Skip to content

react-native-0.79.2.tgz: 19 vulnerabilities (highest severity is: 9.8) #218

Open
Open
react-native-0.79.2.tgz: 19 vulnerabilities (highest severity is: 9.8)#218
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Jun 11, 2025
Vulnerable Library - react-native-0.79.2.tgz

Path to dependency file: /Multiparty/package.json

Path to vulnerable library: /Archiving/node_modules/fast-xml-parser/package.json,/Signaling/node_modules/fast-xml-parser/package.json,/ScreenSharing/node_modules/fast-xml-parser/package.json,/BasicVideoChat/node_modules/fast-xml-parser/package.json,/BackgroundBlur/node_modules/fast-xml-parser/package.json,/BasicVideoChatNewArchitecture/node_modules/fast-xml-parser/package.json,/Multiparty/node_modules/fast-xml-parser/package.json

Vulnerabilities

Vulnerability Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (react-native version) Remediation Possible** Reachability
CVE-2025-11953 Critical 9.8 High 3.4% detected in multiple dependencies Transitive 0.79.3

Unreachable
CVE-2026-25896 Critical 9.3 Not Defined 0.0% fast-xml-parser-4.5.3.tgz Transitive N/A*

Unreachable
CVE-2026-27904 High 7.5 Not Defined 0.0% minimatch-3.1.2.tgz Transitive 0.79.3

Unreachable
CVE-2026-27903 High 7.5 Not Defined 0.0% minimatch-3.1.2.tgz Transitive N/A*

Unreachable
CVE-2026-26996 High 7.5 Not Defined 0.0% minimatch-3.1.2.tgz Transitive N/A*

Unreachable
CVE-2026-26278 High 7.5 Not Defined 0.0% fast-xml-parser-4.5.3.tgz Transitive N/A*

Unreachable
CVE-2026-25128 High 7.5 Not Defined 0.1% fast-xml-parser-4.5.3.tgz Transitive N/A*

Unreachable
CVE-2026-27942 Medium 5.3 Not Defined 0.1% fast-xml-parser-4.5.3.tgz Transitive N/A*

Unreachable
CVE-2025-64718 Medium 5.3 Not Defined 0.0% detected in multiple dependencies Transitive N/A*

Unreachable
CVE-2026-2391 Low 3.7 Not Defined 0.1% qs-6.13.0.tgz Transitive 0.79.3

Unreachable
CVE-2025-15284 Low 3.7 Not Defined 0.1% qs-6.13.0.tgz Transitive 0.79.3

Unreachable
CVE-2025-7339 Low 3.4 Not Defined 0.0% on-headers-1.0.2.tgz Transitive 0.79.3

Unreachable
CVE-2025-5889 Low 3.1 Proof of concept 0.0% brace-expansion-1.1.11.tgz Transitive 0.79.3

Unreachable
CVE-2026-33671 High 7.5 Not Defined picomatch-2.3.1.tgz Transitive N/A*
CVE-2026-33036 High 7.5 Not Defined 0.1% fast-xml-parser-4.5.3.tgz Transitive N/A*
CVE-2026-33750 Medium 6.5 Not Defined brace-expansion-1.1.11.tgz Transitive N/A*
CVE-2026-33349 Medium 5.9 Not Defined 0.0% fast-xml-parser-4.5.3.tgz Transitive N/A*
CVE-2026-33672 Medium 5.3 Not Defined picomatch-2.3.1.tgz Transitive N/A*
CVE-2026-33532 Medium 4.3 Not Defined yaml-2.8.0.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (14 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2025-11953

Vulnerable Libraries - cli-18.0.0.tgz, cli-server-api-18.0.0.tgz

cli-18.0.0.tgz

React Native CLI

Library home page: https://registry.npmjs.org/@react-native-community/cli/-/cli-18.0.0.tgz

Path to dependency file: /ScreenSharing/package.json

Path to vulnerable library: /ScreenSharing/node_modules/@react-native-community/cli/package.json,/Signaling/node_modules/@react-native-community/cli/package.json,/ArchivingNewArchitecture/node_modules/@react-native-community/cli/package.json,/BasicVideoChatNewArchitecture/node_modules/@react-native-community/cli/package.json,/Multiparty/node_modules/@react-native-community/cli/package.json,/BackgroundBlur/node_modules/@react-native-community/cli/package.json,/MultipartyNewArchitecture/node_modules/@react-native-community/cli/package.json,/BasicVideoChat/node_modules/@react-native-community/cli/package.json,/Archiving/node_modules/@react-native-community/cli/package.json

