@storm-stack/core-0.47.0.tgz: 22 vulnerabilities (highest severity is: 8.6)

[mend-bolt-for-github]

Vulnerable Library - @storm-stack/core-0.47.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

Vulnerability	Severity	CVSS	Dependency	Type	Fixed in (@storm-stack/core version)	Remediation Possible**
CVE-2025-12816	High	8.6	node-forge-1.3.1.tgz	Transitive	0.48.0	❌
CVE-2026-22775	High	7.5	devalue-5.3.2.tgz	Transitive	0.48.0	❌
CVE-2026-22774	High	7.5	devalue-5.3.2.tgz	Transitive	0.48.0	❌
CVE-2025-66031	High	7.5	node-forge-1.3.1.tgz	Transitive	0.48.0	❌
CVE-2025-64756	High	7.5	detected in multiple dependencies	Transitive	0.48.0	❌
CVE-2025-15284	High	7.5	qs-6.13.0.tgz	Transitive	0.48.0	❌
CVE-2025-13465	High	7.2	lodash-4.17.21.tgz	Transitive	N/A*	❌
CVE-2025-64764	High	7.1	astro-5.14.1.tgz	Transitive	N/A*	❌
CVE-2025-66202	Medium	6.5	astro-5.14.1.tgz	Transitive	N/A*	❌
CVE-2025-64525	Medium	6.5	astro-5.14.1.tgz	Transitive	0.48.0	❌
CVE-2025-62522	Medium	6.5	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2025-61925	Medium	6.5	astro-5.14.1.tgz	Transitive	0.48.0	❌
CVE-2025-65019	Medium	5.4	detected in multiple dependencies	Transitive	0.48.0	❌
CVE-2026-24001	Medium	5.3	diff-5.2.0.tgz	Transitive	N/A*	❌
CVE-2025-66400	Medium	5.3	mdast-util-to-hast-13.2.0.tgz	Transitive	N/A*	❌
CVE-2025-66030	Medium	5.3	node-forge-1.3.1.tgz	Transitive	0.48.0	❌
CVE-2025-64765	Medium	5.3	astro-5.14.1.tgz	Transitive	N/A*	❌
CVE-2025-64718	Medium	5.3	js-yaml-4.1.0.tgz	Transitive	N/A*	❌
CVE-2025-68458	Low	3.7	webpack-5.102.0.tgz	Transitive	0.48.0	❌
CVE-2025-68157	Low	3.7	webpack-5.102.0.tgz	Transitive	0.48.0	❌
CVE-2025-64757	Low	3.5	astro-5.14.1.tgz	Transitive	N/A*	❌
CVE-2025-64745	Low	2.7	astro-5.14.1.tgz	Transitive	0.48.0	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-12816

Vulnerable Library - node-forge-1.3.1.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • cli-1.5.8.tgz
    • dev-server-1.1.4.tgz
      • webpack-dev-server-5.2.2.tgz
        • selfsigned-2.4.1.tgz
          • ❌ node-forge-1.3.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

Publish Date: 2025-11-25

URL: CVE-2025-12816

CVSS 3 Score Details (8.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5gfm-wpxj-wjgq

Release Date: 2025-11-25

Fix Resolution (node-forge): 1.3.2

Direct dependency fix Resolution (@storm-stack/core): 0.48.0

Step up your Open Source Security Game with Mend here

CVE-2026-22775

Vulnerable Library - devalue-5.3.2.tgz

Gets the job done when JSON.stringify can't

Library home page: https://registry.npmjs.org/devalue/-/devalue-5.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • astro-5.14.1.tgz
    • ❌ devalue-5.3.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the ArrayBuffer hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input. This vulnerability is fixed in 5.6.2.

Publish Date: 2026-01-15

URL: CVE-2026-22775

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-g2pg-6438-jwpf

Release Date: 2026-01-15

Fix Resolution (devalue): 5.6.2

Direct dependency fix Resolution (@storm-stack/core): 0.48.0

Step up your Open Source Security Game with Mend here

CVE-2026-22774

Vulnerable Library - devalue-5.3.2.tgz

Gets the job done when JSON.stringify can't

Library home page: https://registry.npmjs.org/devalue/-/devalue-5.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • astro-5.14.1.tgz
    • ❌ devalue-5.3.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array. This vulnerability is fixed in 5.6.2.

Publish Date: 2026-01-15

URL: CVE-2026-22774

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vw5p-8cq8-m7mv

Release Date: 2026-01-15

Fix Resolution (devalue): 5.6.2

Direct dependency fix Resolution (@storm-stack/core): 0.48.0

Step up your Open Source Security Game with Mend here

CVE-2025-66031

Vulnerable Library - node-forge-1.3.1.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • cli-1.5.8.tgz
    • dev-server-1.1.4.tgz
      • webpack-dev-server-5.2.2.tgz
        • selfsigned-2.4.1.tgz
          • ❌ node-forge-1.3.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.

Publish Date: 2025-11-26

URL: CVE-2025-66031

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-554w-wpv2-vw27

Release Date: 2025-11-26

Fix Resolution (node-forge): 1.3.2

Direct dependency fix Resolution (@storm-stack/core): 0.48.0

Step up your Open Source Security Game with Mend here

CVE-2025-64756

Vulnerable Libraries - glob-10.4.5.tgz, glob-11.0.3.tgz

glob-10.4.5.tgz

Library home page: https://registry.npmjs.org/glob/-/glob-10.4.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • esbuild-0.52.14.tgz
    • tsup-8.4.0.tgz
      • sucrase-3.35.0.tgz
        • ❌ glob-10.4.5.tgz (Vulnerable Library)

glob-11.0.3.tgz

the most correct and second fastest glob implementation in JavaScript

Library home page: https://registry.npmjs.org/glob/-/glob-11.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • build-tools-0.157.2.tgz
    • ❌ glob-11.0.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-11-17

URL: CVE-2025-64756

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5j98-mcp5-4vw2

Release Date: 2025-11-17

Fix Resolution (glob): 10.5.0

Direct dependency fix Resolution (@storm-stack/core): 0.48.0

Fix Resolution (glob): 10.5.0

Direct dependency fix Resolution (@storm-stack/core): 0.48.0

Step up your Open Source Security Game with Mend here

CVE-2025-15284

Vulnerable Library - qs-6.13.0.tgz

Library home page: https://registry.npmjs.org/qs/-/qs-6.13.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • cli-1.5.8.tgz
    • dev-server-1.1.4.tgz
      • webpack-dev-server-5.2.2.tgz
        • express-4.21.2.tgz
          • ❌ qs-6.13.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1.
SummaryThe arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable.
DetailsThe arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).
Vulnerable code (lib/parse.js:159-162):
if (root === '[]' && options.parseArrays) {
obj = utils.combine([], leaf); // No arrayLimit check
}
Working code (lib/parse.js:175):
else if (index <= options.arrayLimit) { // Limit checked here
obj = [];
obj[index] = leaf;
}
The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.
PoCTest 1 - Basic bypass:
npm install qs
const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length); // Output: 6 (should be max 5)
Test 2 - DoS demonstration:
const qs = require('qs');
const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
const result = qs.parse(attack, { arrayLimit: 100 });
console.log(result.a.length); // Output: 10000 (should be max 100)
Configuration:

• arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2)
• Use bracket notation: a[]=value (not indexed a[0]=value)
  ImpactDenial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection.
  Attack scenario:
• Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times)
• Application parses with qs.parse(query, { arrayLimit: 100 })
• qs ignores limit, parses all 100,000 elements into array
• Server memory exhausted → application crashes or becomes unresponsive
• Service unavailable for all users
  Real-world impact:
• Single malicious request can crash server
• No authentication required
• Easy to automate and scale
• Affects any endpoint parsing query strings with bracket notation

Publish Date: 2025-12-29

URL: CVE-2025-15284

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6rw7-vpxm-498p

Release Date: 2025-12-29

Fix Resolution (qs): 6.14.1

Direct dependency fix Resolution (@storm-stack/core): 0.48.0

Step up your Open Source Security Game with Mend here

CVE-2025-13465

Vulnerable Library - lodash-4.17.21.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • api-extractor-7.52.11.tgz
    • ❌ lodash-4.17.21.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched on 4.17.23

Publish Date: 2026-01-21

URL: CVE-2025-13465

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xxjr-mmjv-4gpg

Release Date: 2026-01-21

Fix Resolution: lodash-amd - 4.17.23,lodash - 4.17.23,lodash-es - 4.17.23

Step up your Open Source Security Game with Mend here

CVE-2025-64764

Vulnerable Library - astro-5.14.1.tgz

Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Library home page: https://registry.npmjs.org/astro/-/astro-5.14.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • ❌ astro-5.14.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8.

Publish Date: 2025-11-19

URL: CVE-2025-64764

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-11-19

Fix Resolution: https://github.com/withastro/astro.git - astro@5.15.8

Step up your Open Source Security Game with Mend here

CVE-2025-66202

Vulnerable Library - astro-5.14.1.tgz

Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Library home page: https://registry.npmjs.org/astro/-/astro-5.14.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • ❌ astro-5.14.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8.

Publish Date: 2025-12-08

URL: CVE-2025-66202

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-12-09

Fix Resolution: https://github.com/withastro/astro.git - astro@5.15.8

Step up your Open Source Security Game with Mend here

CVE-2025-64525

Vulnerable Library - astro-5.14.1.tgz

Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Library home page: https://registry.npmjs.org/astro/-/astro-5.14.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • ❌ astro-5.14.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers "x-forwarded-proto" and "x-forwarded-port" are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via "x-forwarded-proto"), DoS via cache poisoning (if a CDN is present), SSRF (only via "x-forwarded-proto"), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch.

Publish Date: 2025-11-13

URL: CVE-2025-64525

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hr2q-hp5q-x767

Release Date: 2025-11-13

Fix Resolution (astro): 5.15.5

Direct dependency fix Resolution (@storm-stack/core): 0.48.0

Step up your Open Source Security Game with Mend here

CVE-2025-62522

Vulnerable Libraries - vite-6.3.6.tgz, vite-7.1.5.tgz

vite-6.3.6.tgz

Native-ESM powered web dev build tool

Library home page: https://registry.npmjs.org/vite/-/vite-6.3.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • astro-5.14.1.tgz
    • ❌ vite-6.3.6.tgz (Vulnerable Library)

vite-7.1.5.tgz

Native-ESM powered web dev build tool

Library home page: https://registry.npmjs.org/vite/-/vite-7.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • ❌ vite-7.1.5.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11.

Publish Date: 2025-10-20

URL: CVE-2025-62522

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-93m4-6634-74q7

Release Date: 2025-10-20

Fix Resolution: vite - 7.0.8,vite - 5.4.21,vite - 7.1.11,vite - 6.4.1

Step up your Open Source Security Game with Mend here

CVE-2025-61925

Vulnerable Library - astro-5.14.1.tgz

Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Library home page: https://registry.npmjs.org/astro/-/astro-5.14.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • ❌ astro-5.14.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in "X-Forwarded-Host" in output when using "Astro.url" without any validation. It is common for web servers such as nginx to route requests via the "Host" header, and forward on other request headers. As such as malicious request can be sent with both a "Host" header and an "X-Forwarded-Host" header where the values do not match and the "X-Forwarded-Host" header is malicious. Astro will then return the malicious value. This could result in any usages of the "Astro.url" value in code being manipulated by a request. For example if a user follows guidance and uses "Astro.url" for a canonical link the canonical link can be manipulated to another site. It is theoretically possible that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party. As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users. Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues. This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy. Version 5.14.2 contains a fix for the issue.

Publish Date: 2025-10-10

URL: CVE-2025-61925

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5ff5-9fcw-vg88

Release Date: 2025-10-10

Fix Resolution (astro): 5.14.3

Direct dependency fix Resolution (@storm-stack/core): 0.48.0

Step up your Open Source Security Game with Mend here

CVE-2025-65019

Vulnerable Libraries - internal-helpers-0.7.3.tgz, astro-5.14.1.tgz

internal-helpers-0.7.3.tgz

Internal helpers used by core Astro packages.

Library home page: https://registry.npmjs.org/@astrojs/internal-helpers/-/internal-helpers-0.7.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • astro-5.14.1.tgz
    • ❌ internal-helpers-0.7.3.tgz (Vulnerable Library)

astro-5.14.1.tgz

Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Library home page: https://registry.npmjs.org/astro/-/astro-5.14.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • ❌ astro-5.14.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. This issue has been patched in version 5.15.9.

Publish Date: 2025-11-19

URL: CVE-2025-65019

CVSS 3 Score Details (5.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-11-19

Fix Resolution (@astrojs/internal-helpers): 0.7.5

Direct dependency fix Resolution (@storm-stack/core): 0.48.0

Fix Resolution (astro): 0.7.5

Direct dependency fix Resolution (@storm-stack/core): 0.48.0

Step up your Open Source Security Game with Mend here

CVE-2026-24001

Vulnerable Library - diff-5.2.0.tgz

Library home page: https://registry.npmjs.org/diff/-/diff-5.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • astro-5.14.1.tgz
    • ❌ diff-5.2.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters "\r", "\u2028", or "\u2029" can cause the "parsePatch" method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call "parsePatch" with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling "parsePatch" on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The "applyPatch" method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using "parsePatch". Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's patch header (also known as its "leading garbage"). A maliciously-crafted patch header of length n can take "parsePatch" O(n³) time to parse. Versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: "\r", "\u2028", or "\u2029".
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2026-01-22

URL: CVE-2026-24001

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-01-22

Fix Resolution: https://github.com/kpdecker/jsdiff.git - v4.0.4,https://github.com/kpdecker/jsdiff.git - v5.2.2,https://github.com/kpdecker/jsdiff.git - v8.0.3

Step up your Open Source Security Game with Mend here

CVE-2025-66400

Vulnerable Library - mdast-util-to-hast-13.2.0.tgz

Library home page: https://registry.npmjs.org/mdast-util-to-hast/-/mdast-util-to-hast-13.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • astro-5.14.1.tgz
    • @astrojs/markdown-remark-6.3.7.tgz
      • remark-rehype-11.1.2.tgz
        • ❌ mdast-util-to-hast-13.2.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1.

Publish Date: 2025-12-01

URL: CVE-2025-66400

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-12-01

Fix Resolution: https://github.com/syntax-tree/mdast-util-to-hast.git - 13.2.1

Step up your Open Source Security Game with Mend here

CVE-2025-66030

Vulnerable Library - node-forge-1.3.1.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • cli-1.5.8.tgz
    • dev-server-1.1.4.tgz
      • webpack-dev-server-5.2.2.tgz
        • selfsigned-2.4.1.tgz
          • ❌ node-forge-1.3.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.

Publish Date: 2025-11-26

URL: CVE-2025-66030

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-65ch-62r8-g69g

Release Date: 2025-11-26

Fix Resolution (node-forge): 1.3.2

Direct dependency fix Resolution (@storm-stack/core): 0.48.0

Step up your Open Source Security Game with Mend here

CVE-2025-64765

Vulnerable Library - astro-5.14.1.tgz

Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Library home page: https://registry.npmjs.org/astro/-/astro-5.14.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • ❌ astro-5.14.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes using encoded path variants that pass routing but bypass validation checks. This issue has been patched in version 5.15.8.

Publish Date: 2025-11-19

URL: CVE-2025-64765

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-11-19

Fix Resolution: https://github.com/withastro/astro.git - astro@5.15.8

Step up your Open Source Security Game with Mend here

CVE-2025-64718

Vulnerable Library - js-yaml-4.1.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • astro-5.14.1.tgz
    • ❌ js-yaml-4.1.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution ("proto"). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using "node --disable-proto=delete" or "deno" (in Deno, pollution protection is on by default).

Publish Date: 2025-11-13

URL: CVE-2025-64718

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-mh29-5h37-fv8m

Release Date: 2025-11-13

Fix Resolution: js-yaml - 4.1.1,js-yaml - 3.14.2

Step up your Open Source Security Game with Mend here

CVE-2025-68458

Vulnerable Library - webpack-5.102.0.tgz

Packs ECMAScript/CommonJs/AMD modules for the browser. Allows you to split your codebase into multiple bundles, which can be loaded on demand. Supports loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.

Library home page: https://registry.npmjs.org/webpack/-/webpack-5.102.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • ❌ webpack-5.102.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.

Publish Date: 2026-02-05

URL: CVE-2025-68458

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GHSA-8fgc-7cc6-rx7x

Release Date: 2026-02-05

Fix Resolution (webpack): 5.104.1

Direct dependency fix Resolution (@storm-stack/core): 0.48.0

Step up your Open Source Security Game with Mend here

CVE-2025-68157

Vulnerable Library - webpack-5.102.0.tgz

Packs ECMAScript/CommonJs/AMD modules for the browser. Allows you to split your codebase into multiple bundles, which can be loaded on demand. Supports loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.

Library home page: https://registry.npmjs.org/webpack/-/webpack-5.102.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • ❌ webpack-5.102.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.

Publish Date: 2026-02-05

URL: CVE-2025-68157

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GHSA-38r7-794h-5758

Release Date: 2026-02-05

Fix Resolution (webpack): 5.104.0

Direct dependency fix Resolution (@storm-stack/core): 0.48.0

Step up your Open Source Security Game with Mend here

CVE-2025-64757

Vulnerable Library - astro-5.14.1.tgz

Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Library home page: https://registry.npmjs.org/astro/-/astro-5.14.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • ❌ astro-5.14.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3.

Publish Date: 2025-11-19

URL: CVE-2025-64757

CVSS 3 Score Details (3.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-11-19

Fix Resolution: https://github.com/withastro/astro.git - astro@5.14.3

Step up your Open Source Security Game with Mend here

CVE-2025-64745

Vulnerable Library - astro-5.14.1.tgz

Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Library home page: https://registry.npmjs.org/astro/-/astro-5.14.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @storm-stack/core-0.47.0.tgz (Root Library)
  • ❌ astro-5.14.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the "trailingSlash" configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. Version 5.15.6 fixes the issue.

Publish Date: 2025-11-13

URL: CVE-2025-64745

CVSS 3 Score Details (2.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w2vj-39qv-7vh7

Release Date: 2025-11-13

Fix Resolution (astro): 5.15.6

Direct dependency fix Resolution (@storm-stack/core): 0.48.0

Step up your Open Source Security Game with Mend here