📂 Vulnerable Library - cypress-3.1.2.tgz
Cypress client library for visual testing with Percy
Path to dependency file: /tests/e2e/package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-121740-819191 | 🟣 Critical | 9.8 | N/A | N/A | lodash-4.17.21.tgz | Direct | N/A | ❌ | |
| CVE-295712-399081 | 🟣 Critical | 9.8 | N/A | N/A | asn1-0.2.6.tgz | Transitive | N/A | ❌ | |
| CVE-72435-185255 | 🟣 Critical | 9.8 | N/A | N/A | tweetnacl-0.14.5.tgz | Transitive | N/A | ❌ | |
| CVE-814504-1548 | 🟣 Critical | 9.8 | N/A | N/A | isstream-0.1.2.tgz | Transitive | N/A | ❌ | |
| CVE-893166-217151 | 🟣 Critical | 9.8 | N/A | N/A | form-data-2.3.3.tgz | Transitive | N/A | ❌ | |
| CVE-2025-7783 | 🟣 Critical | 9.4 | Not Defined | < 1% | form-data-2.3.3.tgz | Transitive | N/A | ❌ | |
| CVE-2025-54798 | 🟡 Low | 2.0 | Not Defined | < 1% | tmp-0.2.1.tgz | Transitive | N/A | ❌ | |
Details
🟣CVE-121740-819191
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
- admin-extension-sdk-3.0.15.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- e2e-testsuite-platform-7.0.5.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- webpack-bundle-analyzer-3.9.0.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- lighthouse-9.6.8.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- test-utils-1.3.6.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- ❌ lodash-4.17.21.tgz (Vulnerable Library)
- cypress-3.1.2.tgz (Root Library)
  - cypress-12.17.4.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- webpack-dev-server-3.11.3.tgz (Root Library)
  - http-proxy-middleware-0.19.1.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- cli-0.9.0.tgz (Root Library)
  - inquirer-6.5.2.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- admin-extension-sdk-3.0.13.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- mocha-7.2.0.tgz (Root Library)
  - yargs-unparser-1.6.0.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- cypress-multi-reporters-1.6.2.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- webpack-merge-4.2.2.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- webpack-plugin-injector-1.0.7.tgz (Root Library)
  - webpack-merge-4.2.2.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- cli-0.11.0.tgz (Root Library)
  - inquirer-6.5.2.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- optimize-css-assets-webpack-plugin-5.0.8.tgz (Root Library)
  - last-call-webpack-plugin-3.0.0.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-121740-819191
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-295712-399081
Vulnerable Library - asn1-0.2.6.tgz
Contains parsers and serializers for ASN.1 (currently BER only)
Library home page: https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
- cypress-3.1.2.tgz (Root Library)
  - cypress-12.17.4.tgz
    - request-2.88.12.tgz
      - http-signature-1.3.6.tgz
        - sshpk-1.17.0.tgz
          - ❌ asn1-0.2.6.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-295712-399081
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-72435-185255
Vulnerable Library - tweetnacl-0.14.5.tgz
Port of TweetNaCl cryptographic library to JavaScript
Library home page: https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
- cypress-3.1.2.tgz (Root Library)
  - cypress-12.17.4.tgz
    - request-2.88.12.tgz
      - http-signature-1.3.6.tgz
        - sshpk-1.17.0.tgz
          - ❌ tweetnacl-0.14.5.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-72435-185255
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-814504-1548
Vulnerable Library - isstream-0.1.2.tgz
Determine if an object is a Stream
Library home page: https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
- cypress-3.1.2.tgz (Root Library)
  - cypress-12.17.4.tgz
    - request-2.88.12.tgz
      - ❌ isstream-0.1.2.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-814504-1548
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-893166-217151
Vulnerable Library - form-data-2.3.3.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
- cypress-3.1.2.tgz (Root Library)
  - cypress-12.17.4.tgz
    - request-2.88.12.tgz
      - ❌ form-data-2.3.3.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-893166-217151
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-2025-7783
Vulnerable Library - form-data-2.3.3.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
- cypress-3.1.2.tgz (Root Library)
  - cypress-12.17.4.tgz
    - request-2.88.12.tgz
      - ❌ form-data-2.3.3.tgz (Vulnerable Library)
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jul 18, 2025 04:34 PM
URL: CVE-2025-7783
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 9.4
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟡CVE-2025-54798
Vulnerable Library - tmp-0.2.1.tgz
Temporary file and directory creator
Library home page: https://registry.npmjs.org/tmp/-/tmp-0.2.1.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
- cypress-3.1.2.tgz (Root Library)
  - cypress-12.17.4.tgz
    - ❌ tmp-0.2.1.tgz (Vulnerable Library)
Vulnerability Details
tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4.
Publish Date: Aug 07, 2025 12:04 AM
URL: CVE-2025-54798
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 2.0
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/CVE-2025-54798
Release Date: Aug 07, 2025 12:04 AM
Fix Resolution : https://github.com/raszi/node-tmp.git - no_fix