Dependency Hierarchy:

  • react-native-0.79.2.tgz (Root Library)
    • community-cli-plugin-0.79.2.tgz
      • cli-18.0.0.tgz (Vulnerable Library)

cli-server-api-18.0.0.tgz

Library home page: https://registry.npmjs.org/@react-native-community/cli-server-api/-/cli-server-api-18.0.0.tgz

Path to dependency file: /Signaling/package.json

Path to vulnerable library: /Signaling/node_modules/@react-native-community/cli-server-api/package.json,/Multiparty/node_modules/@react-native-community/cli-server-api/package.json,/ArchivingNewArchitecture/node_modules/@react-native-community/cli-server-api/package.json,/Archiving/node_modules/@react-native-community/cli-server-api/package.json,/MultipartyNewArchitecture/node_modules/@react-native-community/cli-server-api/package.json,/BasicVideoChat/node_modules/@react-native-community/cli-server-api/package.json,/ScreenSharing/node_modules/@react-native-community/cli-server-api/package.json,/BackgroundBlur/node_modules/@react-native-community/cli-server-api/package.json,/BasicVideoChatNewArchitecture/node_modules/@react-native-community/cli-server-api/package.json

Dependency Hierarchy:

  • react-native-0.79.2.tgz (Root Library)
    • community-cli-plugin-0.79.2.tgz
      • cli-18.0.0.tgz
        • cli-server-api-18.0.0.tgz (Vulnerable Library)

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-11-03

URL: CVE-2025-11953

Threat Assessment

Exploit Maturity: High

EPSS: 3.4%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-399j-vxmf-hjvr

Release Date: 2025-11-03

Fix Resolution (@react-native-community/cli): 18.0.1

Direct dependency fix Resolution (react-native): 0.79.3

Fix Resolution (@react-native-community/cli-server-api): 18.0.1

Direct dependency fix Resolution (react-native): 0.79.3

In order to enable automatic remediation, please create workflow rules

CVE-2026-25896

Vulnerable Library - fast-xml-parser-4.5.3.tgz

Validate XML, Parse XML, Build XML without C/C++ based libraries

Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.5.3.tgz

Path to dependency file: /Archiving/package.json

Path to vulnerable library: /Archiving/node_modules/fast-xml-parser/package.json,/Signaling/node_modules/fast-xml-parser/package.json,/ScreenSharing/node_modules/fast-xml-parser/package.json,/BasicVideoChat/node_modules/fast-xml-parser/package.json,/BackgroundBlur/node_modules/fast-xml-parser/package.json,/BasicVideoChatNewArchitecture/node_modules/fast-xml-parser/package.json,/Multiparty/node_modules/fast-xml-parser/package.json

Dependency Hierarchy:

  • react-native-0.79.2.tgz (Root Library)
    • community-cli-plugin-0.79.2.tgz
      • cli-18.0.0.tgz
        • cli-doctor-18.0.0.tgz
          • cli-platform-apple-18.0.0.tgz
            • fast-xml-parser-4.5.3.tgz (Vulnerable Library)

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2026-02-20

URL: CVE-2026-25896

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (9.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-02-20

Fix Resolution: https://github.com/NaturalIntelligence/fast-xml-parser.git - v5.3.5

CVE-2026-27904

Vulnerable Library - minimatch-3.1.2.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz

Path to dependency file: /BasicVideoChat/package.json

Path to vulnerable library: /BasicVideoChat/node_modules/test-exclude/node_modules/minimatch/package.json,/BackgroundBlur/node_modules/test-exclude/node_modules/minimatch/package.json,/Signaling/node_modules/glob/node_modules/minimatch/package.json,/ScreenSharing/node_modules/glob/node_modules/minimatch/package.json,/BasicVideoChat/node_modules/glob/node_modules/minimatch/package.json,/Multiparty/node_modules/glob/node_modules/minimatch/package.json,/BackgroundBlur/node_modules/glob/node_modules/minimatch/package.json,/ScreenSharing/node_modules/test-exclude/node_modules/minimatch/package.json,/Archiving/node_modules/glob/node_modules/minimatch/package.json,/Multiparty/node_modules/test-exclude/node_modules/minimatch/package.json,/Signaling/node_modules/test-exclude/node_modules/minimatch/package.json,/Archiving/node_modules/test-exclude/node_modules/minimatch/package.json

Dependency Hierarchy:

  • react-native-0.79.2.tgz (Root Library)
    • glob-7.2.3.tgz
      • minimatch-3.1.2.tgz (Vulnerable Library)

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested "()" extglobs produce regexps with nested unbounded quantifiers (e.g. "(?:(?:a|b))"), which exhibit catastrophic backtracking in V8. With a 12-byte pattern "(((a|b)))" and an 18-byte non-matching input, "minimatch()" stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default "minimatch()" API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects "+()" extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

Publish Date: 2026-02-26

URL: CVE-2026-27904

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-23c5-xmqv-rm74

Release Date: 2026-02-26

Fix Resolution (minimatch): 3.1.4

Direct dependency fix Resolution (react-native): 0.79.3

In order to enable automatic remediation, please create workflow rules

CVE-2026-27903

Vulnerable Library - minimatch-3.1.2.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz

Path to dependency file: /BasicVideoChat/package.json

Path to vulnerable library: /BasicVideoChat/node_modules/test-exclude/node_modules/minimatch/package.json,/BackgroundBlur/node_modules/test-exclude/node_modules/minimatch/package.json,/Signaling/node_modules/glob/node_modules/minimatch/package.json,/ScreenSharing/node_modules/glob/node_modules/minimatch/package.json,/BasicVideoChat/node_modules/glob/node_modules/minimatch/package.json,/Multiparty/node_modules/glob/node_modules/minimatch/package.json,/BackgroundBlur/node_modules/glob/node_modules/minimatch/package.json,/ScreenSharing/node_modules/test-exclude/node_modules/minimatch/package.json,/Archiving/node_modules/glob/node_modules/minimatch/package.json,/Multiparty/node_modules/test-exclude/node_modules/minimatch/package.json,/Signaling/node_modules/test-exclude/node_modules/minimatch/package.json,/Archiving/node_modules/test-exclude/node_modules/minimatch/package.json

Dependency Hierarchy:

  • react-native-0.79.2.tgz (Root Library)
    • glob-7.2.3.tgz
      • minimatch-3.1.2.tgz (Vulnerable Library)

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, "matchOne()" performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent "**" (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where "n" is the number of path segments and "k" is the number of globstars. With k=11 and n=30, a call to the default "minimatch()" API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to "minimatch()" is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.

Publish Date: 2026-02-26

URL: CVE-2026-27903

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-7r86-cg39-jmmj

Release Date: 2026-02-26

Fix Resolution: https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v4.2.5,https://github.com/isaacs/minimatch.git - v6.2.2,https://github.com/isaacs/minimatch.git - v10.2.3,https://github.com/isaacs/minimatch.git - v5.1.8,https://github.com/isaacs/minimatch.git - v9.0.7,https://github.com/isaacs/minimatch.git - v7.4.8,https://github.com/isaacs/minimatch.git - v8.0.6

CVE-2026-26996

Vulnerable Library - minimatch-3.1.2.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz

Path to dependency file: /BasicVideoChat/package.json

Path to vulnerable library: /BasicVideoChat/node_modules/test-exclude/node_modules/minimatch/package.json,/BackgroundBlur/node_modules/test-exclude/node_modules/minimatch/package.json,/Signaling/node_modules/glob/node_modules/minimatch/package.json,/ScreenSharing/node_modules/glob/node_modules/minimatch/package.json,/BasicVideoChat/node_modules/glob/node_modules/minimatch/package.json,/Multiparty/node_modules/glob/node_modules/minimatch/package.json,/BackgroundBlur/node_modules/glob/node_modules/minimatch/package.json,/ScreenSharing/node_modules/test-exclude/node_modules/minimatch/package.json,/Archiving/node_modules/glob/node_modules/minimatch/package.json,/Multiparty/node_modules/test-exclude/node_modules/minimatch/package.json,/Signaling/node_modules/test-exclude/node_modules/minimatch/package.json,/Archiving/node_modules/test-exclude/node_modules/minimatch/package.json

Dependency Hierarchy:

  • react-native-0.79.2.tgz (Root Library)
    • glob-7.2.3.tgz
      • minimatch-3.1.2.tgz (Vulnerable Library)

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6 are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS.
This issue has been fixed in versions 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2026-02-20

URL: CVE-2026-26996

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3ppc-4f35-3m26

Release Date: 2026-02-19

Fix Resolution: https://github.com/isaacs/minimatch.git - v10.2.1,https://github.com/isaacs/minimatch.git - v5.1.7,https://github.com/isaacs/minimatch.git - v4.2.4,https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v8.0.5,https://github.com/isaacs/minimatch.git - v9.0.6,https://github.com/isaacs/minimatch.git - v6.2.1,https://github.com/isaacs/minimatch.git - v7.4.7

CVE-2026-26278

Vulnerable Library - fast-xml-parser-4.5.3.tgz

Validate XML, Parse XML, Build XML without C/C++ based libraries

Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.5.3.tgz

Path to dependency file: /Archiving/package.json

Path to vulnerable library: /Archiving/node_modules/fast-xml-parser/package.json,/Signaling/node_modules/fast-xml-parser/package.json,/ScreenSharing/node_modules/fast-xml-parser/package.json,/BasicVideoChat/node_modules/fast-xml-parser/package.json,/BackgroundBlur/node_modules/fast-xml-parser/package.json,/BasicVideoChatNewArchitecture/node_modules/fast-xml-parser/package.json,/Multiparty/node_modules/fast-xml-parser/package.json

Dependency Hierarchy:

  • react-native-0.79.2.tgz (Root Library)
    • community-cli-plugin-0.79.2.tgz
      • cli-18.0.0.tgz
        • cli-doctor-18.0.0.tgz
          • cli-platform-apple-18.0.0.tgz
            • fast-xml-parser-4.5.3.tgz (Vulnerable Library)

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by "processEntities: false" option.

Publish Date: 2026-02-19

URL: CVE-2026-26278

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jmr7-xgp7-cmfj

Release Date: 2026-02-17

Fix Resolution: https://github.com/NaturalIntelligence/fast-xml-parser.git - v5.3.6

CVE-2026-25128

Vulnerable Library - fast-xml-parser-4.5.3.tgz

Validate XML, Parse XML, Build XML without C/C++ based libraries

Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.5.3.tgz

Path to dependency file: /Archiving/package.json

Path to vulnerable library: /Archiving/node_modules/fast-xml-parser/package.json,/Signaling/node_modules/fast-xml-parser/package.json,/ScreenSharing/node_modules/fast-xml-parser/package.json,/BasicVideoChat/node_modules/fast-xml-parser/package.json,/BackgroundBlur/node_modules/fast-xml-parser/package.json,/BasicVideoChatNewArchitecture/node_modules/fast-xml-parser/package.json,/Multiparty/node_modules/fast-xml-parser/package.json

Dependency Hierarchy:

  • react-native-0.79.2.tgz (Root Library)
    • community-cli-plugin-0.79.2.tgz
      • cli-18.0.0.tgz
        • cli-doctor-18.0.0.tgz
          • cli-platform-apple-18.0.0.tgz
            • fast-xml-parser-4.5.3.tgz (Vulnerable Library)

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., "�" or "�"). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.

Publish Date: 2026-01-30

URL: CVE-2026-25128

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-01-30

Fix Resolution: https://github.com/NaturalIntelligence/fast-xml-parser.git - v5.3.4

CVE-2026-27942

Vulnerable Library - fast-xml-parser-4.5.3.tgz

Validate XML, Parse XML, Build XML without C/C++ based libraries

Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.5.3.tgz

Path to dependency file: /Archiving/package.json

Path to vulnerable library: /Archiving/node_modules/fast-xml-parser/package.json,/Signaling/node_modules/fast-xml-parser/package.json,/ScreenSharing/node_modules/fast-xml-parser/package.json,/BasicVideoChat/node_modules/fast-xml-parser/package.json,/BackgroundBlur/node_modules/fast-xml-parser/package.json,/BasicVideoChatNewArchitecture/node_modules/fast-xml-parser/package.json,/Multiparty/node_modules/fast-xml-parser/package.json

Dependency Hierarchy:

  • react-native-0.79.2.tgz (Root Library)
    • community-cli-plugin-0.79.2.tgz
      • cli-18.0.0.tgz
        • cli-doctor-18.0.0.tgz
          • cli-platform-apple-18.0.0.tgz
            • fast-xml-parser-4.5.3.tgz (Vulnerable Library)

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with "preserveOrder:true". Version 5.3.8 fixes the issue. As a workaround, use XML builder with "preserveOrder:false" or check the input data before passing to builder.

Publish Date: 2026-02-26

URL: CVE-2026-27942

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-02-26

Fix Resolution: https://github.com/NaturalIntelligence/fast-xml-parser.git - v5.3.8,fast-xml-parser - 5.3.8

CVE-2025-64718

Vulnerable Libraries - js-yaml-3.14.1.tgz, js-yaml-4.1.0.tgz

js-yaml-3.14.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz

Path to dependency file: /Archiving/package.json

Path to vulnerable library: /Archiving/node_modules/metro-config/node_modules/js-yaml/package.json,/ScreenSharing/node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml/package.json,/ScreenSharing/node_modules/metro-config/node_modules/js-yaml/package.json,/BasicVideoChat/node_modules/metro-config/node_modules/js-yaml/package.json,/BackgroundBlur/node_modules/metro-config/node_modules/js-yaml/package.json,/Archiving/node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml/package.json,/BackgroundBlur/node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml/package.json,/BasicVideoChat/node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml/package.json,/Multiparty/node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml/package.json,/Multiparty/node_modules/metro-config/node_modules/js-yaml/package.json,/Signaling/node_modules/metro-config/node_modules/js-yaml/package.json,/Signaling/node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • react-native-0.79.2.tgz (Root Library)
    • babel-jest-29.7.0.tgz
      • babel-plugin-istanbul-6.1.1.tgz
        • load-nyc-config-1.1.0.tgz
          • js-yaml-3.14.1.tgz (Vulnerable Library)

js-yaml-4.1.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz

Path to dependency file: /Archiving/package.json

Path to vulnerable library: /Archiving/node_modules/js-yaml/package.json,/BasicVideoChat/node_modules/js-yaml/package.json,/Multiparty/node_modules/js-yaml/package.json,/BackgroundBlur/node_modules/js-yaml/package.json,/ScreenSharing/node_modules/js-yaml/package.json,/Signaling/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • react-native-0.79.2.tgz (Root Library)
    • community-cli-plugin-0.79.2.tgz
      • cli-18.0.0.tgz
        • cli-config-18.0.0.tgz
          • cosmiconfig-9.0.0.tgz
            • js-yaml-4.1.0.tgz (Vulnerable Library)

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution ("proto"). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using "node --disable-proto=delete" or "deno" (in Deno, pollution protection is on by default).

Publish Date: 2025-11-13

URL: CVE-2025-64718

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-mh29-5h37-fv8m

Release Date: 2025-11-13

Fix Resolution: js-yaml - 4.1.1,js-yaml - 3.14.2

CVE-2026-2391

Vulnerable Library - qs-6.13.0.tgz

Library home page: https://registry.npmjs.org/qs/-/qs-6.13.0.tgz

Path to dependency file: /ScreenSharing/package.json

Path to vulnerable library: /ScreenSharing/node_modules/qs/package.json,/BasicVideoChat/node_modules/qs/package.json,/BackgroundBlur/node_modules/qs/package.json,/Archiving/node_modules/qs/package.json,/Multiparty/node_modules/qs/package.json,/Signaling/node_modules/qs/package.json

Dependency Hierarchy:

  • react-native-0.79.2.tgz (Root Library)
    • community-cli-plugin-0.79.2.tgz
      • cli-18.0.0.tgz
        • cli-server-api-18.0.0.tgz
          • body-parser-1.20.3.tgz
            • qs-6.13.0.tgz (Vulnerable Library)

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Summary
The "arrayLimit" option in qs does not enforce limits for comma-separated values when "comma: true" is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284).
Details
When the "comma" option is set to "true" (not the default, but configurable in applications), qs allows parsing comma-separated strings as arrays (e.g., "?param=a,b,c" becomes "['a', 'b', 'c']"). However, the limit check for "arrayLimit" (default: 20) and the optional throwOnLimitExceeded occur after the comma-handling logic in "parseArrayValue", enabling a bypass. This permits creation of arbitrarily large arrays from a single parameter, leading to excessive memory allocation.
Vulnerable code (lib/parse.js: lines ~40-50):
if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
    return val.split(',');
}
if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
    throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
}
return val;
The "split(',')" returns the array immediately, skipping the subsequent limit check. Downstream merging via "utils.combine" does not prevent allocation, even if it marks overflows for sparse arrays.This discrepancy allows attackers to send a single parameter with millions of commas (e.g., "?param=,,,,,,,,..."), allocating massive arrays in memory without triggering limits. It bypasses the intent of "arrayLimit", which is enforced correctly for indexed ("a[0]=") and bracket ("a[]=") notations (the latter fixed in v6.14.1 per GHSA-6rw7-vpxm-498p).
PoC
Test 1 - Basic bypass:
npm install qs
const qs = require('qs');
const payload = 'a=' + ','.repeat(25); // 26 elements after split (bypasses arrayLimit: 5)
const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };
try {
  const result = qs.parse(payload, options);
  console.log(result.a.length); // Outputs: 26 (bypass successful)
} catch (e) {
  console.log('Limit enforced:', e.message); // Not thrown
}
Configuration:

  • "comma: true"
  • "arrayLimit: 5"
  • "throwOnLimitExceeded: true"
    Expected: Throws "Array limit exceeded" error.
    Actual: Parses successfully, creating an array of length 26.
    Impact
    Denial of Service (DoS) via memory exhaustion.
    Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2026-02-12

URL: CVE-2026-2391

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7fw-mjwx-w883

Release Date: 2026-02-12

Fix Resolution (qs): 6.14.2

Direct dependency fix Resolution (react-native): 0.79.3

In order to enable automatic remediation, please create workflow rules

CVE-2025-15284

Vulnerable Library - qs-6.13.0.tgz

Library home page: https://registry.npmjs.org/qs/-/qs-6.13.0.tgz

Path to dependency file: /ScreenSharing/package.json

Path to vulnerable library: /ScreenSharing/node_modules/qs/package.json,/BasicVideoChat/node_modules/qs/package.json,/BackgroundBlur/node_modules/qs/package.json,/Archiving/node_modules/qs/package.json,/Multiparty/node_modules/qs/package.json,/Signaling/node_modules/qs/package.json

Dependency Hierarchy:

  • react-native-0.79.2.tgz (Root Library)
    • community-cli-plugin-0.79.2.tgz
      • cli-18.0.0.tgz
        • cli-server-api-18.0.0.tgz
          • body-parser-1.20.3.tgz
            • qs-6.13.0.tgz (Vulnerable Library)

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1.
Summary
The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations.
Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than parameterLimit regardless of arrayLimit, because each a[]=valueconsumes one parameter slot. The severity has been reduced accordingly.
Details
The arrayLimit option only checked limits for indexed notation (a[0]=1&a[1]=2) but did not enforce it for bracket notation (a[]=1&a[]=2).
Vulnerable code (lib/parse.js:159-162):
if (root === '[]' && options.parseArrays) {
obj = utils.combine([], leaf); // No arrayLimit check
}
Working code (lib/parse.js:175):
else if (index <= options.arrayLimit) { // Limit checked here
obj = [];
obj[index] = leaf;
}
The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.
PoC
const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length); // Output: 6 (should be max 5)
Note on parameterLimit interaction: The original advisory's "DoS demonstration" claimed a length of 10,000, but parameterLimit (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000.
Impact
Consistency bug in arrayLimit enforcement. With default parameterLimit, the practical DoS risk is negligible since parameterLimit already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when parameterLimit is explicitly set to a very high value.

Publish Date: 2025-12-29

URL: CVE-2025-15284

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6rw7-vpxm-498p

Release Date: 2025-12-29

Fix Resolution (qs): 6.14.1

Direct dependency fix Resolution (react-native): 0.79.3

In order to enable automatic remediation, please create workflow rules

CVE-2025-7339

Vulnerable Library - on-headers-1.0.2.tgz

Execute a listener when a response is about to write headers

Library home page: https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz

Path to dependency file: /Multiparty/package.json

Path to vulnerable library: /Multiparty/node_modules/on-headers/package.json,/ScreenSharing/node_modules/on-headers/package.json,/Archiving/node_modules/on-headers/package.json,/BackgroundBlur/node_modules/on-headers/package.json,/BasicVideoChat/node_modules/on-headers/package.json,/Signaling/node_modules/on-headers/package.json

Dependency Hierarchy:

  • react-native-0.79.2.tgz (Root Library)
    • community-cli-plugin-0.79.2.tgz
      • cli-18.0.0.tgz
        • cli-server-api-18.0.0.tgz
          • compression-1.8.0.tgz
            • on-headers-1.0.2.tgz (Vulnerable Library)

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions "<1.1.0" may result in response headers being inadvertently modified when an array is passed to "response.writeHead()". Users should upgrade to version 1.1.0 to receive a patch. Uses are strongly encouraged to upgrade to "1.1.0", but this issue can be worked around by passing an object to "response.writeHead()" rather than an array.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-07-17

URL: CVE-2025-7339

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (3.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76c9-3jph-rj3q

Release Date: 2025-07-17

Fix Resolution (on-headers): 1.1.0

Direct dependency fix Resolution (react-native): 0.79.3

In order to enable automatic remediation, please create workflow rules

CVE-2025-5889

Vulnerable Library - brace-expansion-1.1.11.tgz

Brace expansion as known from sh/bash

Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz

Path to dependency file: /Signaling/package.json

Path to vulnerable library: /Signaling/node_modules/glob/node_modules/brace-expansion/package.json,/BasicVideoChat/node_modules/test-exclude/node_modules/brace-expansion/package.json,/Archiving/node_modules/glob/node_modules/brace-expansion/package.json,/Archiving/node_modules/test-exclude/node_modules/brace-expansion/package.json,/Signaling/node_modules/test-exclude/node_modules/brace-expansion/package.json,/BackgroundBlur/node_modules/glob/node_modules/brace-expansion/package.json,/BasicVideoChat/node_modules/glob/node_modules/brace-expansion/package.json,/Multiparty/node_modules/test-exclude/node_modules/brace-expansion/package.json,/BackgroundBlur/node_modules/test-exclude/node_modules/brace-expansion/package.json,/ScreenSharing/node_modules/glob/node_modules/brace-expansion/package.json,/ScreenSharing/node_modules/test-exclude/node_modules/brace-expansion/package.json,/Multiparty/node_modules/glob/node_modules/brace-expansion/package.json

Dependency Hierarchy:

  • react-native-0.79.2.tgz (Root Library)
    • glob-7.2.3.tgz
      • minimatch-3.1.2.tgz
        • brace-expansion-1.1.11.tgz (Vulnerable Library)

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

A vulnerability was found in juliangruber brace-expansion up to 1.1.11. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to apply a patch to fix this issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-06-09

URL: CVE-2025-5889

Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 0.0%

CVSS 3 Score Details (3.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-v6h2-p8h4-qcjw

Release Date: 2025-06-09

Fix Resolution (brace-expansion): 1.1.12

Direct dependency fix Resolution (react-native): 0.79.3

In order to enable automatic remediation, please create workflow rules

CVE-2026-33671

Vulnerable Library - picomatch-2.3.1.tgz

Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.

Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz

Path to dependency file: /Signaling/package.json

Path to vulnerable library: /Signaling/node_modules/picomatch/package.json,/Archiving/node_modules/picomatch/package.json,/MultipartyNewArchitecture/node_modules/picomatch/package.json,/BackgroundBlur/node_modules/picomatch/package.json,/BasicVideoChatNewArchitecture/node_modules/picomatch/package.json,/ArchivingNewArchitecture/node_modules/picomatch/package.json,/BasicVideoChat/node_modules/picomatch/package.json,/Multiparty/node_modules/picomatch/package.json,/ScreenSharing/node_modules/picomatch/package.json

Dependency Hierarchy:

  • react-native-0.79.2.tgz (Root Library)
    • jest-environment-node-29.7.0.tgz
      • jest-util-29.7.0.tgz
        • picomatch-2.3.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as "+()" and "()", especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to "picomatch" for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to "picomatch". Possible mitigations include disabling extglob support for untrusted patterns by using "noextglob: true", rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as "+()" and "()", enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.

Publish Date: 2026-03-26

URL: CVE-2026-33671

Threat Assessment

Exploit Maturity: Not Defined

EPSS:

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-25

Fix Resolution: https://github.com/micromatch/picomatch.git - 3.0.2,https://github.com/micromatch/picomatch.git - 4.0.4,https://github.com/micromatch/picomatch.git - 2.3.2

In order to enable automatic remediation for this issue, please create workflow rules

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions