📂 Vulnerable Library - request-2.87.0.tgz
Simplified HTTP request client.
Path to dependency file: /script/package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-72435-185255 | 🟣 Critical | 9.8 | N/A | N/A | tweetnacl-0.14.5.tgz | Transitive | N/A | ❌ | |
| CVE-814504-1548 | 🟣 Critical | 9.8 | N/A | N/A | isstream-0.1.2.tgz | Transitive | N/A | ❌ | |
| CVE-2025-7783 | 🟣 Critical | 9.4 | Not Defined | < 1% | form-data-2.3.2.tgz | Transitive | N/A | ❌ | |
| CVE-2021-3918 | 🟣 Critical | 9.3 | Not Defined | 1.2% | json-schema-0.2.3.tgz | Transitive | N/A | ❌ | |
| CVE-2020-15366 | 🟠 Medium | 6.3 | Not Defined | < 1% | ajv-5.5.2.tgz | Transitive | N/A | ❌ | |
| CVE-2023-28155 | 🟠 Medium | 5.3 | Not Defined | < 1% | request-2.87.0.tgz | Direct | @cypress/request - 3.0.0 | ✅ | |
Details
🟣CVE-72435-185255
Vulnerable Library - tweetnacl-0.14.5.tgz
Port of TweetNaCl cryptographic library to JavaScript
Library home page: https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz
Path to dependency file: /apm/package.json
Dependency Hierarchy:
- request-2.87.0.tgz (Root Library)
  - http-signature-1.2.0.tgz
    - sshpk-1.14.2.tgz
      - ❌ tweetnacl-0.14.5.tgz (Vulnerable Library)
- atom-package-manager-2.6.5.tgz (Root Library)
  - npm-6.14.17.tgz
    - request-2.88.0.tgz
      - http-signature-1.2.0.tgz
        - sshpk-1.14.2.tgz
          - ❌ tweetnacl-0.14.5.tgz (Vulnerable Library)
- settings-view-https://www.atom.io/api/packages/settings-view/versions/0.261.3/tarball.tgz (Root Library)
  - request-2.88.0.tgz
    - http-signature-1.2.0.tgz
      - sshpk-1.16.1.tgz
        - bcrypt-pbkdf-1.0.2.tgz
          - ❌ tweetnacl-0.14.5.tgz (Vulnerable Library)
- webdriverio-5.9.2.tgz (Root Library)
  - webdriver-5.9.1.tgz
    - request-2.87.0.tgz
      - http-signature-1.2.0.tgz
        - sshpk-1.14.2.tgz
          - bcrypt-pbkdf-1.0.2.tgz
            - ❌ tweetnacl-0.14.5.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-72435-185255
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-814504-1548
Vulnerable Library - isstream-0.1.2.tgz
Determine if an object is a Stream
Library home page: https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- request-2.87.0.tgz (Root Library)
  - ❌ isstream-0.1.2.tgz (Vulnerable Library)
- atom-package-manager-2.6.5.tgz (Root Library)
  - npm-6.14.17.tgz
    - request-2.88.0.tgz
      - ❌ isstream-0.1.2.tgz (Vulnerable Library)
- settings-view-https://www.atom.io/api/packages/settings-view/versions/0.261.3/tarball.tgz (Root Library)
  - request-2.88.0.tgz
    - ❌ isstream-0.1.2.tgz (Vulnerable Library)
- less-cache-1.1.0.tgz (Root Library)
  - less-2.7.3.tgz
    - request-2.81.0.tgz
      - ❌ isstream-0.1.2.tgz (Vulnerable Library)
- webdriverio-5.9.2.tgz (Root Library)
  - webdriver-5.9.1.tgz
    - request-2.87.0.tgz
      - ❌ isstream-0.1.2.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-814504-1548
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-2025-7783
Vulnerable Library - form-data-2.3.2.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.2.tgz
Path to dependency file: /script/vsts/package.json
Dependency Hierarchy:
- request-2.87.0.tgz (Root Library)
- atom-package-manager-2.6.5.tgz (Root Library)
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jul 18, 2025 04:34 PM
URL: CVE-2025-7783
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 9.4
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-2021-3918
Vulnerable Library - json-schema-0.2.3.tgz
JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /script/package.json
Dependency Hierarchy:
- request-2.87.0.tgz (Root Library)
  - http-signature-1.2.0.tgz
    - jsprim-1.4.1.tgz
      - ❌ json-schema-0.2.3.tgz (Vulnerable Library)
- settings-view-https://www.atom.io/api/packages/settings-view/versions/0.261.3/tarball.tgz (Root Library)
  - request-2.88.0.tgz
    - http-signature-1.2.0.tgz
      - jsprim-1.4.1.tgz
        - ❌ json-schema-0.2.3.tgz (Vulnerable Library)
- webdriverio-5.9.2.tgz (Root Library)
  - webdriver-5.9.1.tgz
    - request-2.87.0.tgz
      - http-signature-1.2.0.tgz
        - jsprim-1.4.1.tgz
          - ❌ json-schema-0.2.3.tgz (Vulnerable Library)
Vulnerability Details
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: Nov 13, 2021 12:00 AM
URL: CVE-2021-3918
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.2%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-896r-f27r-55mw
Release Date: Nov 13, 2021 12:00 AM
Fix Resolution : json-schema - 0.4.0
🟠CVE-2020-15366
Vulnerable Library - ajv-5.5.2.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-5.5.2.tgz
Path to dependency file: /script/package.json
Dependency Hierarchy:
- request-2.87.0.tgz (Root Library)
- webdriverio-5.9.2.tgz (Root Library)
Vulnerability Details
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: Jul 15, 2020 07:14 PM
URL: CVE-2020-15366
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-v88g-cgmw-v5xw
Release Date: Jul 15, 2020 07:14 PM
Fix Resolution : ajv - 6.12.3
🟠CVE-2023-28155
Vulnerable Library - request-2.87.0.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.87.0.tgz
Path to dependency file: /script/package.json
Dependency Hierarchy:
- ❌ request-2.87.0.tgz (Vulnerable Library)
- publish-release-1.6.0.tgz (Root Library)
  - ❌ request-2.87.0.tgz (Vulnerable Library)
- electron-chromedriver-5.0.1.tgz (Root Library)
  - electron-download-4.1.1.tgz
    - nugget-2.0.1.tgz
      - ❌ request-2.87.0.tgz (Vulnerable Library)
- webdriverio-5.9.2.tgz (Root Library)
  - webdriver-5.9.1.tgz
    - ❌ request-2.87.0.tgz (Vulnerable Library)
Vulnerability Details
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: Mar 16, 2023 12:00 AM
URL: CVE-2023-28155
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: Mar 16, 2023 12:00 AM
Fix Resolution : @cypress/request - 3.0.0