fix Resolution (web3): 4.0.1
Fix Resolution (qs): 6.14.1
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2024-37890
Vulnerable Library - ws-3.3.3.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-3.3.3.tgz
Path to dependency file: /blockchain_integration/pi_network/pi-network-interoperability/package.json
Path to vulnerable library: /blockchain_integration/pi_network/pi-network-interoperability/node_modules/eth-lib/node_modules/ws/package.json,/projects/oracle-nexus/node_modules/eth-lib/node_modules/ws/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/ws/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/eth-lib/node_modules/ws/package.json,/blockchain_integration/pi_network/contracts/node_modules/eth-lib/node_modules/ws/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/ws/package.json,/blockchain_integration/pi_network/node_modules/eth-lib/node_modules/ws/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/eth-lib/node_modules/ws/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/eth-lib/node_modules/ws/package.json,/blockchain_integration/pi_network/smartship/node_modules/ws/package.json,/blockchain_integration/pi_network/PiRide/node_modules/eth-lib/node_modules/ws/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- ❌ ws-3.3.3.tgz (Vulnerable Library)
- eth-lib-0.1.29.tgz
- swarm-js-0.1.42.tgz
- web3-bzz-1.10.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: 2024-06-17
URL: CVE-2024-37890
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3h5v-q93c-6h6q
Release Date: 2024-06-17
Fix Resolution (ws): 5.2.4
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2024-21505
Vulnerable Library - web3-utils-1.10.4.tgz
Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.10.4.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/web3/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/node_modules/web3-eth-accounts/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/web3-core-method/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/web3-eth-accounts/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/node_modules/web3-eth-accounts/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/web3-eth-accounts/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/web3-core-helpers/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/web3-eth/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/node_modules/web3-eth-personal/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/node_modules/web3-eth-ens/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/web3-core-method/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/web3-net/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/web3-core/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/web3-eth-contract/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/web3-eth-ens/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/smartship/node_modules/web3-utils/package.json,/projects/oracle-nexus/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/web3-eth/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/web3-eth/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/web3-core/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/web3-eth-accounts/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/node_modules/web3-core/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/node_modules/web3-net/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/web3-eth-ens/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/web3-core-method/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/node_modules/web3-eth-iban/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/web3-net/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/web3-net/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/web3-eth-personal/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/web3/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/web3-eth-iban/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/node_modules/web3-eth-iban/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/web3-eth-contract/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/web3-eth-iban/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/node_modules/web3-eth-contract/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/node_modules/web3-core-helpers/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/PiRide/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/node_modules/web3-core-method/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/node_modules/web3-core-helpers/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/node_modules/web3-eth/node_modules/web3-utils/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/node_modules/web3-eth/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/web3-eth-contract/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/node_modules/web3-net/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/node_modules/web3-eth-ens/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/web3-eth-personal/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/web3-eth-iban/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/node_modules/web3-core-method/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/web3-core-helpers/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/web3/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/web3-eth-personal/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/node_modules/web3-eth-contract/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/node_modules/web3/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/node_modules/web3-eth-personal/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/web3-eth-ens/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/web3-core/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/web3-core-helpers/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/node_modules/web3-core/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/web3/node_modules/web3-utils/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- ❌ web3-utils-1.10.4.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge.
An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.
Publish Date: 2024-03-25
URL: CVE-2024-21505
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-2g4c-8fpm-c46v
Release Date: 2024-03-25
Fix Resolution: web3-utils - 4.2.1
Step up your Open Source Security Game with Mend here
CVE-2026-23745
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /blockchain_integration/pi_network/smartship/package.json
Path to vulnerable library: /blockchain_integration/pi_network/smartship/node_modules/swarm-js/node_modules/tar/package.json,/blockchain_integration/pi_network/PiRide/node_modules/tar/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/tar/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/tar/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/tar/package.json,/projects/oracle-nexus/node_modules/tar/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/tar/package.json,/blockchain_integration/pi_network/node_modules/tar/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/tar/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/tar/package.json,/blockchain_integration/pi_network/contracts/node_modules/tar/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- ❌ tar-4.4.19.tgz (Vulnerable Library)
- swarm-js-0.1.42.tgz
- web3-bzz-1.10.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Publish Date: 2026-01-16
URL: CVE-2026-23745
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-16
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.3
Step up your Open Source Security Game with Mend here
CVE-2025-6547
Vulnerable Library - pbkdf2-3.1.2.tgz
This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()
Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.2.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/PiRide/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/pbkdf2/package.json,/projects/oracle-nexus/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/contracts/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/smartship/node_modules/pbkdf2/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/pbkdf2/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-eth-1.10.4.tgz
- web3-eth-accounts-1.10.4.tgz
- common-2.6.5.tgz
- ethereumjs-util-7.1.5.tgz
- ethereum-cryptography-0.1.3.tgz
- ❌ pbkdf2-3.1.2.tgz (Vulnerable Library)
- ethereum-cryptography-0.1.3.tgz
- ethereumjs-util-7.1.5.tgz
- common-2.6.5.tgz
- web3-eth-accounts-1.10.4.tgz
- web3-eth-1.10.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: <=3.1.2.
Publish Date: 2025-06-23
URL: CVE-2025-6547
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-v62p-rq8g-8h59
Release Date: 2025-06-23
Fix Resolution (pbkdf2): 3.1.3
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2024-28863
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /blockchain_integration/pi_network/smartship/package.json
Path to vulnerable library: /blockchain_integration/pi_network/smartship/node_modules/swarm-js/node_modules/tar/package.json,/blockchain_integration/pi_network/PiRide/node_modules/tar/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/tar/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/tar/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/tar/package.json,/projects/oracle-nexus/node_modules/tar/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/tar/package.json,/blockchain_integration/pi_network/node_modules/tar/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/tar/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/tar/package.json,/blockchain_integration/pi_network/contracts/node_modules/tar/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- ❌ tar-4.4.19.tgz (Vulnerable Library)
- swarm-js-0.1.42.tgz
- web3-bzz-1.10.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
Publish Date: 2024-03-21
URL: CVE-2024-28863
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-f5x3-32g6-xq36
Release Date: 2024-03-21
Fix Resolution: tar - 6.2.1
Step up your Open Source Security Game with Mend here
CVE-2023-26136
Vulnerable Library - tough-cookie-2.5.0.tgz
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz
Path to dependency file: /blockchain_integration/pi_network/PiSure/contracts/package.json
Path to vulnerable library: /blockchain_integration/pi_network/PiSure/contracts/node_modules/request/node_modules/tough-cookie/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/tough-cookie/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/tough-cookie/package.json,/blockchain_integration/pi_network/PiRide/node_modules/request/node_modules/tough-cookie/package.json,/blockchain_integration/pi_network/contracts/node_modules/request/node_modules/tough-cookie/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/request/node_modules/tough-cookie/package.json,/blockchain_integration/pi_network/smartship/node_modules/tough-cookie/package.json,/projects/oracle-nexus/node_modules/tough-cookie/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/tough-cookie/package.json,/blockchain_integration/pi_network/node_modules/request/node_modules/tough-cookie/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/request/node_modules/tough-cookie/package.json
Dependency Hierarchy:
- web3-1.10.4.tgz (Root Library)
- web3-bzz-1.10.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- servify-0.1.12.tgz
- request-2.88.2.tgz
- ❌ tough-cookie-2.5.0.tgz (Vulnerable Library)
- request-2.88.2.tgz
- servify-0.1.12.tgz
- eth-lib-0.1.29.tgz
- swarm-js-0.1.42.tgz
- web3-bzz-1.10.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution (tough-cookie): 4.1.3
Direct dependency fix Resolution (web3): 4.0.1
Step up your Open Source Security Game with Mend here