discord.js-14.6.0.tgz: 10 vulnerabilities (highest severity is: 7.5) #2
Description
Vulnerable Library - discord.js-14.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (discord.js version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-37890 |  High |
7.5 | ws-8.10.0.tgz | Transitive | 14.7.0 | ❌ |
| CVE-2023-24807 | High |
7.5 | undici-5.12.0.tgz | Transitive | N/A* | ❌ |
| CVE-2025-22150 |  Medium |
6.8 | undici-5.12.0.tgz | Transitive | 14.15.0 | ❌ |
| CVE-2023-23936 | Medium |
6.5 | undici-5.12.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-22036 | Medium |
5.9 | undici-5.12.0.tgz | Transitive | 15.0.0-core-gateway-rl.1762368996-5fa92a1ea | ❌ |
| CVE-2024-30260 |  Low |
3.9 | undici-5.12.0.tgz | Transitive | N/A* | ❌ |
| CVE-2024-24758 | Low |
3.9 | undici-5.12.0.tgz | Transitive | N/A* | ❌ |
| CVE-2023-45143 | Low |
3.9 | undici-5.12.0.tgz | Transitive | N/A* | ❌ |
| CVE-2025-47279 | Low |
3.1 | undici-5.12.0.tgz | Transitive | 14.15.0 | ❌ |
| CVE-2024-30261 | Low |
2.6 | undici-5.12.0.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-37890
Vulnerable Library - ws-8.10.0.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-8.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ws/package.json
Dependency Hierarchy:
- discord.js-14.6.0.tgz (Root Library)
- ❌ ws-8.10.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: 2024-06-17
URL: CVE-2024-37890
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3h5v-q93c-6h6q
Release Date: 2024-06-17
Fix Resolution (ws): 8.17.1
Direct dependency fix Resolution (discord.js): 14.7.0
Step up your Open Source Security Game with Mend here
CVE-2023-24807
Vulnerable Library - undici-5.12.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- discord.js-14.6.0.tgz (Root Library)
- ❌ undici-5.12.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the "Headers.set()" and "Headers.append()" methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the "headerValueNormalize()" utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-02-16
URL: CVE-2023-24807
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-r6ch-mqf9-qc9w
Release Date: 2023-02-16
Fix Resolution: undici - 5.19.1
Step up your Open Source Security Game with Mend here
CVE-2025-22150
Vulnerable Library - undici-5.12.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- discord.js-14.6.0.tgz (Root Library)
- ❌ undici-5.12.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses "Math.random()" to choose the boundary for a multipart/form-data request. It is known that the output of "Math.random()" can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-01-21
URL: CVE-2025-22150
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-c76h-2ccp-4975
Release Date: 2025-01-21
Fix Resolution (undici): 5.28.5
Direct dependency fix Resolution (discord.js): 14.15.0
Step up your Open Source Security Game with Mend here
CVE-2023-23936
Vulnerable Library - undici-5.12.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- discord.js-14.6.0.tgz (Root Library)
- ❌ undici-5.12.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect "host" HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the "headers.host" string before passing to undici.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-02-16
URL: CVE-2023-23936
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-5r9g-qh6m-jxff
Release Date: 2023-02-16
Fix Resolution: undici - 5.19.1
Step up your Open Source Security Game with Mend here
CVE-2026-22036
Vulnerable Library - undici-5.12.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- discord.js-14.6.0.tgz (Root Library)
- ❌ undici-5.12.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
Publish Date: 2026-01-14
URL: CVE-2026-22036
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-g9mf-h72j-4rw9
Release Date: 2026-01-14
Fix Resolution (undici): 6.23.0
Direct dependency fix Resolution (discord.js): 15.0.0-core-gateway-rl.1762368996-5fa92a1ea
Step up your Open Source Security Game with Mend here
CVE-2024-30260
Vulnerable Library - undici-5.12.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- discord.js-14.6.0.tgz (Root Library)
- ❌ undici-5.12.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for "fetch()", but did not clear them for "undici.request()". This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-04-04
URL: CVE-2024-30260
CVSS 3 Score Details (3.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-m4v8-wqvr-p9f7
Release Date: 2024-04-04
Fix Resolution: undici - 6.11.1,undici - 5.28.4
Step up your Open Source Security Game with Mend here
CVE-2024-24758
Vulnerable Library - undici-5.12.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- discord.js-14.6.0.tgz (Root Library)
- ❌ undici-5.12.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear "Proxy-Authentication" headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-02-16
URL: CVE-2024-24758
CVSS 3 Score Details (3.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Step up your Open Source Security Game with Mend here
CVE-2023-45143
Vulnerable Library - undici-5.12.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- discord.js-14.6.0.tgz (Root Library)
- ❌ undici-5.12.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear "Cookie" headers. By design, "cookie" headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-10-12
URL: CVE-2023-45143
CVSS 3 Score Details (3.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-wqq4-5wpv-mx2g
Release Date: 2023-10-12
Fix Resolution: undici - 5.26.2
Step up your Open Source Security Game with Mend here
CVE-2025-47279
Vulnerable Library - undici-5.12.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- discord.js-14.6.0.tgz (Root Library)
- ❌ undici-5.12.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.
Publish Date: 2025-05-15
URL: CVE-2025-47279
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-cxrh-j4jr-qwg3
Release Date: 2025-05-15
Fix Resolution (undici): 5.29.0
Direct dependency fix Resolution (discord.js): 14.15.0
Step up your Open Source Security Game with Mend here
CVE-2024-30261
Vulnerable Library - undici-5.12.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- discord.js-14.6.0.tgz (Root Library)
- ❌ undici-5.12.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the "integrity" option passed to "fetch()", allowing "fetch()" to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-04-04
URL: CVE-2024-30261
CVSS 3 Score Details (2.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-9qxr-qj54-h672
Release Date: 2024-04-04
Fix Resolution: undici - 6.11.1,undici - 5.28.4
Step up your Open Source Security Game with Mend here