react-scripts-3.4.4.tgz: 49 vulnerabilities (highest severity is: 9.8) reachable

[mend-for-jackfan.us.kg]

Vulnerable Library - react-scripts-3.4.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Found in HEAD commit: a3ba1679b8965c9f00f5ca1f92a5800372757c57

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (react-scripts version)	Remediation Possible**	Reachability
CVE-2024-45296	High	7.5	path-to-regexp-0.1.7.tgz	Transitive	4.0.0	✅	Reachable
CVE-2024-47764	Medium	5.3	cookie-0.5.0.tgz	Transitive	N/A*	❌	Reachable
CVE-2024-43800	Medium	5.0	serve-static-1.15.0.tgz	Transitive	N/A*	❌	Reachable
CVE-2024-43799	Medium	5.0	send-0.18.0.tgz	Transitive	N/A*	❌	Reachable
CVE-2023-42282	Critical	9.8	ip-1.1.8.tgz	Transitive	4.0.0	✅	Unreachable
CVE-2022-37601	Critical	9.8	detected in multiple dependencies	Transitive	5.0.0	✅	Unreachable
CVE-2021-42740	Critical	9.8	shell-quote-1.7.2.tgz	Transitive	5.0.0	✅	Unreachable
CVE-2021-3757	Critical	9.8	immer-1.10.0.tgz	Transitive	5.0.0	✅	Unreachable
CVE-2023-45133	Critical	9.3	traverse-7.18.2.tgz	Transitive	4.0.0	✅	Unreachable
CVE-2024-48949	Critical	9.1	elliptic-6.5.4.tgz	Transitive	4.0.0	✅	Unreachable
CVE-2024-29415	Critical	9.1	ip-1.1.8.tgz	Transitive	N/A*	❌	Unreachable
CVE-2024-4068	High	7.5	detected in multiple dependencies	Transitive	N/A*	❌	Unreachable
CVE-2024-37890	High	7.5	detected in multiple dependencies	Transitive	4.0.0	✅	Unreachable
CVE-2022-38900	High	7.5	decode-uri-component-0.2.0.tgz	Transitive	4.0.0	✅	Unreachable
CVE-2022-37603	High	7.5	detected in multiple dependencies	Transitive	4.0.0	✅	Unreachable
CVE-2022-37599	High	7.5	loader-utils-2.0.2.tgz	Transitive	5.0.0	✅	Unreachable
CVE-2022-3517	High	7.5	minimatch-3.0.4.tgz	Transitive	N/A*	❌	Unreachable
CVE-2022-24772	High	7.5	node-forge-0.10.0.tgz	Transitive	5.0.0	✅	Unreachable
CVE-2022-24771	High	7.5	node-forge-0.10.0.tgz	Transitive	5.0.0	✅	Unreachable
CVE-2021-3803	High	7.5	nth-check-1.0.2.tgz	Transitive	N/A*	❌	Unreachable
CVE-2021-23424	High	7.5	ansi-html-0.0.7.tgz	Transitive	5.0.0	✅	Unreachable
CVE-2020-28477	High	7.5	immer-1.10.0.tgz	Transitive	4.0.0	✅	Unreachable
CVE-2024-29180	High	7.4	webpack-dev-middleware-3.7.3.tgz	Transitive	5.0.0	✅	Unreachable
CVE-2023-26159	High	7.3	follow-redirects-1.15.1.tgz	Transitive	N/A*	❌	Unreachable
CVE-2022-46175	High	7.1	detected in multiple dependencies	Transitive	4.0.0	✅	Unreachable
WS-2022-0008	Medium	6.6	node-forge-0.10.0.tgz	Transitive	5.0.0	✅	Unreachable
CVE-2024-28849	Medium	6.5	follow-redirects-1.15.1.tgz	Transitive	N/A*	❌	Unreachable
CVE-2023-46234	Medium	6.5	browserify-sign-4.2.1.tgz	Transitive	4.0.0	✅	Unreachable
CVE-2023-26136	Medium	6.5	tough-cookie-2.5.0.tgz	Transitive	4.0.0	✅	Unreachable
CVE-2024-43788	Medium	6.4	webpack-4.42.0.tgz	Transitive	N/A*	❌	Unreachable
CVE-2023-28155	Medium	6.1	request-2.88.2.tgz	Transitive	N/A*	❌	Unreachable
CVE-2022-0122	Medium	6.1	node-forge-0.10.0.tgz	Transitive	5.0.0	✅	Unreachable
CVE-2021-24033	Medium	5.6	react-dev-utils-10.2.1.tgz	Transitive	4.0.0	✅	Unreachable
CVE-2021-23436	Medium	5.6	immer-1.10.0.tgz	Transitive	5.0.0	✅	Unreachable
CVE-2024-4067	Medium	5.3	micromatch-3.1.10.tgz	Transitive	5.0.0	✅	Unreachable
CVE-2023-44270	Medium	5.3	detected in multiple dependencies	Transitive	N/A*	❌	Unreachable
CVE-2023-26115	Medium	5.3	word-wrap-1.2.3.tgz	Transitive	4.0.0	✅	Unreachable
CVE-2022-25883	Medium	5.3	detected in multiple dependencies	Transitive	N/A*	❌	Unreachable
CVE-2022-24773	Medium	5.3	node-forge-0.10.0.tgz	Transitive	5.0.0	✅	Unreachable
CVE-2021-23382	Medium	5.3	postcss-7.0.21.tgz	Transitive	4.0.0	✅	Unreachable
CVE-2021-23368	Medium	5.3	postcss-7.0.21.tgz	Transitive	4.0.0	✅	Unreachable
CVE-2021-23364	Medium	5.3	browserslist-4.10.0.tgz	Transitive	5.0.0	✅	Unreachable
CVE-2020-28469	Medium	5.3	glob-parent-3.1.0.tgz	Transitive	5.0.0	✅	Unreachable
CVE-2024-27088	Low	0.0	es5-ext-0.10.61.tgz	Transitive	4.0.0	✅	Unreachable
CVE-2024-52798	High	7.5	path-to-regexp-0.1.7.tgz	Transitive	4.0.0	✅
CVE-2024-21538	High	7.5	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2024-21536	High	7.5	http-proxy-middleware-0.19.1.tgz	Transitive	5.0.0	✅
CVE-2024-11831	Medium	5.4	serialize-javascript-4.0.0.tgz	Transitive	N/A*	❌
CVE-2024-48948	Medium	4.8	elliptic-6.5.4.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (15 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2024-45296

Vulnerable Library - path-to-regexp-0.1.7.tgz

Express style path to RegExp utility

Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/path-to-regexp/package.json,/backend/node_modules/path-to-regexp/package.json,/frontend/node_modules/express/node_modules/path-to-regexp/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • webpack-dev-server-3.11.0.tgz
    • express-4.18.1.tgz
      • ❌ path-to-regexp-0.1.7.tgz (Vulnerable Library)

Found in HEAD commit: a3ba1679b8965c9f00f5ca1f92a5800372757c57

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

damn-vulnerable-crypto-app-backend-1.0.0/src/middlewares/cspMiddleware.ts (Application)
  -> express-4.18.1/index.js (Extension)
   -> express-4.18.1/lib/express.js (Extension)
    -> express-4.18.1/lib/router/index.js (Extension)
     -> express-4.18.1/lib/router/layer.js (Extension)
      -> ❌ path-to-regexp-0.1.7/index.js (Vulnerable Component)

Vulnerability Details

path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

Publish Date: 2024-09-09

URL: CVE-2024-45296

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9wv6-86v2-598j

Release Date: 2024-09-09

Fix Resolution (path-to-regexp): 0.1.10

Direct dependency fix Resolution (react-scripts): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-47764

Vulnerable Library - cookie-0.5.0.tgz

HTTP server cookie parsing and serialization

Library home page: https://registry.npmjs.org/cookie/-/cookie-0.5.0.tgz

Path to dependency file: /backend/package.json

Path to vulnerable library: /backend/node_modules/express/node_modules/cookie/package.json,/node_modules/cookie/package.json,/frontend/node_modules/cookie/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • webpack-dev-server-3.11.0.tgz
    • express-4.18.1.tgz
      • ❌ cookie-0.5.0.tgz (Vulnerable Library)

Found in HEAD commit: a3ba1679b8965c9f00f5ca1f92a5800372757c57

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

damn-vulnerable-crypto-app-backend-1.0.0/src/middlewares/cspMiddleware.ts (Application)
  -> express-4.18.1/index.js (Extension)
   -> express-4.18.1/lib/express.js (Extension)
    -> express-4.18.1/lib/response.js (Extension)
     -> ❌ cookie-0.5.0/index.js (Vulnerable Component)

Vulnerability Details

cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Publish Date: 2024-10-04

URL: CVE-2024-47764

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pxg6-pf52-xh8x

Release Date: 2024-10-04

Fix Resolution: cookie - 0.7.0

CVE-2024-43800

Vulnerable Library - serve-static-1.15.0.tgz

Serve static files

Library home page: https://registry.npmjs.org/serve-static/-/serve-static-1.15.0.tgz

Path to dependency file: /backend/package.json

Path to vulnerable library: /backend/node_modules/serve-static/package.json,/frontend/node_modules/serve-static/package.json,/node_modules/serve-static/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • webpack-dev-server-3.11.0.tgz
    • express-4.18.1.tgz
      • ❌ serve-static-1.15.0.tgz (Vulnerable Library)

Found in HEAD commit: a3ba1679b8965c9f00f5ca1f92a5800372757c57

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

damn-vulnerable-crypto-app-backend-1.0.0/src/middlewares/cspMiddleware.ts (Application)
  -> express-4.18.1/index.js (Extension)
   -> express-4.18.1/lib/express.js (Extension)
    -> ❌ serve-static-1.15.0/index.js (Vulnerable Component)

Vulnerability Details

serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.

Publish Date: 2024-09-10

URL: CVE-2024-43800

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cm22-4g7w-348p

Release Date: 2024-09-10

Fix Resolution: serve-static - 1.16.0,2.1.0

CVE-2024-43799

Vulnerable Library - send-0.18.0.tgz

Better streaming static file server with Range and conditional-GET support

Library home page: https://registry.npmjs.org/send/-/send-0.18.0.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/send/package.json,/node_modules/send/package.json,/backend/node_modules/send/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • webpack-dev-server-3.11.0.tgz
    • express-4.18.1.tgz
      • ❌ send-0.18.0.tgz (Vulnerable Library)

Found in HEAD commit: a3ba1679b8965c9f00f5ca1f92a5800372757c57

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

damn-vulnerable-crypto-app-backend-1.0.0/src/middlewares/cspMiddleware.ts (Application)
  -> express-4.18.1/index.js (Extension)
   -> express-4.18.1/lib/express.js (Extension)
    -> express-4.18.1/lib/response.js (Extension)
     -> ❌ send-0.18.0/index.js (Vulnerable Component)

Vulnerability Details

Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.

Publish Date: 2024-09-10

URL: CVE-2024-43799

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-m6fv-jmcg-4jfg

Release Date: 2024-09-10

Fix Resolution: send - 0.19.0

CVE-2023-42282

Vulnerable Library - ip-1.1.8.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ip/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • webpack-dev-server-3.11.0.tgz
    • ❌ ip-1.1.8.tgz (Vulnerable Library)

Found in HEAD commit: a3ba1679b8965c9f00f5ca1f92a5800372757c57

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-78xj-cgh5-2h22

Release Date: 2024-02-08

Fix Resolution (ip): 1.1.9

Direct dependency fix Resolution (react-scripts): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-37601

Vulnerable Libraries - loader-utils-2.0.2.tgz, loader-utils-1.4.0.tgz, loader-utils-1.2.3.tgz

loader-utils-2.0.2.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/adjust-sourcemap-loader/node_modules/loader-utils/package.json,/frontend/node_modules/loader-utils/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • resolve-url-loader-3.1.2.tgz
    • adjust-sourcemap-loader-3.0.0.tgz
      • ❌ loader-utils-2.0.2.tgz (Vulnerable Library)

loader-utils-1.4.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/loader-utils/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • file-loader-4.3.0.tgz
    • ❌ loader-utils-1.4.0.tgz (Vulnerable Library)

loader-utils-1.2.3.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/react-dev-utils/node_modules/loader-utils/package.json,/node_modules/resolve-url-loader/node_modules/loader-utils/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • resolve-url-loader-3.1.2.tgz
    • ❌ loader-utils-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: a3ba1679b8965c9f00f5ca1f92a5800372757c57

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution (loader-utils): 2.0.3

Direct dependency fix Resolution (react-scripts): 5.0.0

Fix Resolution (loader-utils): 2.0.3

Direct dependency fix Resolution (react-scripts): 5.0.0

Fix Resolution (loader-utils): 2.0.3

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-42740

Vulnerable Library - shell-quote-1.7.2.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/shell-quote/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • react-dev-utils-10.2.1.tgz
    • ❌ shell-quote-1.7.2.tgz (Vulnerable Library)

Found in HEAD commit: a3ba1679b8965c9f00f5ca1f92a5800372757c57

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution (shell-quote): 1.7.3

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-3757

Vulnerable Library - immer-1.10.0.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/immer/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • react-dev-utils-10.2.1.tgz
    • ❌ immer-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: a3ba1679b8965c9f00f5ca1f92a5800372757c57

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-09-02

URL: CVE-2021-3757

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa/

Release Date: 2021-09-02

Fix Resolution (immer): 9.0.6

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-45133

Vulnerable Library - traverse-7.18.2.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.18.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@babel/traverse/package.json,/frontend/node_modules/@babel/traverse/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • webpack-4.3.3.tgz
    • core-7.18.2.tgz
      • ❌ traverse-7.18.2.tgz (Vulnerable Library)

Found in HEAD commit: a3ba1679b8965c9f00f5ca1f92a5800372757c57

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Babel is a compiler for writingJavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected] and @babel/[email protected]. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.

Publish Date: 2023-10-12

URL: CVE-2023-45133

CVSS 3 Score Details (9.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-67hx-6x53-jw92

Release Date: 2023-10-12

Fix Resolution (@babel/traverse): 7.23.2

Direct dependency fix Resolution (react-scripts): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-48949

Vulnerable Library - elliptic-6.5.4.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/elliptic/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • webpack-4.42.0.tgz
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • create-ecdh-4.0.4.tgz
          • ❌ elliptic-6.5.4.tgz (Vulnerable Library)

Found in HEAD commit: a3ba1679b8965c9f00f5ca1f92a5800372757c57

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

Publish Date: 2024-10-10

URL: CVE-2024-48949

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-48949

Release Date: 2024-10-10

Fix Resolution (elliptic): 6.5.6

Direct dependency fix Resolution (react-scripts): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-29415

Vulnerable Library - ip-1.1.8.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ip/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • webpack-dev-server-3.11.0.tgz
    • ❌ ip-1.1.8.tgz (Vulnerable Library)

Found in HEAD commit: a3ba1679b8965c9f00f5ca1f92a5800372757c57

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Mend Note: We assigned a different CVSS score to this CVE because of its potential to result in a Server-Side Request Forgery (SSRF) vulnerability. Additionally, the package is no longer maintained, which increases the associated risk.

Publish Date: 2024-05-27

URL: CVE-2024-29415

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2024-4068

Vulnerable Libraries - braces-2.3.2.tgz, braces-3.0.2.tgz

braces-2.3.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/braces/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • webpack-dev-server-3.11.0.tgz
    • chokidar-2.1.8.tgz
      • ❌ braces-2.3.2.tgz (Vulnerable Library)

braces-3.0.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/watchpack/node_modules/braces/package.json,/frontend/node_modules/braces/package.json,/node_modules/fork-ts-checker-webpack-plugin/node_modules/braces/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • webpack-4.42.0.tgz
    • watchpack-1.7.5.tgz
      • chokidar-3.5.3.tgz
        • ❌ braces-3.0.2.tgz (Vulnerable Library)

Found in HEAD commit: a3ba1679b8965c9f00f5ca1f92a5800372757c57

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.

Publish Date: 2024-05-13

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution: braces - 3.0.3

CVE-2024-37890

Vulnerable Libraries - ws-5.2.3.tgz, ws-6.2.2.tgz

ws-5.2.3.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-5.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jest-environment-jsdom/node_modules/ws/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • jest-24.9.0.tgz
    • jest-cli-24.9.0.tgz
      • jest-config-24.9.0.tgz
        • jest-environment-jsdom-24.9.0.tgz
          • jsdom-11.12.0.tgz
            • ❌ ws-5.2.3.tgz (Vulnerable Library)

ws-6.2.2.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-6.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ws/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • webpack-dev-server-3.11.0.tgz
    • ❌ ws-6.2.2.tgz (Vulnerable Library)

Found in HEAD commit: a3ba1679b8965c9f00f5ca1f92a5800372757c57

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and [email protected] (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

Publish Date: 2024-06-17

URL: CVE-2024-37890

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3h5v-q93c-6h6q

Release Date: 2024-06-17

Fix Resolution (ws): 5.2.4

Direct dependency fix Resolution (react-scripts): 4.0.0

Fix Resolution (ws): 5.2.4

Direct dependency fix Resolution (react-scripts): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-38900

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decode-uri-component/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • resolve-url-loader-3.1.2.tgz
    • rework-1.0.1.tgz
      • css-2.2.4.tgz
        • source-map-resolve-0.5.3.tgz
          • ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)

Found in HEAD commit: a3ba1679b8965c9f00f5ca1f92a5800372757c57

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w573-4hg7-7wgq

Release Date: 2022-11-28

Fix Resolution (decode-uri-component): 0.2.1

Direct dependency fix Resolution (react-scripts): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-37603

Vulnerable Libraries - loader-utils-1.4.0.tgz, loader-utils-2.0.2.tgz, loader-utils-1.2.3.tgz

loader-utils-1.4.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/loader-utils/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • file-loader-4.3.0.tgz
    • ❌ loader-utils-1.4.0.tgz (Vulnerable Library)

loader-utils-2.0.2.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/adjust-sourcemap-loader/node_modules/loader-utils/package.json,/frontend/node_modules/loader-utils/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • resolve-url-loader-3.1.2.tgz
    • adjust-sourcemap-loader-3.0.0.tgz
      • ❌ loader-utils-2.0.2.tgz (Vulnerable Library)

loader-utils-1.2.3.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/react-dev-utils/node_modules/loader-utils/package.json,/node_modules/resolve-url-loader/node_modules/loader-utils/package.json

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • resolve-url-loader-3.1.2.tgz
    • ❌ loader-utils-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: a3ba1679b8965c9f00f5ca1f92a5800372757c57

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.

Publish Date: 2022-10-14

URL: CVE-2022-37603

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3rfm-jhwj-7488

Release Date: 2022-10-14

Fix Resolution (loader-utils): 1.4.2

Direct dependency fix Resolution (react-scripts): 4.0.0

Fix Resolution (loader-utils): 1.4.2

Direct dependency fix Resolution (react-scripts): 4.0.0

Fix Resolution (loader-utils): 1.4.2

Direct dependency fix Resolution (react-scripts): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.