Yarn Audit Report

12 unique from 45 overall vulnerabilities | 29,350 dependencies

high Regular Expression Denial of Service

  • Module: tough-cookie
  • Installed version: 2.2.2
  • Vulnerable: <2.3.3
  • Patched: >=2.3.3
  • Published: September 8, 2017 at 8:07:02 PM GMT+2
  • Reported by: Cristian-Alexandru Staicu
  • CVSS: 5
  • CWE-400
  • CVE-2017-15010

Overview

Affected versions of tough-cookie are susceptible to a regular expression denial of service.

The amplification of this vulnerability is relatively low: it takes around 2 seconds for the engine to execute on a malicious input that is 50,000 characters in length.

If node was compiled with the -DHTTP_MAX_HEADER_SIZE flag, however, the impact of the vulnerability can be significant, because the primary limitation on this vulnerability is the default maximum HTTP header length in node.

Remediation

Update to version 2.3.3 or later.

gulp-uncss>uncss>request>tough-cookie

moderate Memory Exposure

  • Module: tunnel-agent
  • Installed version: 0.4.3
  • Vulnerable: <0.6.0
  • Patched: >=0.6.0
  • Published: April 24, 2018 at 10:30:16 PM GMT+2
  • Reported by: Сковорода Никита Андреевич
  • CVSS: 3
  • CWE-20

Overview

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure.

This is exploitable if user-supplied input is provided as the auth value and that value is a number.

Proof-of-concept:

require('request')({
  method: 'GET',
  uri: 'http://www.example.com',
  tunnel: true,            // route the request through the proxy below via tunnel-agent
  proxy: {
    protocol: 'http:',
    host: '127.0.0.1',
    port: 8080,
    auth: USERSUPPLIEDINPUT // a numeric auth value triggers the memory exposure in tunnel-agent < 0.6.0
  }
});

Remediation

Update to version 0.6.0 or later.

gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-build>download>caw>tunnel-agent
gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-wrapper>download>caw>tunnel-agent
gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-build>download>caw>tunnel-agent
gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-wrapper>download>caw>tunnel-agent
gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-build>download>caw>tunnel-agent
gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-wrapper>download>caw>tunnel-agent
gulp-uncss>uncss>request>tunnel-agent

moderate Prototype Pollution

  • Module: lodash
  • Installed version: 3.10.1
  • Vulnerable: <4.17.11
  • Patched: >=4.17.11
  • Published: February 13, 2019 at 5:16:53 PM GMT+1
  • Reported by: asgerf
  • CVSS: 3
  • CWE-471
  • CVE-2018-16487

Overview

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition of a new property, or the modification of an existing one, that will then exist on all objects.

Remediation

Update to version 4.17.11 or later.

favicons-webpack-plugin>favicons>cheerio>lodash

moderate Prototype Pollution

  • Module: lodash
  • Installed version: 2.4.2
  • Vulnerable: <4.17.11
  • Patched: >=4.17.11
  • Published: February 13, 2019 at 5:16:53 PM GMT+1
  • Reported by: asgerf
  • CVSS: 3
  • CWE-471
  • CVE-2018-16487

Overview

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition of a new property, or the modification of an existing one, that will then exist on all objects.

Remediation

Update to version 4.17.11 or later.

favicons-webpack-plugin>favicons>merge-defaults>lodash

moderate Prototype Pollution

  • Module: lodash
  • Installed version: 4.0.1
  • Vulnerable: <4.17.11
  • Patched: >=4.17.11
  • Published: February 13, 2019 at 5:16:53 PM GMT+1
  • Reported by: asgerf
  • CVSS: 3
  • CWE-471
  • CVE-2018-16487

Overview

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition of a new property, or the modification of an existing one, that will then exist on all objects.

Remediation

Update to version 4.17.11 or later.

gulp-uncss>uncss>lodash

moderate Prototype Pollution

  • Module: hoek
  • Installed version: 2.16.3
  • Vulnerable: <= 4.2.0 || >= 5.0.0 < 5.0.3
  • Patched: > 4.2.0 < 5.0.0 || >= 5.0.3
  • Published: April 20, 2018 at 11:25:58 PM GMT+2
  • Reported by: HoLyVieR
  • CVSS: 5
  • CWE-471

Overview

Versions of hoek prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.

The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions that use merge behind the scenes, are vulnerable to a prototype pollution attack when given an unvalidated payload parsed from a JSON string containing the __proto__ property.

This can be demonstrated like so:

var Hoek = require('hoek');
// JSON.parse keeps "__proto__" as an own property, which the vulnerable merge then assigns into
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

var a = {};
console.log("Before : " + a.oops); // undefined
Hoek.merge({}, JSON.parse(malicious_payload)); // pollutes Object.prototype
console.log("After : " + a.oops); // "It works !" although 'a' was never passed to merge

This type of attack can be used to overwrite existing properties, causing a potential denial of service.

Remediation

Update to version 4.2.1 or later (4.x line), or 5.0.3 or later (5.x line).

gulp-cli>wreck>boom>hoek
gulp-cli>wreck>hoek
gulp-uncss>uncss>request>hawk>boom>hoek
gulp-uncss>uncss>request>hawk>cryptiles>boom>hoek
gulp-uncss>uncss>request>hawk>hoek
gulp-uncss>uncss>request>hawk>sntp>hoek

moderate ReDoS via long string of semicolons

  • Module: tough-cookie
  • Installed version: 2.2.2
  • Vulnerable: >=0.9.7 <=2.2.2
  • Patched: >=2.3.0
  • Published: July 22, 2016 at 9:43:01 PM GMT+2
  • Reported by: David Kirchner
  • CVSS: 7
  • CWE-400
  • CVE-2016-1000232

Overview

Affected versions of tough-cookie may be vulnerable to regular expression denial of service when long strings of semicolons exist in the Set-Cookie header.

Remediation

Update to version 2.3.0 or later.

gulp-uncss>uncss>request>tough-cookie

low Regular Expression Denial of Service

  • Module: braces
  • Installed version: 1.8.5
  • Vulnerable: <2.3.1
  • Patched: >=2.3.1
  • Published: February 15, 2019 at 10:44:30 PM GMT+1
  • Reported by: Santosh Rao
  • CVSS: 4
  • CWE-185

Overview

Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can make the application unresponsive, leading to Denial of Service.

Remediation

Upgrade to version 2.3.1 or higher.

browser-sync>micromatch>braces
favicons-webpack-plugin>webpack>watchpack>chokidar>anymatch>micromatch>braces
gulp-cli>matchdep>micromatch>braces
gulp-imagemin>imagemin>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-build>decompress>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-build>download>gulp-decompress>decompress>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-build>download>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-wrapper>download>gulp-decompress>decompress>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-wrapper>download>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-build>decompress>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-build>download>gulp-decompress>decompress>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-build>download>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-wrapper>download>gulp-decompress>decompress>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-wrapper>download>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-build>decompress>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-build>download>gulp-decompress>decompress>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-build>download>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-wrapper>download>gulp-decompress>decompress>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-wrapper>download>vinyl-fs>glob-stream>micromatch>braces
gulp-load-plugins>findup-sync>micromatch>braces
gulp-load-plugins>micromatch>braces
panini>vinyl-fs>glob-stream>micromatch>braces
webpack-stream>webpack>watchpack>chokidar>anymatch>micromatch>braces

low Prototype Pollution

  • Module: lodash
  • Installed version: 3.10.1
  • Vulnerable: <4.17.5
  • Patched: >=4.17.5
  • Published: April 24, 2018 at 4:27:02 PM GMT+2
  • Reported by: Olivier Arteau (HoLyVieR)
  • CVSS: 1
  • CWE-471
  • CVE-2018-3721

Overview

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via __proto__, causing the addition of a new property, or the modification of an existing one, that will then exist on all objects.

Remediation

Update to version 4.17.5 or later.

favicons-webpack-plugin>favicons>cheerio>lodash

low Prototype Pollution

  • Module: lodash
  • Installed version: 2.4.2
  • Vulnerable: <4.17.5
  • Patched: >=4.17.5
  • Published: April 24, 2018 at 4:27:02 PM GMT+2
  • Reported by: Olivier Arteau (HoLyVieR)
  • CVSS: 1
  • CWE-471
  • CVE-2018-3721

Overview

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via __proto__, causing the addition of a new property, or the modification of an existing one, that will then exist on all objects.

Remediation

Update to version 4.17.5 or later.

favicons-webpack-plugin>favicons>merge-defaults>lodash

low Prototype Pollution

  • Module: lodash
  • Installed version: 4.0.1
  • Vulnerable: <4.17.5
  • Patched: >=4.17.5
  • Published: April 24, 2018 at 4:27:02 PM GMT+2
  • Reported by: Olivier Arteau (HoLyVieR)
  • CVSS: 1
  • CWE-471
  • CVE-2018-3721

Overview

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via __proto__, causing the addition of a new property, or the modification of an existing one, that will then exist on all objects.

Remediation

Update to version 4.17.5 or later.

gulp-uncss>uncss>lodash

low Regular Expression Denial of Service

  • Module: debug
  • Installed version: 2.2.0
  • Vulnerable: <= 2.6.8 || >= 3.0.0 <= 3.0.1
  • Patched: >= 2.6.9 < 3.0.0 || >= 3.1.0
  • Published: September 25, 2017 at 8:55:55 PM GMT+2
  • Reported by: Cristian-Alexandru Staicu
  • CVSS: 5
  • CWE-400
  • CVE-2017-16137

Overview

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter.

Because it takes 50,000 characters to block the event loop for 2 seconds, this is rated a low-severity issue.

Remediation

Version 2.x.x: Update to version 2.6.9 or later.
Version 3.x.x: Update to version 3.1.0 or later.

favicons-webpack-plugin>favicons>node-rest-client>debug

Report generated at July 30, 2023 at 4:21:16 PM GMT+2