Skip to content

WS-2018-0588 (High) detected in querystringify-0.0.4.tgz, querystringify-1.0.0.tgz #243

New issue
New issue
Open
Open
WS-2018-0588 (High) detected in querystringify-0.0.4.tgz, querystringify-1.0.0.tgz#243
Labels
security vulnerabilitySecurity vulnerability detected by WhiteSource
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Dec 2, 2020

WS-2018-0588 - High Severity Vulnerability

Vulnerable Libraries - querystringify-0.0.4.tgz, querystringify-1.0.0.tgz

querystringify-0.0.4.tgz

Querystringify - Small, simple but powerful query string parser.

Library home page: https://registry.npmjs.org/querystringify/-/querystringify-0.0.4.tgz

Path to dependency file: react-16.0.0/fixtures/fiber-debugger/node_modules/querystringify/package.json

Path to vulnerable library: react-16.0.0/fixtures/fiber-debugger/node_modules/querystringify/package.json,react-16.0.0/fixtures/ssr/node_modules/querystringify/package.json,react-16.0.0/fixtures/dom/node_modules/querystringify/package.json,react-16.0.0/fixtures/attribute-behavior/node_modules/querystringify/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • react-error-overlay-1.0.10.tgz
      • react-dev-utils-3.1.1.tgz
        • sockjs-client-1.1.4.tgz
          • eventsource-0.1.6.tgz
            • original-1.0.0.tgz
              • url-parse-1.0.5.tgz
                • querystringify-0.0.4.tgz (Vulnerable Library)
querystringify-1.0.0.tgz

Querystringify - Small, simple but powerful query string parser.

Library home page: https://registry.npmjs.org/querystringify/-/querystringify-1.0.0.tgz

Path to dependency file: react-16.0.0/fixtures/dom/node_modules/querystringify/package.json

Path to vulnerable library: react-16.0.0/fixtures/dom/node_modules/querystringify/package.json,react-16.0.0/fixtures/attribute-behavior/node_modules/querystringify/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • react-error-overlay-1.0.10.tgz
      • react-dev-utils-3.1.1.tgz
        • sockjs-client-1.1.4.tgz
          • url-parse-1.1.9.tgz
            • querystringify-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 2a806761a8d27ad65d559febfdab96cc7efdbee5

Vulnerability Details

A vulnerability was found in querystringify before 2.0.0. It's possible to override built-in properties of the resulting query string object if a malicious string is inserted in the query string.

Publish Date: 2018-04-19

URL: WS-2018-0588

CVSS 2 Score Details (7.6)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: unshiftio/querystringify@422eb4f

Release Date: 2019-06-04

Fix Resolution: 2.0.0

Metadata

Metadata

Assignees

No one assigned

    Labels

    security vulnerabilitySecurity vulnerability detected by WhiteSource

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions