graphql-4.6.1.tgz: 4 vulnerabilities (highest severity is: 8.8) #137
Description
Vulnerable Library - graphql-4.6.1.tgz
Path to dependency file: /back/package.json
Path to vulnerable library: /back/node_modules/node-fetch/package.json
Found in HEAD commit: a8aac7ef7c0f326ac28134b733a159f6af102963
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (graphql version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-0235 |  High |
8.8 | node-fetch-2.6.1.tgz | Transitive | 4.6.2 | ❌ |
| CVE-2025-25290 |  Medium |
5.3 | request-5.4.14.tgz | Transitive | 7.1.1 | ❌ |
| CVE-2025-25289 | Medium |
5.3 | request-error-2.0.5.tgz | Transitive | N/A* | ❌ |
| CVE-2025-25285 | Medium |
5.3 | endpoint-6.0.11.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-0235
Vulnerable Library - node-fetch-2.6.1.tgz
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz
Path to dependency file: /back/package.json
Path to vulnerable library: /back/node_modules/node-fetch/package.json
Dependency Hierarchy:
- graphql-4.6.1.tgz (Root Library)
- request-5.4.14.tgz
- ❌ node-fetch-2.6.1.tgz (Vulnerable Library)
- request-5.4.14.tgz
Found in HEAD commit: a8aac7ef7c0f326ac28134b733a159f6af102963
Found in base branch: develop
Vulnerability Details
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution (node-fetch): 2.6.7
Direct dependency fix Resolution (@octokit/graphql): 4.6.2
Step up your Open Source Security Game with Mend here
CVE-2025-25290
Vulnerable Library - request-5.4.14.tgz
Send parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node
Library home page: https://registry.npmjs.org/@octokit/request/-/request-5.4.14.tgz
Path to dependency file: /back/package.json
Path to vulnerable library: /back/node_modules/@octokit/request/package.json
Dependency Hierarchy:
- graphql-4.6.1.tgz (Root Library)
- ❌ request-5.4.14.tgz (Vulnerable Library)
Found in HEAD commit: a8aac7ef7c0f326ac28134b733a159f6af102963
Found in base branch: develop
Vulnerability Details
@octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression "/<([^>]+)>; rel="deprecation"/" used to match the "link" header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious "link" header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. Versions 9.2.1 and 8.4.1 fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-02-14
URL: CVE-2025-25290
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-rmvr-2pp2-xj38
Release Date: 2025-02-14
Fix Resolution (@octokit/request): 8.4.1
Direct dependency fix Resolution (@octokit/graphql): 7.1.1
Step up your Open Source Security Game with Mend here
CVE-2025-25289
Vulnerable Library - request-error-2.0.5.tgz
Error class for Octokit request errors
Library home page: https://registry.npmjs.org/@octokit/request-error/-/request-error-2.0.5.tgz
Path to dependency file: /back/package.json
Path to vulnerable library: /back/node_modules/@octokit/request-error/package.json
Dependency Hierarchy:
- graphql-4.6.1.tgz (Root Library)
- request-5.4.14.tgz
- ❌ request-error-2.0.5.tgz (Vulnerable Library)
- request-5.4.14.tgz
Found in HEAD commit: a8aac7ef7c0f326ac28134b733a159f6af102963
Found in base branch: develop
Vulnerability Details
@octokit/request-error is an error class for Octokit request errors. Starting in version 1.0.0 and prior to version 6.1.7, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability. Version 6.1.7 contains a fix for the issue.
Publish Date: 2025-02-14
URL: CVE-2025-25289
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2025-02-14
Fix Resolution: @octokit/request-error - 5.1.1,6.1.7
Step up your Open Source Security Game with Mend here
CVE-2025-25285
Vulnerable Library - endpoint-6.0.11.tgz
Turns REST API endpoints into generic request options
Library home page: https://registry.npmjs.org/@octokit/endpoint/-/endpoint-6.0.11.tgz
Path to dependency file: /back/package.json
Path to vulnerable library: /back/node_modules/@octokit/endpoint/package.json
Dependency Hierarchy:
- graphql-4.6.1.tgz (Root Library)
- request-5.4.14.tgz
- ❌ endpoint-6.0.11.tgz (Vulnerable Library)
- request-5.4.14.tgz
Found in HEAD commit: a8aac7ef7c0f326ac28134b733a159f6af102963
Found in base branch: develop
Vulnerability Details
@octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific "options" parameters, the "endpoint.parse(options)" call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the "parse" function within the "parse.ts" file of the npm package "@octokit/endpoint". Version 10.1.3 contains a patch for the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-02-14
URL: CVE-2025-25285
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-x4c5-c7rf-jjgv
Release Date: 2025-02-14
Fix Resolution: @octokit/endpoint - 9.0.6,10.1.3
Step up your Open Source Security Game with Mend here