[Security] 10 known vulnerabilities found (CRITICAL severity) #2171
Description
Vulnerability Report
Hi there! We found 10 known vulnerabilities in this project's dependencies during a routine open-source security scan.
| CVE | Package | Current | Fixed | Severity | CVSS | EPSS |
|---|---|---|---|---|---|---|
| CVE-2021-44906 | minimist | 1.2.5 | 1.2.6 | CRITICAL | 9.8 | 0.88% |
| CVE-2023-28154 | webpack | 5.70.0 | 5.76.0 | CRITICAL | 9.8 | 1.24% |
| CVE-2023-23630 | eta | 1.12.3 | 2.0.0 | HIGH | 8.6 | 0.40% |
| CVE-2022-25967 | eta | 1.12.3 | 2.0.0 | HIGH | 8.1 | 14.70% |
| CVE-2021-43138 | async | 2.6.3 | 3.2.2 | HIGH | 7.8 | 0.68% |
| CVE-2024-21536 | http-proxy-middleware | 2.0.3 | 2.0.7 | HIGH | 7.5 | 0.35% |
| CVE-2022-3517 | minimatch | 3.0.4 | 3.0.5 | HIGH | 7.5 | 0.45% |
| CVE-2022-24771 | node-forge | 1.2.1 | 1.3.0 | HIGH | 7.5 | 0.14% |
| CVE-2022-24772 | node-forge | 1.2.1 | 1.3.0 | HIGH | 7.5 | 0.16% |
| CVE-2024-37890 | ws | 7.5.7 | 5.2.4 | HIGH | 7.5 | 0.54% |
Detailed analysis
CVE-2021-44906 — minimist@1.2.5
Prototype Pollution in minimist
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
- Priority: HIGH
- Recommended action: SCHEDULE PATCH
- Reasoning: CVSS 9.8 indicates critical severity with network-accessible attack vector requiring no privileges or user interaction, but scanner marked as LOW severity which is incorrect. Package version 1.2.5 is vulnerable (fixed in 1.2.6). Low EPSS (0.00882) and no KEV listing suggest limited active exploitation. Prototype pollution can lead to severe security issues but requires scheduling rather than immediate patching due to exploitation probability.
CVE-2023-28154 — webpack@5.70.0
Cross-realm object access in Webpack 5
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
- Priority: HIGH
- Recommended action: SCHEDULE PATCH
- Reasoning: Critical CVSS 9.8 vulnerability with network vector requiring no privileges or user interaction, indicating severe exploitability. However, very low EPSS (0.01242) suggests minimal real-world exploitation activity. Not on KEV list. The scanner's LOW severity appears inaccurate given the 9.8 CVSS score. Package version 5.70.0 is below the fixed version 5.76.0, making patching feasible.
CVE-2023-23630 — eta@1.12.3
XSS Attack with Express API
Eta is an embedded JS templating engine that works inside Node, Deno, and the browser. XSS attack - anyone using the Express API is impacted. The problem has been resolved. Users should upgrade to version 2.0.0. As a workaround, don't pass user supplied things directly to res.render.
- Priority: HIGH
- Recommended action: PATCH IMMEDIATELY
- Reasoning: CVSS 8.6 with network-accessible, no authentication required XSS vulnerability contradicts LOW scanner severity. Patch available (upgrade to 2.0.0). Despite low EPSS, the high CVSS and availability of fix warrant immediate patching.
CVE-2022-25967 — eta@1.12.3
Eta vulnerable to Code Injection via templates rendered with user-defined data
Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from the Express render API.
Note: This is exploitable only for users who are rendering templates with user-defined data.
- Priority: HIGH
- Recommended action: SCHEDULE PATCH
- Reasoning: CVSS 8.1 indicates high severity RCE potential, but LOW scanner severity and moderate EPSS (0.147) suggest limited real-world exploitation. High attack complexity (AC:H) and specific exploitation conditions (user-defined template data) reduce immediate risk. Package version 1.12.3 is below fixed version 2.0.0. Override scanner severity due to RCE impact despite exploitation constraints.
CVE-2021-43138 — async@2.6.3
Prototype Pollution in async
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
- Priority: HIGH
- Recommended action: SCHEDULE PATCH
- Reasoning: CVSS 7.8 indicates high severity with potential for complete system compromise (C:H/I:H/A:H), but local attack vector and user interaction required limit immediate risk. Package version 2.6.3 is vulnerable with fix available in 2.6.4. Low EPSS score and no KEV listing suggest limited active exploitation. Prototype pollution can lead to privilege escalation warranting prompt patching.
CVE-2024-21536 — http-proxy-middleware@2.0.3
Denial of service in http-proxy-middleware
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
- Priority: HIGH
- Recommended action: PATCH IMMEDIATELY
- Reasoning: Scanner severity of LOW contradicts CVSS 7.5 (HIGH). This is a network-accessible DoS vulnerability requiring no privileges or user interaction that can crash the server. Despite low EPSS, the ease of exploitation and service impact warrant immediate patching.
CVE-2022-3517 — minimatch@3.0.4
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
- Priority: HIGH
- Recommended action: SCHEDULE PATCH
- Reasoning: CVSS 7.5 indicates high severity due to network accessibility with no authentication required, causing high availability impact. Scanner severity of LOW appears inaccurate given the CVSS score. While EPSS is low (0.00452), the ease of exploitation (AV:N/AC:L/PR:N/UI:N) and potential for denial of service warrant prioritized patching.
CVE-2022-24771 — node-forge@1.2.1
Improper Verification of Cryptographic Signature in node-forge
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unch...
- Priority: HIGH
- Recommended action: SCHEDULE PATCH
- Reasoning: CVSS 7.5 with network attack vector and no authentication required indicates significant risk despite low EPSS. The vulnerability allows signature forgery in cryptographic operations, which is a critical security control. Scanner severity of LOW appears inaccurate given the HIGH integrity impact and cryptographic nature. Patch is available in version 1.3.0.
CVE-2022-24772 — node-forge@1.2.1
Improper Verification of Cryptographic Signature in node-forge
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for trailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be remove...
- Priority: HIGH
- Recommended action: SCHEDULE PATCH
- Reasoning: Scanner severity of LOW contradicts CVSS 7.5 (High). This is a cryptographic signature verification bypass (CWE-347) with network attack vector requiring no privileges or user interaction. Despite low EPSS (0.00157), the high impact on integrity and availability of a patch (node-forge 1.3.0) make this a clear candidate for patching. The vulnerability allows signature forgery which could have serious security implications.
CVE-2024-37890 — ws@7.5.7
ws affected by a DoS when handling a request with many HTTP headers
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2....
- Priority: HIGH
- Recommended action: PATCH IMMEDIATELY
- Reasoning: CVSS 7.5 with network-accessible DoS vulnerability affecting ws package. Scanner severity of LOW is inaccurate given CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicates high availability impact with no authentication required. Package ws@7.5.7 is vulnerable with fixes available in ws@7.5.10. Despite low EPSS (0.00541), the ease of exploitation and availability of proof-of-concept code warrant immediate patching.
Recommended Fix
Update the following dependencies:
- Update minimist to version 1.2.6 or later
- Update webpack to version 5.76.0 or later
- Update eta to version 2.0.0 or later
- Update async to version 3.2.2 or later
- Update http-proxy-middleware to version 2.0.7 or later
- Update minimatch to version 3.0.5 or later
- Update node-forge to version 1.3.0 or later
- Update ws to version 5.2.4 or later
This issue was generated by CVERiskPilot — an AI-powered vulnerability triage and compliance platform. Our scanner analyzed this project's dependency tree and cross-referenced findings against NVD, EPSS (exploit probability), and CISA KEV (known exploited vulnerabilities) data.
If this issue is not relevant or was filed in error, please close it and we apologize for the noise. We aim to only report actionable, high-severity findings with available fixes.