📂 Vulnerable Library - express-fileupload-0.4.0.tgz
Simple express file upload middleware that wraps around Busboy
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-fileupload/package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-289561-266276 | 🟣 Critical | 9.8 | N/A | N/A | inherits-2.0.4.tgz | Transitive | N/A | ❌ | |
| CVE-2020-7699 | 🔴 High | 8.7 | Not Defined | 4.1% | express-fileupload-0.4.0.tgz | Direct | express-fileupload - 1.1.9 | ✅ | Reachable |
| CVE-2022-24434 | 🔴 High | 7.7 | Functional | 2.7% | dicer-0.2.5.tgz | Transitive | N/A | ❌ | Reachable |
| WS-2019-0314 | 🟠 Medium | 5.3 | N/A | N/A | express-fileupload-0.4.0.tgz | Direct | express-fileupload - 1.1.6-alpha.6 | ✅ | Reachable |
Details
🟣 CVE-289561-266276
Vulnerable Library - inherits-2.0.4.tgz
Browser-friendly inheritance fully compatible with standard node.js inherits()
Library home page: https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/inherits/package.json
Dependency Hierarchy:
- csurf-1.11.0.tgz (Root Library)
  - http-errors-1.7.3.tgz
    - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- libxmljs-0.19.10.tgz (Root Library)
  - node-pre-gyp-1.0.11.tgz
    - npmlog-5.0.1.tgz
      - are-we-there-yet-2.0.0.tgz
        - readable-stream-3.6.2.tgz
          - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- bcrypt-1.0.3.tgz (Root Library)
  - node-pre-gyp-0.6.36.tgz
    - tar-pack-3.4.1.tgz
      - readable-stream-2.3.8.tgz
        - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- express-fileupload-0.4.0.tgz (Root Library)
  - busboy-0.2.14.tgz
    - readable-stream-1.1.14.tgz
      - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- express-4.21.2.tgz (Root Library)
  - send-0.19.0.tgz
    - http-errors-2.0.0.tgz
      - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- winston-3.18.3.tgz (Root Library)
  - winston-transport-4.9.0.tgz
    - readable-stream-3.6.2.tgz
      - ❌ inherits-2.0.4.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-289561-266276
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴 CVE-2020-7699
Vulnerable Library - express-fileupload-0.4.0.tgz
Simple express file upload middleware that wraps around Busboy
Library home page: https://registry.npmjs.org/express-fileupload/-/express-fileupload-0.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-fileupload/package.json
Dependency Hierarchy:
- ❌ express-fileupload-0.4.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- dvna-0.0.1/server.js (Application)
  -> ❌ express-fileupload-0.4.0/lib/index.js (Vulnerable Component)
Vulnerability Details
This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.
Publish Date: Jul 30, 2020 09:05 AM
URL: CVE-2020-7699
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 4.1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-9wcg-jrwf-8gg7
Release Date: Jul 30, 2020 09:05 AM
Fix Resolution: express-fileupload - 1.1.9
🔴 CVE-2022-24434
Vulnerable Library - dicer-0.2.5.tgz
A very fast streaming multipart parser for node.js
Library home page: https://registry.npmjs.org/dicer/-/dicer-0.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/dicer/package.json
Dependency Hierarchy:
- express-fileupload-0.4.0.tgz (Root Library)
  - busboy-0.2.14.tgz
    - ❌ dicer-0.2.5.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- dvna-0.0.1/server.js (Application)
  - express-fileupload-0.4.0/lib/index.js (Extension)
    - busboy-0.2.14/lib/main.js (Extension)
      - busboy-0.2.14/lib/types/multipart.js (Extension)
        - dicer-0.2.5/lib/Dicer.js (Extension)
          -> ❌ dicer-0.2.5/lib/HeaderParser.js (Vulnerable Component)
Vulnerability Details
This affects all versions of package dicer. A malicious attacker can send a modified form to the server and crash the Node.js service. An attacker could send the payload again and again so that the service continuously crashes.
Publish Date: May 20, 2022 08:05 PM
URL: CVE-2022-24434
Threat Assessment
Exploit Maturity: Functional
EPSS: 2.7%
Score: 7.7
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-24434
Release Date: May 20, 2022 08:05 PM
Fix Resolution: no_fix
🟠 WS-2019-0314
Vulnerable Library - express-fileupload-0.4.0.tgz
Simple express file upload middleware that wraps around Busboy
Library home page: https://registry.npmjs.org/express-fileupload/-/express-fileupload-0.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-fileupload/package.json
Dependency Hierarchy:
- ❌ express-fileupload-0.4.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- dvna-0.0.1/server.js (Application)
  -> ❌ express-fileupload-0.4.0/lib/index.js (Vulnerable Component)
Vulnerability Details
In "richardgirges/express-fileupload", versions prior to v1.1.6-alpha.6 are vulnerable to DoS as a result of an unparsed file name.
Publish Date: Oct 18, 2019 11:07 AM
URL: WS-2019-0314
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1216
Release Date: Oct 18, 2019 11:07 AM
Fix Resolution: express-fileupload - 1.1.6-alpha.6