Skip to content

react-scripts-4.0.3.tgz: 78 vulnerabilities (highest severity is: 10.0) #38

Open
Open
react-scripts-4.0.3.tgz: 78 vulnerabilities (highest severity is: 10.0)#38
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on May 19, 2025
Vulnerable Library - react-scripts-4.0.3.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/js-yaml/package.json

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (react-scripts version) Remediation Possible**
CVE-2025-6545 Critical 10.0 pbkdf2-3.1.2.tgz Transitive 5.0.0
WS-2021-0153 Critical 9.8 ejs-2.7.4.tgz Transitive 5.0.0
CVE-2026-33228 Critical 9.8 flatted-3.3.3.tgz Transitive N/A*
CVE-2026-1615 Critical 9.8 jsonpath-1.1.1.tgz Transitive 5.0.0
CVE-2025-61140 Critical 9.8 jsonpath-1.1.1.tgz Transitive N/A*
CVE-2022-37601 Critical 9.8 loader-utils-2.0.0.tgz Transitive 5.0.0
CVE-2022-29078 Critical 9.8 ejs-2.7.4.tgz Transitive 5.0.0
CVE-2021-42740 Critical 9.8 shell-quote-1.7.2.tgz Transitive 5.0.0
CVE-2026-27606 Critical 9.1 rollup-1.32.1.tgz Transitive N/A*
CVE-2024-29415 Critical 9.1 ip-1.1.9.tgz Transitive N/A*
CVE-2026-23950 High 8.8 tar-6.2.1.tgz Transitive 5.0.0
CVE-2025-9288 High 8.7 sha.js-2.4.11.tgz Transitive 5.0.0
CVE-2025-7783 High 8.7 form-data-3.0.3.tgz Transitive 5.0.0
CVE-2025-12816 High 8.6 node-forge-0.10.0.tgz Transitive 5.0.0
CVE-2026-24842 High 8.2 tar-6.2.1.tgz Transitive 5.0.0
CVE-2026-4867 High 7.5 path-to-regexp-0.1.12.tgz Transitive N/A*
CVE-2026-33895 High 7.5 node-forge-0.10.0.tgz Transitive N/A*
CVE-2026-33894 High 7.5 node-forge-0.10.0.tgz Transitive N/A*
CVE-2026-33891 High 7.5 node-forge-0.10.0.tgz Transitive N/A*
CVE-2026-33671 High 7.5 picomatch-2.3.1.tgz Transitive N/A*
CVE-2026-32141 High 7.5 flatted-3.3.3.tgz Transitive N/A*
CVE-2026-27904 High 7.5 detected in multiple dependencies Transitive 5.0.0
CVE-2026-27903 High 7.5 detected in multiple dependencies Transitive N/A*
CVE-2026-27601 High 7.5 underscore-1.12.1.tgz Transitive N/A*
CVE-2026-26996 High 7.5 detected in multiple dependencies Transitive N/A*
CVE-2025-66031 High 7.5 node-forge-0.10.0.tgz Transitive 5.0.0
CVE-2024-4068 High 7.5 braces-2.3.2.tgz Transitive N/A*
CVE-2024-21538 High 7.5 cross-spawn-7.0.3.tgz Transitive N/A*
CVE-2024-21536 High 7.5 http-proxy-middleware-0.19.1.tgz Transitive N/A*
CVE-2022-37603 High 7.5 loader-utils-2.0.0.tgz Transitive 5.0.0
CVE-2022-37599 High 7.5 loader-utils-2.0.0.tgz Transitive 5.0.0
CVE-2022-3517 High 7.5 minimatch-3.0.4.tgz Transitive N/A*
CVE-2022-24772 High 7.5 node-forge-0.10.0.tgz Transitive 5.0.0
CVE-2022-24771 High 7.5 node-forge-0.10.0.tgz Transitive 5.0.0
CVE-2021-3803 High 7.5 nth-check-1.0.2.tgz Transitive N/A*
CVE-2021-3757 High 7.5 immer-8.0.1.tgz Transitive N/A*
CVE-2026-33896 High 7.4 node-forge-0.10.0.tgz Transitive N/A*
CVE-2024-29180 High 7.4 webpack-dev-middleware-3.7.3.tgz Transitive 5.0.0
CVE-2025-13465 High 7.2 lodash-4.17.21.tgz Transitive N/A*
CVE-2021-23337 High 7.2 lodash.template-4.5.0.tgz Transitive N/A*
CVE-2026-31802 High 7.1 tar-6.2.1.tgz Transitive N/A*
CVE-2026-29786 High 7.1 tar-6.2.1.tgz Transitive N/A*
CVE-2026-26960 High 7.1 tar-6.2.1.tgz Transitive 5.0.0
CVE-2026-23745 High 7.1 tar-6.2.1.tgz Transitive N/A*
CVE-2025-6547 Medium 6.8 pbkdf2-3.1.2.tgz Transitive 5.0.0
WS-2022-0008 Medium 6.6 node-forge-0.10.0.tgz Transitive 5.0.0
CVE-2026-33750 Medium 6.5 brace-expansion-1.1.11.tgz Transitive N/A*
CVE-2025-30360 Medium 6.5 webpack-dev-server-3.11.1.tgz Transitive N/A*
CVE-2024-43788 Medium 6.4 webpack-4.44.2.tgz Transitive 5.0.0
CVE-2024-47068 Medium 6.1 rollup-1.32.1.tgz Transitive 5.0.0
CVE-2026-34043 Medium 5.9 detected in multiple dependencies Transitive N/A*
CVE-2025-14505 Medium 5.6 elliptic-6.6.1.tgz Transitive N/A*
CVE-2021-23436 Medium 5.6 immer-8.0.1.tgz Transitive N/A*
CVE-2024-11831 Medium 5.4 detected in multiple dependencies Transitive N/A*
CVE-2026-33672 Medium 5.3 picomatch-2.3.1.tgz Transitive N/A*
CVE-2026-2739 Medium 5.3 detected in multiple dependencies Transitive N/A*
CVE-2025-66030 Medium 5.3 node-forge-0.10.0.tgz Transitive 5.0.0
CVE-2025-64718 Medium 5.3 js-yaml-3.14.1.tgz Transitive N/A*
CVE-2025-30359 Medium 5.3 webpack-dev-server-3.11.1.tgz Transitive N/A*
CVE-2024-4067 Medium 5.3 micromatch-3.1.10.tgz Transitive 5.0.0
CVE-2023-44270 Medium 5.3 detected in multiple dependencies Transitive N/A*
CVE-2022-25883 Medium 5.3 semver-7.3.2.tgz Transitive 5.0.0
CVE-2022-24773 Medium 5.3 node-forge-0.10.0.tgz Transitive 5.0.0
CVE-2022-0122 Medium 5.3 node-forge-0.10.0.tgz Transitive 5.0.0
CVE-2021-23364 Medium 5.3 browserslist-4.14.2.tgz Transitive 5.0.0
CVE-2020-28469 Medium 5.3 glob-parent-3.1.0.tgz Transitive 5.0.0
CVE-2026-33532 Medium 4.3 yaml-1.10.2.tgz Transitive N/A*
CVE-2025-32997 Medium 4.0 http-proxy-middleware-0.19.1.tgz Transitive 5.0.0
CVE-2025-32996 Medium 4.0 http-proxy-middleware-0.19.1.tgz Transitive 5.0.0
CVE-2024-33883 Medium 4.0 ejs-2.7.4.tgz Transitive N/A*
CVE-2026-2391 Low 3.7 detected in multiple dependencies Transitive 5.0.0
CVE-2025-15284 Low 3.7 detected in multiple dependencies Transitive 5.0.0
CVE-2025-7339 Low 3.4 on-headers-1.0.2.tgz Transitive 5.0.0
CVE-2026-3449 Low 3.3 once-1.1.2.tgz Transitive N/A*
CVE-2025-59437 Low 3.2 ip-1.1.9.tgz Transitive N/A*
CVE-2025-59436 Low 3.2 ip-1.1.9.tgz Transitive N/A*
CVE-2025-5889 Low 3.1 brace-expansion-1.1.11.tgz Transitive 5.0.0
CVE-2025-69873 Low 2.9 detected in multiple dependencies Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (16 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2025-6545

Vulnerable Library - pbkdf2-3.1.2.tgz

This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()

Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.2.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/pbkdf2/package.json,/on_chain_payment_solution/dapp/node_modules/pbkdf2/package.json,/token-incentive-system/node_modules/pbkdf2/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-4.44.2.tgz
      • node-libs-browser-2.2.1.tgz
        • crypto-browserify-3.12.1.tgz
          • pbkdf2-3.1.2.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js.
This issue affects pbkdf2: from 3.0.10 through 3.1.2.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-06-23

URL: CVE-2025-6545

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h7cp-r72f-jxh6

Release Date: 2025-06-23

Fix Resolution (pbkdf2): 3.1.3

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

WS-2021-0153

Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/ejs/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • workbox-webpack-plugin-5.1.4.tgz
      • workbox-build-5.1.4.tgz
        • rollup-plugin-off-main-thread-1.4.2.tgz
          • ejs-2.7.4.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.

Publish Date: 2021-01-22

URL: WS-2021-0153

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-22

Fix Resolution (ejs): 3.1.6

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2026-33228

Vulnerable Library - flatted-3.3.3.tgz

A super light and fast circular JSON parser.

Library home page: https://registry.npmjs.org/flatted/-/flatted-3.3.3.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/flatted/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • eslint-7.32.0.tgz
      • file-entry-cache-6.0.1.tgz
        • flat-cache-3.2.0.tgz
          • flatted-3.3.3.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "proto" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2026-03-20

URL: CVE-2026-33228

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-20

Fix Resolution: https://github.com/WebReflection/flatted.git - v3.4.2

Step up your Open Source Security Game with Mend here

CVE-2026-1615

Vulnerable Library - jsonpath-1.1.1.tgz

Query JavaScript objects with JSONPath expressions. Robust / safe JSONPath engine for Node.js.

Library home page: https://registry.npmjs.org/jsonpath/-/jsonpath-1.1.1.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/jsonpath/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • bfj-7.1.0.tgz
      • jsonpath-1.1.1.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Affected versions of the package jsonpath are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2026-02-09

URL: CVE-2026-1615

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-02-09

Fix Resolution (jsonpath): 1.3.0

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2025-61140

Vulnerable Library - jsonpath-1.1.1.tgz

Query JavaScript objects with JSONPath expressions. Robust / safe JSONPath engine for Node.js.

Library home page: https://registry.npmjs.org/jsonpath/-/jsonpath-1.1.1.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/jsonpath/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • bfj-7.1.0.tgz
      • jsonpath-1.1.1.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.

Publish Date: 2026-01-28

URL: CVE-2025-61140

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6c59-mwgh-r2x6

Release Date: 2026-01-28

Fix Resolution: jsonpath - 1.2.0

Step up your Open Source Security Game with Mend here

CVE-2022-37601

Vulnerable Library - loader-utils-2.0.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.0.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/react-dev-utils/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • react-dev-utils-11.0.4.tgz
      • loader-utils-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution (loader-utils): 2.0.3

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-29078

Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/ejs/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • workbox-webpack-plugin-5.1.4.tgz
      • workbox-build-5.1.4.tgz
        • rollup-plugin-off-main-thread-1.4.2.tgz
          • ejs-2.7.4.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Publish Date: 2022-04-25

URL: CVE-2022-29078

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~

Release Date: 2022-04-25

Fix Resolution (ejs): 3.1.7

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-42740

Vulnerable Library - shell-quote-1.7.2.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/shell-quote/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • react-dev-utils-11.0.4.tgz
      • shell-quote-1.7.2.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution (shell-quote): 1.7.3

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2026-27606

Vulnerable Library - rollup-1.32.1.tgz

Next-generation ES module bundler

Library home page: https://registry.npmjs.org/rollup/-/rollup-1.32.1.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/rollup/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • workbox-webpack-plugin-5.1.4.tgz
      • workbox-build-5.1.4.tgz
        • rollup-1.32.1.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences ("../") to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.

Publish Date: 2026-02-25

URL: CVE-2026-27606

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-02-25

Fix Resolution: https://github.com/rollup/rollup.git - v2.80.0,https://github.com/rollup/rollup.git - v3.30.0,https://github.com/rollup/rollup.git - v4.59.0

Step up your Open Source Security Game with Mend here

CVE-2024-29415

Vulnerable Library - ip-1.1.9.tgz

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.9.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/ip/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • ip-1.1.9.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282. We assigned a different CVSS score to this CVE because of its potential to result in a Server-Side Request Forgery (SSRF) vulnerability. Additionally, the package is no longer maintained, which increases the associated risk.

Publish Date: 2024-05-27

URL: CVE-2024-29415

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2026-23950

Vulnerable Library - tar-6.2.1.tgz

Library home page: https://registry.npmjs.org/tar/-/tar-6.2.1.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/tar/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • terser-webpack-plugin-4.2.3.tgz
      • cacache-15.3.0.tgz
        • tar-6.2.1.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the "path-reservations" system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., "ß" and "ss"), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a "PathReservations" system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using "NFD" Unicode normalization (in which "ß" and "ss" are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which "ß" causes an inode collision with "ss")). This enables an attacker to circumvent internal parallelization locks ("PathReservations") using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates "path-reservations.js" to use a normalization form that matches the target filesystem's behavior (e.g., "NFKD"), followed by first "toLocaleLowerCase('en')" and then "toLocaleUpperCase('en')". As a workaround, users who cannot upgrade promptly, and who are programmatically using "node-tar" to extract arbitrary tarball data should filter out all "SymbolicLink" entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.

Publish Date: 2026-01-20

URL: CVE-2026-23950

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r6q2-hw4h-h46w

Release Date: 2026-01-20

Fix Resolution (tar): 7.5.4

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2025-9288

Vulnerable Library - sha.js-2.4.11.tgz

Streamable SHA hashes in pure javascript

Library home page: https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz

Path to dependency file: /token-incentive-system/package.json

Path to vulnerable library: /token-incentive-system/node_modules/sha.js/package.json,/api-gateway/node_modules/sha.js/package.json,/ar-vr-experience/node_modules/sha.js/package.json,/on_chain_payment_solution/dapp/node_modules/sha.js/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-4.44.2.tgz
      • node-libs-browser-2.2.1.tgz
        • crypto-browserify-3.12.1.tgz
          • create-hash-1.2.0.tgz
            • sha.js-2.4.11.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in sha.js allows Input Data Manipulation.This issue affects sha.js: through 2.4.11.

Publish Date: 2025-08-20

URL: CVE-2025-9288

CVSS 3 Score Details (8.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-08-20

Fix Resolution (sha.js): 2.4.12

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2025-7783

Vulnerable Library - form-data-3.0.3.tgz

A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.

Library home page: https://registry.npmjs.org/form-data/-/form-data-3.0.3.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/form-data/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • jest-26.6.0.tgz
      • jest-cli-26.6.3.tgz
        • jest-config-26.6.3.tgz
          • jest-environment-jsdom-26.6.2.tgz
            • jsdom-16.7.0.tgz
              • form-data-3.0.3.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-07-18

URL: CVE-2025-7783

CVSS 3 Score Details (8.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fjxv-7rqg-78g4

Release Date: 2025-07-18

Fix Resolution (form-data): 3.0.4

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2025-12816

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/node-forge/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • selfsigned-1.10.14.tgz
        • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

Publish Date: 2025-11-25

URL: CVE-2025-12816

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5gfm-wpxj-wjgq

Release Date: 2025-11-25

Fix Resolution (node-forge): 1.3.2

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2026-24842

Vulnerable Library - tar-6.2.1.tgz

Library home page: https://registry.npmjs.org/tar/-/tar-6.2.1.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/tar/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • terser-webpack-plugin-4.2.3.tgz
      • cacache-15.3.0.tgz
        • tar-6.2.1.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

Publish Date: 2026-01-28

URL: CVE-2026-24842

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-01-28

Fix Resolution (tar): 7.5.7

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2026-4867

Vulnerable Library - path-to-regexp-0.1.12.tgz

Express style path to RegExp utility

Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.12.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/path-to-regexp/package.json,/token-incentive-system/node_modules/path-to-regexp/package.json,/api-gateway/node_modules/path-to-regexp/package.json,/rpa_automation/node_modules/path-to-regexp/package.json,/on_chain_payment_solution/dapp/node_modules/path-to-regexp/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • express-4.21.2.tgz
        • path-to-regexp-0.1.12.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Impact:
A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.
Patches:
Upgrade to path-to-regexp@0.1.13
Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.
Workarounds:
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).
If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.

Publish Date: 2026-03-26

URL: CVE-2026-4867

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-37ch-88jc-xwx2

Release Date: 2026-03-26

Fix Resolution: path-to-regexp - 0.1.13

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions