📂 Vulnerable Library - body-parser-1.18.3.tgz
Node.js body parsing middleware
Path to dependency file: /package.json
Findings
| Finding |
Severity |
🎯 CVSS |
Exploit Maturity |
EPSS |
Library |
Type |
Fixed in |
Remediation Available |
Reachability |
| CVE-154062-641864 |
🟣 Critical |
9.8 |
N/A |
N/A |
ee-first-1.1.1.tgz |
Transitive |
N/A |
❌ |
|
| CVE-275296-826791 |
🟣 Critical |
9.8 |
N/A |
N/A |
qs-6.5.2.tgz |
Transitive |
N/A |
❌ |
|
| CVE-587792-470342 |
🟣 Critical |
9.8 |
N/A |
N/A |
on-finished-2.3.0.tgz |
Transitive |
N/A |
❌ |
|
| CVE-2022-24999 |
🔴 High |
8.7 |
Not Defined |
3.1% |
qs-6.5.2.tgz |
Transitive |
N/A |
❌ |
 Reachable |
Details
🟣CVE-154062-641864
Vulnerable Library - ee-first-1.1.1.tgz
return the first event in a set of ee/event pairs
Library home page: https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- body-parser-1.18.3.tgz (Root Library)
- on-finished-2.3.0.tgz
- ❌ ee-first-1.1.1.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-154062-641864
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-275296-826791
Vulnerable Library - qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-275296-826791
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-587792-470342
Vulnerable Library - on-finished-2.3.0.tgz
Execute a callback when a request closes, finishes, or errors
Library home page: https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
-
express-4.16.4.tgz (Root Library)
- ❌ on-finished-2.3.0.tgz (Vulnerable Library)
-
helmet-2.3.0.tgz (Root Library)
- connect-3.4.1.tgz
- finalhandler-0.4.1.tgz
- ❌ on-finished-2.3.0.tgz (Vulnerable Library)
-
body-parser-1.18.3.tgz (Root Library)
- ❌ on-finished-2.3.0.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-587792-470342
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2022-24999
Vulnerable Library - qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
- owasp-nodejs-goat-1.3.0/server.js (Application)
- body-parser-1.18.3/index.js (Extension)
- body-parser-1.18.3/lib/types/urlencoded.js (Extension)
- qs-6.5.2/lib/index.js (Extension)
- qs-6.5.2/lib/stringify.js (Extension)
-> ❌ qs-6.5.2/lib/utils.js (Vulnerable Component)
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Nov 26, 2022 12:00 AM
URL: CVE-2022-24999
Threat Assessment
Exploit Maturity:Not Defined
EPSS:3.1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-hrpp-h998-j3pp
Release Date: Nov 26, 2022 12:00 AM
Fix Resolution : qs - 6.6.1,qs - 6.10.3,qs - 6.2.4,qs - 6.8.3,qs - 6.3.3,qs - 6.4.1,qs - 6.7.3,qs - 6.5.3,qs - 6.9.7
📂 Vulnerable Library - body-parser-1.18.3.tgz
Node.js body parsing middleware
Path to dependency file: /package.json
Findings
Details
🟣CVE-154062-641864
Vulnerable Library - ee-first-1.1.1.tgz
return the first event in a set of ee/event pairs
Library home page: https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-154062-641864
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-275296-826791
Vulnerable Library - qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
express-4.16.4.tgz (Root Library)
body-parser-1.18.3.tgz (Root Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-275296-826791
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-587792-470342
Vulnerable Library - on-finished-2.3.0.tgz
Execute a callback when a request closes, finishes, or errors
Library home page: https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
express-4.16.4.tgz (Root Library)
helmet-2.3.0.tgz (Root Library)
body-parser-1.18.3.tgz (Root Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-587792-470342
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2022-24999
Vulnerable Library - qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
express-4.16.4.tgz (Root Library)
body-parser-1.18.3.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Nov 26, 2022 12:00 AM
URL: CVE-2022-24999
Threat Assessment
Exploit Maturity:Not Defined
EPSS:3.1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-hrpp-h998-j3pp
Release Date: Nov 26, 2022 12:00 AM
Fix Resolution : qs - 6.6.1,qs - 6.10.3,qs - 6.2.4,qs - 6.8.3,qs - 6.3.3,qs - 6.4.1,qs - 6.7.3,qs - 6.5.3,qs - 6.9.7