Skip to content

react-scripts-4.0.3.tgz: 48 vulnerabilities (highest severity is: 10.0) #38

New issue
New issue
Open
Open
react-scripts-4.0.3.tgz: 48 vulnerabilities (highest severity is: 10.0)#38
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on May 19, 2025
Vulnerable Library - react-scripts-4.0.3.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/js-yaml/package.json

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (react-scripts version) Remediation Possible**
CVE-2025-6545 Critical 10.0 pbkdf2-3.1.2.tgz Transitive 5.0.0
WS-2021-0153 Critical 9.8 ejs-2.7.4.tgz Transitive 5.0.0
CVE-2022-37601 Critical 9.8 loader-utils-2.0.0.tgz Transitive 5.0.0
CVE-2022-29078 Critical 9.8 ejs-2.7.4.tgz Transitive 5.0.0
CVE-2021-42740 Critical 9.8 shell-quote-1.7.2.tgz Transitive 5.0.0
CVE-2021-3757 Critical 9.8 immer-8.0.1.tgz Transitive N/A*
CVE-2025-9288 Critical 9.1 sha.js-2.4.11.tgz Transitive 5.0.0
CVE-2024-29415 Critical 9.1 ip-1.1.9.tgz Transitive N/A*
CVE-2024-33883 High 8.8 ejs-2.7.4.tgz Transitive N/A*
CVE-2025-7783 High 8.7 form-data-3.0.3.tgz Transitive 5.0.0
CVE-2025-12816 High 8.6 node-forge-0.10.0.tgz Transitive 5.0.0
CVE-2025-66031 High 7.5 node-forge-0.10.0.tgz Transitive 5.0.0
CVE-2025-15284 High 7.5 detected in multiple dependencies Transitive 5.0.0
CVE-2024-4068 High 7.5 braces-2.3.2.tgz Transitive N/A*
CVE-2024-21538 High 7.5 cross-spawn-7.0.3.tgz Transitive N/A*
CVE-2024-21536 High 7.5 http-proxy-middleware-0.19.1.tgz Transitive N/A*
CVE-2022-37603 High 7.5 loader-utils-2.0.0.tgz Transitive 5.0.0
CVE-2022-37599 High 7.5 loader-utils-2.0.0.tgz Transitive 5.0.0
CVE-2022-3517 High 7.5 minimatch-3.0.4.tgz Transitive N/A*
CVE-2022-24772 High 7.5 node-forge-0.10.0.tgz Transitive 5.0.0
CVE-2022-24771 High 7.5 node-forge-0.10.0.tgz Transitive 5.0.0
CVE-2021-3803 High 7.5 nth-check-1.0.2.tgz Transitive N/A*
CVE-2021-23424 High 7.5 ansi-html-0.0.7.tgz Transitive 5.0.0
CVE-2024-29180 High 7.4 webpack-dev-middleware-3.7.3.tgz Transitive 5.0.0
CVE-2021-23337 High 7.2 lodash.template-4.5.0.tgz Transitive N/A*
CVE-2025-6547 Medium 6.8 pbkdf2-3.1.2.tgz Transitive 5.0.0
WS-2022-0008 Medium 6.6 node-forge-0.10.0.tgz Transitive 5.0.0
CVE-2025-30360 Medium 6.5 webpack-dev-server-3.11.1.tgz Transitive N/A*
CVE-2024-43788 Medium 6.4 webpack-4.44.2.tgz Transitive 5.0.0
CVE-2024-47068 Medium 6.1 rollup-1.32.1.tgz Transitive 5.0.0
CVE-2022-0122 Medium 6.1 node-forge-0.10.0.tgz Transitive 5.0.0
CVE-2021-23436 Medium 5.6 immer-8.0.1.tgz Transitive N/A*
CVE-2024-11831 Medium 5.4 detected in multiple dependencies Transitive N/A*
CVE-2025-66030 Medium 5.3 node-forge-0.10.0.tgz Transitive 5.0.0
CVE-2025-64718 Medium 5.3 js-yaml-3.14.1.tgz Transitive N/A*
CVE-2025-30359 Medium 5.3 webpack-dev-server-3.11.1.tgz Transitive N/A*
CVE-2024-4067 Medium 5.3 micromatch-3.1.10.tgz Transitive 5.0.0
CVE-2023-44270 Medium 5.3 detected in multiple dependencies Transitive N/A*
CVE-2022-25883 Medium 5.3 semver-7.3.2.tgz Transitive 5.0.0
CVE-2022-24773 Medium 5.3 node-forge-0.10.0.tgz Transitive 5.0.0
CVE-2021-23364 Medium 5.3 browserslist-4.14.2.tgz Transitive 5.0.0
CVE-2020-28469 Medium 5.3 glob-parent-3.1.0.tgz Transitive 5.0.0
CVE-2025-32997 Medium 4.0 http-proxy-middleware-0.19.1.tgz Transitive 5.0.0
CVE-2025-32996 Medium 4.0 http-proxy-middleware-0.19.1.tgz Transitive 5.0.0
CVE-2025-7339 Low 3.4 on-headers-1.0.2.tgz Transitive 5.0.0
CVE-2025-59437 Low 3.2 ip-1.1.9.tgz Transitive N/A*
CVE-2025-59436 Low 3.2 ip-1.1.9.tgz Transitive N/A*
CVE-2025-5889 Low 3.1 brace-expansion-1.1.11.tgz Transitive 5.0.0

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (19 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2025-6545

Vulnerable Library - pbkdf2-3.1.2.tgz

This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()

Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.2.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/pbkdf2/package.json,/on_chain_payment_solution/dapp/node_modules/pbkdf2/package.json,/token-incentive-system/node_modules/pbkdf2/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-4.44.2.tgz
      • node-libs-browser-2.2.1.tgz
        • crypto-browserify-3.12.1.tgz
          • pbkdf2-3.1.2.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js.
This issue affects pbkdf2: from 3.0.10 through 3.1.2.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-06-23

URL: CVE-2025-6545

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h7cp-r72f-jxh6

Release Date: 2025-06-23

Fix Resolution (pbkdf2): 3.1.3

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

WS-2021-0153

Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/ejs/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • workbox-webpack-plugin-5.1.4.tgz
      • workbox-build-5.1.4.tgz
        • rollup-plugin-off-main-thread-1.4.2.tgz
          • ejs-2.7.4.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.

Publish Date: 2021-01-22

URL: WS-2021-0153

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-22

Fix Resolution (ejs): 3.1.6

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-37601

Vulnerable Library - loader-utils-2.0.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.0.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/react-dev-utils/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • react-dev-utils-11.0.4.tgz
      • loader-utils-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution (loader-utils): 2.0.3

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-29078

Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/ejs/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • workbox-webpack-plugin-5.1.4.tgz
      • workbox-build-5.1.4.tgz
        • rollup-plugin-off-main-thread-1.4.2.tgz
          • ejs-2.7.4.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Publish Date: 2022-04-25

URL: CVE-2022-29078

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~

Release Date: 2022-04-25

Fix Resolution (ejs): 3.1.7

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-42740

Vulnerable Library - shell-quote-1.7.2.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/shell-quote/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • react-dev-utils-11.0.4.tgz
      • shell-quote-1.7.2.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution (shell-quote): 1.7.3

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-3757

Vulnerable Library - immer-8.0.1.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-8.0.1.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/immer/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • react-dev-utils-11.0.4.tgz
      • immer-8.0.1.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-09-02

URL: CVE-2021-3757

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c36v-fmgq-m8hx

Release Date: 2021-09-02

Fix Resolution: immer - 9.0.6,immer - 9.0.6

Step up your Open Source Security Game with Mend here

CVE-2025-9288

Vulnerable Library - sha.js-2.4.11.tgz

Streamable SHA hashes in pure javascript

Library home page: https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz

Path to dependency file: /token-incentive-system/package.json

Path to vulnerable library: /token-incentive-system/node_modules/sha.js/package.json,/api-gateway/node_modules/sha.js/package.json,/ar-vr-experience/node_modules/sha.js/package.json,/on_chain_payment_solution/dapp/node_modules/sha.js/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-4.44.2.tgz
      • node-libs-browser-2.2.1.tgz
        • crypto-browserify-3.12.1.tgz
          • create-hash-1.2.0.tgz
            • sha.js-2.4.11.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in sha.js allows Input Data Manipulation.This issue affects sha.js: through 2.4.11.

Publish Date: 2025-08-20

URL: CVE-2025-9288

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-08-20

Fix Resolution (sha.js): 2.4.12

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2024-29415

Vulnerable Library - ip-1.1.9.tgz

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.9.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/ip/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • ip-1.1.9.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282. We assigned a different CVSS score to this CVE because of its potential to result in a Server-Side Request Forgery (SSRF) vulnerability. Additionally, the package is no longer maintained, which increases the associated risk.

Publish Date: 2024-05-27

URL: CVE-2024-29415

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2024-33883

Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/ejs/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • workbox-webpack-plugin-5.1.4.tgz
      • workbox-build-5.1.4.tgz
        • rollup-plugin-off-main-thread-1.4.2.tgz
          • ejs-2.7.4.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.

Publish Date: 2024-04-28

URL: CVE-2024-33883

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-33883

Release Date: 2024-04-28

Fix Resolution: ejs - 3.1.10

Step up your Open Source Security Game with Mend here

CVE-2025-7783

Vulnerable Library - form-data-3.0.3.tgz

A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.

Library home page: https://registry.npmjs.org/form-data/-/form-data-3.0.3.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/form-data/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • jest-26.6.0.tgz
      • jest-cli-26.6.3.tgz
        • jest-config-26.6.3.tgz
          • jest-environment-jsdom-26.6.2.tgz
            • jsdom-16.7.0.tgz
              • form-data-3.0.3.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-07-18

URL: CVE-2025-7783

CVSS 3 Score Details (8.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fjxv-7rqg-78g4

Release Date: 2025-07-18

Fix Resolution (form-data): 3.0.4

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2025-12816

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/node-forge/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • selfsigned-1.10.14.tgz
        • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

Publish Date: 2025-11-25

URL: CVE-2025-12816

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5gfm-wpxj-wjgq

Release Date: 2025-11-25

Fix Resolution (node-forge): 1.3.2

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2025-66031

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/node-forge/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • selfsigned-1.10.14.tgz
        • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.

Publish Date: 2025-11-26

URL: CVE-2025-66031

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-554w-wpv2-vw27

Release Date: 2025-11-26

Fix Resolution (node-forge): 1.3.2

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2025-15284

Vulnerable Libraries - qs-6.13.0.tgz, qs-6.14.0.tgz

qs-6.13.0.tgz

Library home page: https://registry.npmjs.org/qs/-/qs-6.13.0.tgz

Path to dependency file: /api-gateway/package.json

Path to vulnerable library: /api-gateway/node_modules/qs/package.json,/on_chain_payment_solution/dapp/node_modules/express/node_modules/qs/package.json,/on_chain_payment_solution/dapp/node_modules/body-parser/node_modules/qs/package.json,/rpa_automation/node_modules/qs/package.json,/token-incentive-system/node_modules/qs/package.json,/ar-vr-experience/node_modules/qs/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • express-4.21.2.tgz
        • qs-6.13.0.tgz (Vulnerable Library)

qs-6.14.0.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.14.0.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/qs/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • url-0.11.4.tgz
        • qs-6.14.0.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. SummaryThe arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable. DetailsThe arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2). Vulnerable code (lib/parse.js:159-162): if (root === '[]' && options.parseArrays) { obj = utils.combine([], leaf); // No arrayLimit check } Working code (lib/parse.js:175): else if (index <= options.arrayLimit) { // Limit checked here obj = []; obj[index] = leaf; } The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays. PoCTest 1 - Basic bypass: npm install qs const qs = require('qs'); const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 }); console.log(result.a.length); // Output: 6 (should be max 5) Test 2 - DoS demonstration: const qs = require('qs'); const attack = 'a[]=' + Array(10000).fill('x').join('&a[]='); const result = qs.parse(attack, { arrayLimit: 100 }); console.log(result.a.length); // Output: 10000 (should be max 100) Configuration: * arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2) * Use bracket notation: a[]=value (not indexed a[0]=value) ImpactDenial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection. Attack scenario: * Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times) * Application parses with qs.parse(query, { arrayLimit: 100 }) * qs ignores limit, parses all 100,000 elements into array * Server memory exhausted → application crashes or becomes unresponsive * Service unavailable for all users Real-world impact: * Single malicious request can crash server * No authentication required * Easy to automate and scale * Affects any endpoint parsing query strings with bracket notation

Publish Date: 2025-12-29

URL: CVE-2025-15284

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6rw7-vpxm-498p

Release Date: 2025-12-29

Fix Resolution (qs): 6.14.1

Direct dependency fix Resolution (react-scripts): 5.0.0

Fix Resolution (qs): 6.14.1

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2024-4068

Vulnerable Library - braces-2.3.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/sane/node_modules/braces/package.json,/on_chain_payment_solution/dapp/node_modules/webpack/node_modules/braces/package.json,/on_chain_payment_solution/dapp/node_modules/watchpack-chokidar2/node_modules/braces/package.json,/on_chain_payment_solution/dapp/node_modules/webpack-dev-server/node_modules/braces/package.json,/on_chain_payment_solution/dapp/node_modules/fork-ts-checker-webpack-plugin/node_modules/braces/package.json,/on_chain_payment_solution/dapp/node_modules/http-proxy-middleware/node_modules/braces/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-4.44.2.tgz
      • watchpack-1.7.5.tgz
        • watchpack-chokidar2-2.0.1.tgz
          • chokidar-2.1.8.tgz
            • braces-2.3.2.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In "lib/parse.js," if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash. After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.

Publish Date: 2024-05-13

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution: braces - 3.0.3

Step up your Open Source Security Game with Mend here

CVE-2024-21538

Vulnerable Library - cross-spawn-7.0.3.tgz

Cross platform child_process#spawn and child_process#spawnSync

Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/react-dev-utils/node_modules/cross-spawn/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • react-dev-utils-11.0.4.tgz
      • cross-spawn-7.0.3.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

Publish Date: 2024-11-08

URL: CVE-2024-21538

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-21538

Release Date: 2024-11-08

Fix Resolution: org.webjars.npm:cross-spawn:6.0.6,org.webjars.npm:cross-spawn:7.0.5,https://github.com/moxystudio/node-cross-spawn.git - v6.0.6,https://github.com/moxystudio/node-cross-spawn.git - v7.0.5

Step up your Open Source Security Game with Mend here

CVE-2024-21536

Vulnerable Library - http-proxy-middleware-0.19.1.tgz

The one-liner node.js proxy middleware for connect, express and browser-sync

Library home page: https://registry.npmjs.org/http-proxy-middleware/-/http-proxy-middleware-0.19.1.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/http-proxy-middleware/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • http-proxy-middleware-0.19.1.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.

Publish Date: 2024-10-19

URL: CVE-2024-21536

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c7qv-q95q-8v27

Release Date: 2024-10-19

Fix Resolution: http-proxy-middleware - 3.0.3,http-proxy-middleware - 2.0.7

Step up your Open Source Security Game with Mend here

CVE-2022-37603

Vulnerable Library - loader-utils-2.0.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.0.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/react-dev-utils/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • react-dev-utils-11.0.4.tgz
      • loader-utils-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.

Publish Date: 2022-10-14

URL: CVE-2022-37603

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3rfm-jhwj-7488

Release Date: 2022-10-14

Fix Resolution (loader-utils): 2.0.4

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-37599

Vulnerable Library - loader-utils-2.0.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.0.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/react-dev-utils/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • react-dev-utils-11.0.4.tgz
      • loader-utils-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.

Publish Date: 2022-10-11

URL: CVE-2022-37599

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hhq3-ff78-jv3g

Release Date: 2022-10-11

Fix Resolution (loader-utils): 2.0.3

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /on_chain_payment_solution/dapp/package.json

Path to vulnerable library: /on_chain_payment_solution/dapp/node_modules/recursive-readdir/node_modules/minimatch/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • react-dev-utils-11.0.4.tgz
      • recursive-readdir-2.2.2.tgz
        • minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-f8q6-p94x-37v3

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions