Description
Vulnerable Library - react-scripts-1.0.17.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/got/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/got/package.json
Found in HEAD commit: e512408cb0b9fc17164d22b08f507d2e41131490
Vulnerabilities
Vulnerability | Severity | Dependency | Type | Fixed in (react-scripts version) | Remediation Possible**
---|---|---|---|---|---
CVE-2023-42282 | 9.8 | ip-1.1.5.tgz | Transitive | 1.1.0 | ❌
CVE-2022-37601 | 9.8 | detected in multiple dependencies | Transitive | 4.0.0 | ❌
CVE-2022-0691 | 9.8 | detected in multiple dependencies | Transitive | 1.1.0 | ❌
CVE-2021-44906 | 9.8 | detected in multiple dependencies | Transitive | 1.1.0 | ❌
CVE-2021-42740 | 9.8 | shell-quote-1.6.1.tgz | Transitive | 5.0.0 | ❌
CVE-2021-3918 | 9.8 | json-schema-0.2.3.tgz | Transitive | 1.1.0 | ❌
CVE-2020-7720 | 9.8 | node-forge-0.6.33.tgz | Transitive | 1.1.0 | ❌
CVE-2019-19919 | 9.8 | handlebars-4.0.11.tgz | Transitive | 1.1.0 | ❌
CVE-2018-6342 | 9.8 | react-dev-utils-4.2.1.tgz | Transitive | N/A* | ❌
CVE-2018-3774 | 9.8 | detected in multiple dependencies | Transitive | 1.1.0 | ❌
CVE-2018-3750 | 9.8 | deep-extend-0.4.2.tgz | Transitive | 1.1.0 | ❌
CVE-2018-16492 | 9.8 | extend-3.0.1.tgz | Transitive | 1.1.0 | ❌
CVE-2018-13797 | 9.8 | macaddress-0.2.8.tgz | Transitive | 1.1.0 | ❌
CVE-2018-1000620 | 9.8 | cryptiles-3.1.2.tgz | Transitive | 1.1.1 | ❌
CVE-2025-6545 | 9.3 | pbkdf2-3.0.14.tgz | Transitive | 1.1.0 | ❌
CVE-2023-45133 | 9.3 | babel-traverse-6.26.0.tgz | Transitive | N/A* | ❌
CVE-2025-9288 | 9.1 | sha.js-2.4.9.tgz | Transitive | 1.1.0 | ❌
CVE-2025-9287 | 9.1 | cipher-base-1.0.4.tgz | Transitive | N/A* | ❌
CVE-2024-48949 | 9.1 | elliptic-6.4.0.tgz | Transitive | 1.1.0 | ❌
CVE-2024-29415 | 9.1 | ip-1.1.5.tgz | Transitive | N/A* | ❌
CVE-2022-0686 | 9.1 | detected in multiple dependencies | Transitive | 1.1.0 | ❌
CVE-2019-10744 | 9.1 | detected in multiple dependencies | Transitive | 1.1.0 | ❌
CVE-2018-3728 | 8.8 | hoek-4.2.0.tgz | Transitive | 1.1.1 | ❌
CVE-2025-7783 | 8.7 | form-data-2.3.1.tgz | Transitive | 4.0.0 | ❌
WS-2019-0063 | 8.1 | detected in multiple dependencies | Transitive | 2.0.0 | ❌
CVE-2022-1650 | 8.1 | eventsource-0.1.6.tgz | Transitive | 2.1.3 | ❌
CVE-2020-36604 | 8.1 | hoek-4.2.0.tgz | Transitive | N/A* | ❌
CVE-2019-20920 | 8.1 | handlebars-4.0.11.tgz | Transitive | 1.1.0 | ❌
CVE-2021-43138 | 7.8 | async-2.6.0.tgz | Transitive | 1.1.0 | ❌
CVE-2021-23386 | 7.7 | dns-packet-1.2.2.tgz | Transitive | 1.1.0 | ❌
CVE-2020-13822 | 7.7 | elliptic-6.4.0.tgz | Transitive | 1.1.0 | ❌
WS-2021-0152 | 7.5 | color-string-0.3.0.tgz | Transitive | 2.0.0 | ❌
WS-2020-0450 | 7.5 | handlebars-4.0.11.tgz | Transitive | 1.1.0 | ❌
WS-2020-0091 | 7.5 | http-proxy-1.16.2.tgz | Transitive | 1.1.0 | ❌
WS-2019-0541 | 7.5 | macaddress-0.2.8.tgz | Transitive | 1.1.0 | ❌
WS-2019-0032 | 7.5 | detected in multiple dependencies | Transitive | 2.0.0 | ❌
CVE-2024-52798 | 7.5 | path-to-regexp-0.1.7.tgz | Transitive | 1.1.0 | ❌
CVE-2024-45590 | 7.5 | body-parser-1.18.2.tgz | Transitive | 1.1.0 | ❌
CVE-2024-45296 | 7.5 | path-to-regexp-0.1.7.tgz | Transitive | 1.1.0 | ❌
CVE-2024-4068 | 7.5 | braces-1.8.5.tgz | Transitive | N/A* | ❌
CVE-2024-21538 | 7.5 | cross-spawn-5.1.0.tgz | Transitive | N/A* | ❌
CVE-2024-21536 | 7.5 | http-proxy-middleware-0.17.4.tgz | Transitive | N/A* | ❌
CVE-2022-37620 | 7.5 | html-minifier-3.5.8.tgz | Transitive | N/A* | ❌
CVE-2022-37603 | 7.5 | loader-utils-1.1.0.tgz | Transitive | 1.1.0 | ❌
CVE-2022-3517 | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌
CVE-2022-24999 | 7.5 | qs-6.5.1.tgz | Transitive | 1.1.0 | ❌
CVE-2022-24772 | 7.5 | node-forge-0.6.33.tgz | Transitive | 5.0.0 | ❌
CVE-2022-24771 | 7.5 | node-forge-0.6.33.tgz | Transitive | 5.0.0 | ❌
CVE-2021-3807 | 7.5 | ansi-regex-3.0.0.tgz | Transitive | 1.1.0 | ❌
CVE-2021-3803 | 7.5 | nth-check-1.0.1.tgz | Transitive | 1.1.0 | ❌
CVE-2021-3777 | 7.5 | tmpl-1.0.4.tgz | Transitive | 1.1.0 | ❌
CVE-2021-33623 | 7.5 | trim-newlines-1.0.0.tgz | Transitive | 2.0.1 | ❌
CVE-2021-29059 | 7.5 | is-svg-2.1.0.tgz | Transitive | N/A* | ❌
CVE-2021-28092 | 7.5 | is-svg-2.1.0.tgz | Transitive | N/A* | ❌
CVE-2021-27516 | 7.5 | urijs-1.19.0.tgz | Transitive | 1.1.0 | ❌
CVE-2021-23424 | 7.5 | ansi-html-0.0.7.tgz | Transitive | 5.0.0 | ❌
CVE-2020-7662 | 7.5 | websocket-extensions-0.1.3.tgz | Transitive | 1.1.0 | ❌
CVE-2019-20922 | 7.5 | handlebars-4.0.11.tgz | Transitive | 1.1.0 | ❌
CVE-2018-3737 | 7.5 | sshpk-1.13.1.tgz | Transitive | 1.1.0 | ❌
CVE-2018-16469 | 7.5 | merge-1.2.0.tgz | Transitive | 1.1.0 | ❌
CVE-2018-14732 | 7.5 | webpack-dev-server-2.9.4.tgz | Transitive | 2.0.0 | ❌
WS-2018-0588 | 7.4 | detected in multiple dependencies | Transitive | 1.1.0 | ❌
CVE-2022-29167 | 7.4 | hawk-6.0.2.tgz | Transitive | 1.1.1 | ❌
CVE-2020-8203 | 7.4 | lodash-4.17.4.tgz | Transitive | 1.1.0 | ❌
WS-2019-0064 | 7.3 | handlebars-4.0.11.tgz | Transitive | 1.1.0 | ❌
CVE-2020-8116 | 7.3 | dot-prop-3.0.0.tgz | Transitive | 1.1.0 | ❌
CVE-2020-7788 | 7.3 | ini-1.3.5.tgz | Transitive | 1.1.0 | ❌
CVE-2020-7774 | 7.3 | y18n-3.2.1.tgz | Transitive | 1.1.0 | ❌
CVE-2020-28499 | 7.3 | merge-1.2.0.tgz | Transitive | 3.0.0 | ❌
CVE-2021-23337 | 7.2 | lodash-4.17.4.tgz | Transitive | 1.1.0 | ❌
WS-2018-0590 | 7.1 | diff-3.4.0.tgz | Transitive | 1.1.0 | ❌
CVE-2022-46175 | 7.1 | json5-0.5.1.tgz | Transitive | 3.0.0 | ❌
CVE-2025-6547 | 6.8 | pbkdf2-3.0.14.tgz | Transitive | 1.1.0 | ❌
CVE-2020-28498 | 6.8 | elliptic-6.4.0.tgz | Transitive | 1.1.0 | ❌
WS-2022-0008 | 6.6 | node-forge-0.6.33.tgz | Transitive | 5.0.0 | ❌
CVE-2025-30360 | 6.5 | webpack-dev-server-2.9.4.tgz | Transitive | N/A* | ❌
CVE-2023-46234 | 6.5 | browserify-sign-4.0.4.tgz | Transitive | 1.1.0 | ❌
CVE-2023-26136 | 6.5 | tough-cookie-2.3.3.tgz | Transitive | 4.0.0 | ❌
CVE-2022-0613 | 6.5 | urijs-1.19.0.tgz | Transitive | N/A* | ❌
CVE-2020-26291 | 6.5 | urijs-1.19.0.tgz | Transitive | 1.1.0 | ❌
CVE-2019-1010266 | 6.5 | lodash-4.17.4.tgz | Transitive | 1.1.0 | ❌
CVE-2018-3721 | 6.5 | lodash-4.17.4.tgz | Transitive | 1.1.0 | ❌
CVE-2018-21270 | 6.5 | stringstream-0.0.5.tgz | Transitive | 1.1.0 | ❌
CVE-2024-43788 | 6.4 | webpack-3.8.1.tgz | Transitive | 5.0.0 | ❌
CVE-2024-29041 | 6.1 | express-4.16.2.tgz | Transitive | 1.1.0 | ❌
CVE-2023-28155 | 6.1 | request-2.83.0.tgz | Transitive | N/A* | ❌
CVE-2022-1243 | 6.1 | urijs-1.19.0.tgz | Transitive | 1.1.0 | ❌
CVE-2022-1233 | 6.1 | urijs-1.19.0.tgz | Transitive | 1.1.0 | ❌
CVE-2022-0868 | 6.1 | urijs-1.19.0.tgz | Transitive | 1.1.0 | ❌
CVE-2022-0122 | 6.1 | node-forge-0.6.33.tgz | Transitive | 5.0.0 | ❌
CVE-2021-3647 | 6.1 | urijs-1.19.0.tgz | Transitive | 1.1.0 | ❌
WS-2019-0427 | 5.9 | elliptic-6.4.0.tgz | Transitive | 1.1.0 | ❌
WS-2019-0424 | 5.9 | elliptic-6.4.0.tgz | Transitive | 1.1.0 | ❌
WS-2019-0103 | 5.6 | handlebars-4.0.11.tgz | Transitive | 1.1.0 | ❌
CVE-2021-24033 | 5.6 | react-dev-utils-4.2.1.tgz | Transitive | 4.0.0 | ❌
CVE-2021-23383 | 5.6 | handlebars-4.0.11.tgz | Transitive | 1.1.0 | ❌
CVE-2021-23369 | 5.6 | handlebars-4.0.11.tgz | Transitive | 1.1.0 | ❌
CVE-2020-7789 | 5.6 | node-notifier-5.1.2.tgz | Transitive | 1.1.0 | ❌
CVE-2020-7598 | 5.6 | detected in multiple dependencies | Transitive | 1.1.0 | ❌
CVE-2020-15366 | 5.6 | ajv-5.5.2.tgz | Transitive | 2.0.0 | ❌
CVE-2018-16487 | 5.6 | lodash-4.17.4.tgz | Transitive | 1.1.0 | ❌
WS-2019-0017 | 5.3 | clean-css-4.1.9.tgz | Transitive | 1.1.0 | ❌
WS-2018-0347 | 5.3 | eslint-4.10.0.tgz | Transitive | N/A* | ❌
WS-2017-3757 | 5.3 | content-type-parser-1.0.2.tgz | Transitive | N/A* | ❌
CVE-2025-30359 | 5.3 | webpack-dev-server-2.9.4.tgz | Transitive | N/A* | ❌
CVE-2024-47764 | 5.3 | cookie-0.3.1.tgz | Transitive | 1.1.0 | ❌
CVE-2024-42460 | 5.3 | elliptic-6.4.0.tgz | Transitive | N/A* | ❌
CVE-2024-42459 | 5.3 | elliptic-6.4.0.tgz | Transitive | N/A* | ❌
CVE-2024-4067 | 5.3 | micromatch-2.3.11.tgz | Transitive | 5.0.0 | ❌
CVE-2023-44270 | 5.3 | detected in multiple dependencies | Transitive | N/A* | ❌
CVE-2022-33987 | 5.3 | got-5.7.1.tgz | Transitive | N/A* | ❌
CVE-2022-25883 | 5.3 | semver-5.4.1.tgz | Transitive | 5.0.0 | ❌
CVE-2022-24773 | 5.3 | node-forge-0.6.33.tgz | Transitive | 5.0.0 | ❌
CVE-2022-24723 | 5.3 | urijs-1.19.0.tgz | Transitive | N/A* | ❌
CVE-2022-21222 | 5.3 | css-what-2.1.0.tgz | Transitive | 1.1.0 | ❌
CVE-2022-0639 | 5.3 | detected in multiple dependencies | Transitive | 1.1.0 | ❌
CVE-2022-0512 | 5.3 | detected in multiple dependencies | Transitive | 1.1.0 | ❌
CVE-2021-3664 | 5.3 | detected in multiple dependencies | Transitive | 1.1.0 | ❌
CVE-2021-29060 | 5.3 | color-string-0.3.0.tgz | Transitive | 2.0.0 | ❌
CVE-2021-27515 | 5.3 | detected in multiple dependencies | Transitive | 1.1.0 | ❌
CVE-2021-23382 | 5.3 | detected in multiple dependencies | Transitive | 3.0.0 | ❌
CVE-2021-23362 | 5.3 | hosted-git-info-2.5.0.tgz | Transitive | 1.1.0 | ❌
CVE-2021-23343 | 5.3 | path-parse-1.0.5.tgz | Transitive | 1.1.0 | ❌
CVE-2020-8124 | 5.3 | detected in multiple dependencies | Transitive | 1.1.0 | ❌
CVE-2020-7693 | 5.3 | sockjs-0.3.18.tgz | Transitive | 3.4.2 | ❌
CVE-2020-7608 | 5.3 | detected in multiple dependencies | Transitive | 2.0.0 | ❌
CVE-2020-28500 | 5.3 | lodash-4.17.4.tgz | Transitive | N/A* | ❌
CVE-2020-28469 | 5.3 | glob-parent-2.0.0.tgz | Transitive | 5.0.0 | ❌
CVE-2018-1109 | 5.3 | braces-1.8.5.tgz | Transitive | N/A* | ❌
CVE-2017-16028 | 5.3 | randomatic-1.1.7.tgz | Transitive | 1.1.0 | ❌
WS-2019-0307 | 5.1 | mem-1.1.0.tgz | Transitive | 2.0.0 | ❌
CVE-2024-43800 | 5.0 | serve-static-1.13.1.tgz | Transitive | 1.1.0 | ❌
CVE-2024-43799 | 5.0 | send-0.16.1.tgz | Transitive | 1.1.0 | ❌
CVE-2024-43796 | 5.0 | express-4.16.2.tgz | Transitive | 1.1.0 | ❌
WS-2018-0103 | 4.8 | stringstream-0.0.5.tgz | Transitive | 1.1.0 | ❌
CVE-2024-48948 | 4.8 | elliptic-6.4.0.tgz | Transitive | N/A* | ❌
CVE-2025-32997 | 4.0 | http-proxy-middleware-0.17.4.tgz | Transitive | 5.0.0 | ❌
CVE-2025-32996 | 4.0 | http-proxy-middleware-0.17.4.tgz | Transitive | 5.0.0 | ❌
WS-2018-0589 | 3.7 | nwmatcher-1.4.3.tgz | Transitive | 1.1.0 | ❌
CVE-2025-7339 | 3.4 | on-headers-1.0.1.tgz | Transitive | 3.3.0 | ❌
CVE-2025-59437 | 3.2 | ip-1.1.5.tgz | Transitive | N/A* | ❌
CVE-2025-59436 | 3.2 | ip-1.1.5.tgz | Transitive | N/A* | ❌
CVE-2025-5889 | 3.1 | brace-expansion-1.1.8.tgz | Transitive | 1.1.0 | ❌
CVE-2025-54798 | 2.5 | tmp-0.0.33.tgz | Transitive | N/A* | ❌
CVE-2024-27088 | 0.0 | es5-ext-0.10.37.tgz | Transitive | N/A* | ❌
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
Partial details (8 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2023-42282
Vulnerable Library - ip-1.1.5.tgz
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/ip/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/ip/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - webpack-dev-server-2.9.4.tgz
    - ❌ ip-1.1.5.tgz (Vulnerable Library)
Found in HEAD commit: e512408cb0b9fc17164d22b08f507d2e41131490
Found in base branch: main
Vulnerability Details
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Publish Date: 2024-02-08
URL: CVE-2023-42282
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-78xj-cgh5-2h22
Release Date: 2024-02-08
Fix Resolution (ip): 1.1.9
Direct dependency fix Resolution (react-scripts): 1.1.0
Step up your Open Source Security Game with Mend here
CVE-2022-37601
Vulnerable Libraries - loader-utils-0.2.17.tgz, loader-utils-1.1.0.tgz
loader-utils-0.2.17.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.17.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json,/src/Middleware/SpaServices/samples/Webpack/node_modules/loader-utils/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - html-webpack-plugin-2.29.0.tgz
    - ❌ loader-utils-0.2.17.tgz (Vulnerable Library)
loader-utils-1.1.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.1.0.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/loader-utils/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - css-loader-0.28.7.tgz
    - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
Found in HEAD commit: e512408cb0b9fc17164d22b08f507d2e41131490
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (react-scripts): 4.0.0
CVE-2022-0691
Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.2.0.tgz
url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/original/node_modules/url-parse/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/original/node_modules/url-parse/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - react-dev-utils-4.2.1.tgz
    - sockjs-client-1.1.4.tgz
      - eventsource-0.1.6.tgz
        - original-1.0.0.tgz
          - ❌ url-parse-1.0.5.tgz (Vulnerable Library)
url-parse-1.2.0.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.2.0.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/url-parse/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/url-parse/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - react-dev-utils-4.2.1.tgz
    - sockjs-client-1.1.4.tgz
      - ❌ url-parse-1.2.0.tgz (Vulnerable Library)
Found in HEAD commit: e512408cb0b9fc17164d22b08f507d2e41131490
Found in base branch: main
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (react-scripts): 1.1.0
CVE-2021-44906
Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /src/SignalR/clients/ts/webdriver-tap-runner/package.json
Path to vulnerable library: /src/SignalR/clients/ts/webdriver-tap-runner/node_modules/extract-zip/node_modules/minimist/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/Angular-CSharp/ClientApp/node_modules/minimist/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/minimist/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/minimist/package.json,/src/SignalR/clients/ts/webdriver-tap-runner/node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - babel-loader-7.1.2.tgz
    - mkdirp-0.5.1.tgz
      - ❌ minimist-0.0.8.tgz (Vulnerable Library)
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/cosmiconfig/node_modules/minimist/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/Angular-CSharp/ClientApp/node_modules/meow/node_modules/minimist/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/cosmiconfig/node_modules/minimist/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/rc/node_modules/minimist/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/meow/node_modules/minimist/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/rc/node_modules/minimist/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/sane/node_modules/minimist/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/meow/node_modules/minimist/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/sane/node_modules/minimist/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - sw-precache-webpack-plugin-0.11.4.tgz
    - sw-precache-5.2.0.tgz
      - update-notifier-1.0.3.tgz
        - latest-version-2.0.0.tgz
          - package-json-2.4.0.tgz
            - registry-auth-token-3.3.1.tgz
              - rc-1.2.2.tgz
                - ❌ minimist-1.2.0.tgz (Vulnerable Library)
Found in HEAD commit: e512408cb0b9fc17164d22b08f507d2e41131490
Found in base branch: main
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (react-scripts): 1.1.0
CVE-2021-42740
Vulnerable Library - shell-quote-1.6.1.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/shell-quote/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/shell-quote/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - react-dev-utils-4.2.1.tgz
    - ❌ shell-quote-1.6.1.tgz (Vulnerable Library)
Found in HEAD commit: e512408cb0b9fc17164d22b08f507d2e41131490
Found in base branch: main
Vulnerability Details
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is [A-z] instead of the correct [A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (react-scripts): 5.0.0
CVE-2021-3918
Vulnerable Library - json-schema-0.2.3.tgz
JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /src/SignalR/clients/ts/webdriver-tap-runner/package.json
Path to vulnerable library: /src/SignalR/clients/ts/webdriver-tap-runner/node_modules/json-schema/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/json-schema/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/Angular-CSharp/ClientApp/node_modules/json-schema/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/json-schema/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - jest-20.0.4.tgz
    - jest-cli-20.0.4.tgz
      - jest-environment-jsdom-20.0.3.tgz
        - jsdom-9.12.0.tgz
          - request-2.83.0.tgz
            - http-signature-1.2.0.tgz
              - jsprim-1.4.1.tgz
                - ❌ json-schema-0.2.3.tgz (Vulnerable Library)
Found in HEAD commit: e512408cb0b9fc17164d22b08f507d2e41131490
Found in base branch: main
Vulnerability Details
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').
Publish Date: 2021-11-13
URL: CVE-2021-3918
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution (json-schema): 0.4.0
Direct dependency fix Resolution (react-scripts): 1.1.0
CVE-2020-7720
Vulnerable Library - node-forge-0.6.33.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.6.33.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/node-forge/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/node-forge/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - webpack-dev-server-2.9.4.tgz
    - selfsigned-1.10.1.tgz
      - ❌ node-forge-0.6.33.tgz (Vulnerable Library)
Found in HEAD commit: e512408cb0b9fc17164d22b08f507d2e41131490
Found in base branch: main
Vulnerability Details
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Publish Date: 2020-09-01
URL: CVE-2020-7720
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-09-01
Fix Resolution (node-forge): 0.10.0
Direct dependency fix Resolution (react-scripts): 1.1.0
CVE-2019-19919
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/handlebars/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/handlebars/package.json
Dependency Hierarchy:
- react-scripts-1.0.17.tgz (Root Library)
  - jest-20.0.4.tgz
    - jest-cli-20.0.4.tgz
      - istanbul-api-1.2.1.tgz
        - istanbul-reports-1.1.3.tgz
          - ❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in HEAD commit: e512408cb0b9fc17164d22b08f507d2e41131490
Found in base branch: main
Vulnerability Details
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's `__proto__` and `__defineGetter__` properties, which may allow an attacker to execute arbitrary code through crafted payloads. Converted from WS-2019-0368, on 2022-11-08.
Publish Date: 2019-12-20
URL: CVE-2019-19919
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-w457-6q6x-cgp9
Release Date: 2019-12-20
Fix Resolution (handlebars): 4.3.0
Direct dependency fix Resolution (react-scripts): 1.1.0