📂 Vulnerable Library - prebuild-install-5.3.3.tgz
A command line tool to easily install prebuilt binaries for multiple version of node/iojs on a specific platform
Path to dependency file: /script/package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-289561-266276 | 🟣 Critical | 9.8 | N/A | N/A | inherits-2.0.4.tgz | Transitive | N/A | ❌ | |
| CVE-495493-603164 | 🟣 Critical | 9.8 | N/A | N/A | delegates-1.0.0.tgz | Transitive | N/A | ❌ | |
| CVE-2022-0355 | 🔴 High | 8.7 | Not Defined | < 1% | simple-get-3.1.0.tgz | Transitive | N/A | ❌ | |
| CVE-2025-59343 | 🔴 High | 8.7 | Not Defined | < 1% | tar-fs-2.0.0.tgz | Transitive | N/A | ❌ | |
| CVE-2020-8244 | 🟠 Medium | 6.9 | Not Defined | < 1% | bl-3.0.0.tgz | Transitive | N/A | ❌ | |
Details
🟣CVE-289561-266276
Vulnerable Library - inherits-2.0.4.tgz
Browser-friendly inheritance fully compatible with standard node.js inherits()
Library home page: https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz
Path to dependency file: /script/package.json
Dependency Hierarchy:
- glob-7.1.6.tgz (Root Library)
  - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- fstream-1.0.12.tgz (Root Library)
  - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- express-4.18.2.tgz (Root Library)
  - http-errors-2.0.0.tgz
  - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- settings-view-https://www.atom.io/api/packages/settings-view/versions/0.261.3/tarball.tgz (Root Library)
  - glob-4.3.1.tgz
  - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- markdown-preview-https://www.atom.io/api/packages/markdown-preview/versions/0.160.2/tarball.tgz (Root Library)
  - cheerio-1.0.0-rc.3.tgz
  - htmlparser2-3.10.1.tgz
  - readable-stream-3.4.0.tgz
  - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- npm-8.19.2.tgz (Root Library)
  - node-gyp-9.1.0.tgz
  - glob-7.2.3.tgz
  - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- babel-core-5.8.38.tgz (Root Library)
  - regenerator-0.8.40.tgz
  - commoner-0.10.8.tgz
  - glob-5.0.15.tgz
  - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- mocha-10.2.0.tgz (Root Library)
  - glob-7.2.0.tgz
  - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- jasmine-tagged-1.1.4.tgz (Root Library)
  - jasmine-focused-1.0.7.tgz
- archive-view-https://www.atom.io/api/packages/archive-view/versions/0.65.2/tarball.tgz (Root Library)
  - ls-archive-1.3.4.tgz
  - tar-2.2.2.tgz
  - block-stream-0.0.9.tgz
  - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- prebuild-install-5.3.3.tgz (Root Library)
  - tar-fs-2.0.0.tgz
  - tar-stream-2.1.0.tgz
  - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- fs-plus-3.1.1.tgz (Root Library)
  - rimraf-2.7.1.tgz
  - glob-7.2.3.tgz
  - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- atom-package-manager-2.6.5.tgz (Root Library)
  - asar-require-0.3.0.tgz
  - asar-0.12.1.tgz
  - mksnapshot-0.3.5.tgz
  - decompress-zip-0.3.3.tgz
  - readable-stream-1.1.14.tgz
  - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- text-buffer-13.18.6.tgz (Root Library)
  - fs-admin-0.19.0.tgz
  - prebuild-install-6.1.3.tgz
  - tar-fs-2.1.1.tgz
  - tar-stream-2.2.0.tgz
  - bl-4.1.0.tgz
  - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- fs-admin-0.19.0.tgz (Root Library)
  - prebuild-install-6.1.3.tgz
  - tar-fs-2.1.1.tgz
  - tar-stream-2.2.0.tgz
  - bl-4.1.0.tgz
  - ❌ inherits-2.0.4.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-289561-266276
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟣CVE-495493-603164
Vulnerable Library - delegates-1.0.0.tgz
delegate methods and accessors to another property
Library home page: https://registry.npmjs.org/delegates/-/delegates-1.0.0.tgz
Path to dependency file: /script/package.json
Dependency Hierarchy:
- prebuild-install-5.3.3.tgz (Root Library)
  - npmlog-4.1.2.tgz
  - are-we-there-yet-1.1.5.tgz
  - ❌ delegates-1.0.0.tgz (Vulnerable Library)
- atom-package-manager-2.6.5.tgz (Root Library)
  - npm-6.14.17.tgz
  - npmlog-4.1.2.tgz
  - are-we-there-yet-1.1.4.tgz
  - ❌ delegates-1.0.0.tgz (Vulnerable Library)
- npm-8.19.2.tgz (Root Library)
  - npmlog-6.0.2.tgz
  - are-we-there-yet-3.0.1.tgz
  - ❌ delegates-1.0.0.tgz (Vulnerable Library)
- fs-admin-0.12.0.tgz (Root Library)
  - prebuild-install-5.3.3.tgz
  - npmlog-4.1.2.tgz
  - are-we-there-yet-1.1.5.tgz
  - ❌ delegates-1.0.0.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-495493-603164
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴CVE-2022-0355
Vulnerable Library - simple-get-3.1.0.tgz
Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in < 100 lines.
Library home page: https://registry.npmjs.org/simple-get/-/simple-get-3.1.0.tgz
Path to dependency file: /script/package.json
Dependency Hierarchy:
- prebuild-install-5.3.3.tgz (Root Library)
  - ❌ simple-get-3.1.0.tgz (Vulnerable Library)
- text-buffer-13.18.6.tgz (Root Library)
  - fs-admin-0.19.0.tgz
  - prebuild-install-6.1.3.tgz
  - ❌ simple-get-3.1.0.tgz (Vulnerable Library)
- fs-admin-0.12.0.tgz (Root Library)
  - prebuild-install-5.3.3.tgz
  - ❌ simple-get-3.1.0.tgz (Vulnerable Library)
- fs-admin-0.19.0.tgz (Root Library)
  - prebuild-install-6.1.3.tgz
  - ❌ simple-get-3.1.0.tgz (Vulnerable Library)
Vulnerability Details
Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1.
Publish Date: Jan 26, 2022 12:00 AM
URL: CVE-2022-0355
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-wpg7-2c88-r8xv
Release Date: Jan 26, 2022 12:00 AM
Fix Resolution: simple-get - 2.8.2, simple-get - 3.1.1, simple-get - 4.0.1
🔴CVE-2025-59343
Vulnerable Library - tar-fs-2.0.0.tgz
filesystem bindings for tar-stream
Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.0.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- prebuild-install-5.3.3.tgz (Root Library)
- fs-admin-0.12.0.tgz (Root Library)
Vulnerability Details
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves using the ignore option on non files/directories.
Publish Date: Sep 24, 2025 05:43 PM
URL: CVE-2025-59343
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/CVE-2025-59343
Release Date: Sep 24, 2025 05:43 PM
Fix Resolution: https://github.com/mafintosh/tar-fs.git - no_fix, tar-fs - 1.16.6, tar-fs - 2.1.4, tar-fs - 3.1.1
🟠CVE-2020-8244
Vulnerable Library - bl-3.0.0.tgz
Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!
Library home page: https://registry.npmjs.org/bl/-/bl-3.0.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- prebuild-install-5.3.3.tgz (Root Library)
- tar-fs-2.0.0.tgz
- tar-stream-2.1.0.tgz
- ❌ bl-3.0.0.tgz (Vulnerable Library)
Vulnerability Details
A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
Publish Date: Aug 30, 2020 01:43 PM
URL: CVE-2020-8244
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-pp7h-53gx-mx7r
Release Date: Aug 30, 2020 01:43 PM
Fix Resolution: bl - 4.0.3, bl - 3.0.1, bl - 2.2.1, bl - 1.2.3