
bunyan-1.8.14.tgz: 6 vulnerabilities (highest severity is: 9.3) [master] (reachable) #33

@mend-developer-platform-dev

Description

📂 Vulnerable Library - bunyan-1.8.14.tgz

a JSON logging library for node.js services

Path to dependency file: /package.json

Findings

| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-44906 | 🟣 Critical | 9.3 | Not Defined | < 1% | minimist-0.0.8.tgz | Transitive | N/A | | Unreachable |
| CVE-2022-24785 | 🔴 High | 8.7 | Not Defined | < 1% | moment-2.29.1.tgz | Transitive | N/A | | Unreachable |
| CVE-2022-31129 | 🔴 High | 8.7 | Not Defined | 4.2% | moment-2.29.1.tgz | Transitive | N/A | | Unreachable |
| CVE-2022-3517 | 🔴 High | 8.7 | Not Defined | < 1% | minimatch-3.0.4.tgz | Direct | minimatch - 3.0.5 | | Reachable |
| CVE-2020-7598 | 🟠 Medium | 6.3 | Not Defined | < 1% | minimist-0.0.8.tgz | Transitive | N/A | | Unreachable |
| CVE-2025-5889 | 🟡 Low | 1.3 | Proof of concept | < 1% | brace-expansion-1.1.8.tgz | Transitive | N/A | | Reachable |

Details

🟣 CVE-2021-44906

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • handlebars-4.6.0.tgz (Root Library)
    • optimist-0.6.1.tgz
      • minimist-0.0.8.tgz (Vulnerable Library)
  • bunyan-1.8.14.tgz (Root Library)
    • mv-2.1.1.tgz
      • mkdirp-0.5.1.tgz
        • minimist-0.0.8.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: Mar 17, 2022 01:05 PM

URL: CVE-2021-44906

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 9.3


Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: Mar 17, 2022 01:05 PM

Fix Resolution: minimist - 0.2.4, minimist - 1.2.6

🔴 CVE-2022-24785

Vulnerable Library - moment-2.29.1.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.29.1.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • bunyan-1.8.14.tgz (Root Library)
    • moment-2.29.1.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Publish Date: Apr 04, 2022 12:00 AM

URL: CVE-2022-24785

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 8.7


Suggested Fix

Type: Upgrade version

Origin: GHSA-8hfj-j24r-96c4

Release Date: Apr 04, 2022 12:00 AM

Fix Resolution: Moment.js - 2.29.2, moment - 2.29.2

🔴 CVE-2022-31129

Vulnerable Library - moment-2.29.1.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.29.1.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • bunyan-1.8.14.tgz (Root Library)
    • moment-2.29.1.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. String-to-date parsing in moment (specifically the RFC 2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. A noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings to the moment constructor without sanity length checks are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, and the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting the length of dates accepted from user input.
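Both moment advisories on this page end with an input-side workaround: sanitize the user-provided locale name before it reaches moment.locale() (CVE-2022-24785), and cap the length of user-provided date strings before they reach the moment constructor (CVE-2022-31129). The following is an added example of those two guards, written for this page; it is not code from moment or from this repository. The allow-list, the locale pattern and the 64-character limit are this example's own assumptions, and moment itself is not needed to run it.

```javascript
// Added example (not moment's code): input guards for the two workarounds the
// moment advisories describe. Locale names reach moment's locale loader and
// date strings reach its O(N^2) RFC 2822 fallback parser, so both are
// validated before moment ever sees them.
// Assumptions: the allow-list, the locale pattern and the 64-character limit
// are this example's choices, not values taken from the advisories.

const ALLOWED_LOCALES = new Set(["en", "en-gb", "fr", "de", "pt-br"]); // constructed allow-list
const LOCALE_PATTERN = /^[a-z]{2,3}(?:-[a-z0-9]{2,8})*$/;           // no '/', '.', '\' can pass
const MAX_DATE_INPUT = 64;                                          // any real date string is far shorter

// CVE-2022-24785 workaround: never hand a raw, user-controlled locale name to
// moment.locale(). Normalise, check the shape, then check the allow-list.
// Returns the safe locale name, or `fallback` when the input is rejected.
function safeLocale(input, fallback = "en") {
  if (typeof input !== "string") return fallback;
  const name = input.trim().toLowerCase();
  if (!LOCALE_PATTERN.test(name)) return fallback;   // rejects "../../etc/passwd", "en/../x"
  if (!ALLOWED_LOCALES.has(name)) return fallback;   // well-formed but unknown names never reach the loader
  return name;
}

// CVE-2022-31129 workaround: bound the length of user-supplied date strings
// before they hit moment(). Returns the trimmed string when acceptable, or
// null when the caller must reject the request.
function safeDateInput(input, maxLen = MAX_DATE_INPUT) {
  if (typeof input !== "string") return null;
  const s = input.trim();
  if (s.length === 0 || s.length > maxLen) return null;
  if (/[\u0000-\u001f]/.test(s)) return null;        // control characters are never part of a date
  return s;
}

// Usage sketch at a request boundary (moment is not required to run this file):
//   moment.locale(safeLocale(req.query.lang));
//   const since = safeDateInput(req.body.since);
//   if (since === null) return res.status(400).end();
//   const when = moment(since);
```

The locale guard deliberately runs the shape check before the allow-list check: the allow-list alone would already stop traversal strings, but the pattern keeps the rejection cheap and makes the intent obvious when the allow-list is later loaded from configuration.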

Publish Date: Jul 06, 2022 12:00 AM

URL: CVE-2022-31129

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 4.2%

Score: 8.7


Suggested Fix

Type: Upgrade version

Origin: GHSA-wc69-rhjr-hc9g

Release Date: Jul 06, 2022 12:00 AM

Fix Resolution: moment - 2.29.4, Moment.js - 2.29.4

🔴 CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • bunyan-1.8.14.tgz (Root Library)
    • mv-2.1.1.tgz
      • rimraf-2.4.5.tgz
        • glob-6.0.4.tgz
          • minimatch-3.0.4.tgz (Vulnerable Library)
  • minimatch-3.0.4.tgz (Root Library, Vulnerable Library)
  • snyk-1.434.3.tgz (Root Library)
    • snyk-mvn-plugin-2.25.0.tgz
      • tmp-0.1.0.tgz
        • rimraf-2.7.1.tgz
          • glob-7.1.6.tgz
            • minimatch-3.0.4.tgz (Vulnerable Library)
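The hierarchy above is what a walk of the project's lockfile produces: the same minimatch version is reached once as a direct dependency and once through bunyan's mv > rimraf > glob chain, which is why the finding is marked Direct yet also has transitive paths. The script below is an added example, not Mend's or npm's code, that derives such chains from a package-lock.json "packages" map and flags every path ending at a version below the fix. The embedded lockfile is constructed to mirror this report's minimatch and brace-expansion entries and is not the repository's real lockfile; its dependency range strings are illustrative.

```javascript
// Added example (not Mend's or npm's code): derive a "Dependency Hierarchy"
// from a package-lock.json (lockfileVersion 2/3 "packages" map) and flag
// every chain that ends at a version below the advisory's fix.
// LOCKFILE is CONSTRUCTED to mirror this report's minimatch / brace-expansion
// entries; the range strings are illustrative, not the real manifests.

const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { bunyan: "1.8.14", minimatch: "3.0.4" } },
    "node_modules/bunyan": { version: "1.8.14", dependencies: { mv: "~2" } },
    "node_modules/mv": { version: "2.1.1", dependencies: { rimraf: "~2.4.0" } },
    "node_modules/rimraf": { version: "2.4.5", dependencies: { glob: "^6.0.1" } },
    "node_modules/glob": { version: "6.0.4", dependencies: { minimatch: "2 || 3" } },
    "node_modules/minimatch": { version: "3.0.4", dependencies: { "brace-expansion": "^1.1.7" } },
    "node_modules/brace-expansion": { version: "1.1.8" },
  },
};

// Node's resolution order for `name` required from the package at `fromPath`:
// that package's own node_modules first, then each enclosing level up to the
// project root (key ""). Returns the lockfile key, or null if absent.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Compare dotted numeric cores only (prerelease/build tags stripped), which is
// enough to answer "is this version older than the fix".
function versionLt(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Depth-first walk from the root. Every chain "a@1 > b@2 > name@v" whose last
// node is `name` at a version below `fixedIn` is returned; a chain with a single
// node is a direct dependency. `seen` holds the keys on the current chain to cut cycles.
function findVulnerableChains(lock, name, fixedIn) {
  const packages = lock.packages;
  const chains = [];
  function walk(pkgPath, chain, seen) {
    for (const dep of Object.keys(packages[pkgPath].dependencies || {})) {
      const depPath = resolveDep(packages, pkgPath, dep);
      if (depPath === null || seen.has(depPath)) continue;   // missing entry or cycle
      const next = chain.concat(dep + "@" + packages[depPath].version);
      if (dep === name && versionLt(packages[depPath].version, fixedIn)) chains.push(next.join(" > "));
      walk(depPath, next, new Set(seen).add(depPath));
    }
  }
  walk("", [], new Set([""]));
  return chains;
}

// Render chains in the report's own indented-bullet style.
function formatHierarchy(chains) {
  return chains
    .map((c) => c.split(" > ").map((node, depth) => "  ".repeat(depth) + "• " + node).join("\n"))
    .join("\n");
}
```

Calling findVulnerableChains(LOCKFILE, "minimatch", "3.0.5") yields the bunyan chain and the one-node direct chain; bumping only the direct dependency to 3.0.5 clears the second chain but not the first, which is the practical reason a Direct finding can still need a transitive fix.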

Reachability Analysis

This vulnerability is potentially reachable:

- verdaccio-2.3.1/src/lib/config.js (Application)
    -> ❌ minimatch-3.0.4/minimatch.js (Vulnerable Component)

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: Oct 17, 2022 12:00 AM

URL: CVE-2022-3517

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 8.7


Suggested Fix

Type: Upgrade version

Origin: GHSA-f8q6-p94x-37v3

Release Date: Oct 17, 2022 12:00 AM

Fix Resolution : minimatch - 3.0.5

🟠 CVE-2020-7598

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • handlebars-4.6.0.tgz (Root Library)
    • optimist-0.6.1.tgz
      • minimist-0.0.8.tgz (Vulnerable Library)
  • bunyan-1.8.14.tgz (Root Library)
    • mv-2.1.1.tgz
      • mkdirp-0.5.1.tgz
        • minimist-0.0.8.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Mend Note: The description of this vulnerability differs from MITRE.
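Both minimist findings on this page (CVE-2021-44906 above and CVE-2020-7598 here) are the same bug class: an argument parser that walks a dotted key such as --__proto__.polluted=yes into nested objects lets the attacker pick Object.prototype as the container for the final assignment. The following is an added example written for this page, not minimist's setKey() code, that reproduces that pattern in a toy parser next to the guard that closes it; parseArgs, setKeyVulnerable, setKeySafe and runDemo are this example's own names.

```javascript
// Added example (not minimist's code): the dotted-key assignment pattern behind
// CVE-2020-7598 / CVE-2021-44906, next to the guard that closes it.
// setKeyVulnerable() is intentionally unsafe; all names here are this example's.

// Walks `path` inside `obj`, creating intermediate objects, then assigns.
// Vulnerable: for ["__proto__", "polluted"] the lookup obj["__proto__"] returns
// Object.prototype, so the final assignment lands on every object in the
// process. ["constructor", "prototype", "polluted"] reaches the same place.
function setKeyVulnerable(obj, path, value) {
  let o = obj;
  for (const key of path.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[path[path.length - 1]] = value;
}

// Keys that let a path escape into Object.prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened: refuse forbidden keys anywhere in the path, and descend only into
// own, plain-object properties so an inherited value never becomes the
// container. Returns false when the assignment was rejected.
function setKeySafe(obj, path, value) {
  if (path.some((k) => FORBIDDEN_KEYS.has(k))) return false;
  let o = obj;
  for (const key of path.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, key);
    if (!own || typeof o[key] !== "object" || o[key] === null) o[key] = Object.create(null);
    o = o[key];
  }
  o[path[path.length - 1]] = value;
  return true;
}

// Minimal "--a.b=c" / "--flag" parser; `setKey` is the strategy under test.
function parseArgs(argv, setKey) {
  const out = {};
  for (const arg of argv) {
    if (!arg.startsWith("--")) continue;           // positionals are ignored in this toy
    const eq = arg.indexOf("=");
    const rawKey = eq === -1 ? arg.slice(2) : arg.slice(2, eq);
    const value = eq === -1 ? true : arg.slice(eq + 1);
    setKey(out, rawKey.split("."), value);
  }
  return out;
}

// Runs the same constructed attacker argv through both parsers and reports
// whether a fresh, unrelated object inherited "polluted" afterwards.
// Object.prototype is cleaned between the runs so the vulnerable run cannot
// mask the result of the safe one.
function runDemo() {
  const payload = ["--__proto__.polluted=yes", "--name=app"];   // constructed attacker argv
  const result = {};
  parseArgs(payload, setKeyVulnerable);
  result.vulnerable = ({}).polluted === "yes";                    // true: every object now has .polluted
  delete Object.prototype.polluted;
  parseArgs(payload, setKeySafe);
  result.hardened = ({}).polluted === "yes";                      // false: payload rejected
  return result;
}
```

The deny-list is the fix the advisories describe; the Object.create(null) intermediate containers are a second layer, so even a key that slipped past the list would have no prototype chain to climb.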

Publish Date: Mar 11, 2020 09:40 PM

URL: CVE-2020-7598

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 6.3


Suggested Fix

Type: Upgrade version

Origin: GHSA-vh95-rmgr-6w4m

Release Date: Mar 11, 2020 09:40 PM

Fix Resolution: minimist - 0.2.1, minimist - 1.2.3

🟡 CVE-2025-5889

Vulnerable Library - brace-expansion-1.1.8.tgz

Brace expansion as known from sh/bash

Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.8.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • bunyan-1.8.14.tgz (Root Library)
    • mv-2.1.1.tgz
      • rimraf-2.4.5.tgz
        • glob-6.0.4.tgz
          • minimatch-3.0.4.tgz
            • brace-expansion-1.1.8.tgz (Vulnerable Library)
  • minimatch-3.0.4.tgz (Root Library)
    • brace-expansion-1.1.8.tgz (Vulnerable Library)
  • snyk-1.434.3.tgz (Root Library)
    • snyk-mvn-plugin-2.25.0.tgz
      • glob-7.1.6.tgz
        • minimatch-3.0.4.tgz
          • brace-expansion-1.1.8.tgz (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- verdaccio-2.3.1/src/lib/config.js (Application)
    - minimatch-3.0.4/minimatch.js (Extension)
        -> ❌ brace-expansion-1.1.8/index.js (Vulnerable Component)

Vulnerability Details

A vulnerability was found in juliangruber brace-expansion up to 1.1.11. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to apply a patch to fix this issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Jun 09, 2025 06:16 PM

URL: CVE-2025-5889

Threat Assessment

Exploit Maturity: Proof of concept

EPSS: < 1%

Score: 1.3


Suggested Fix

Type: Upgrade version

Origin: GHSA-v6h2-p8h4-qcjw

Release Date: Jun 09, 2025 06:16 PM

Fix Resolution: brace-expansion - 4.0.1, https://github.com/juliangruber/brace-expansion.git - no_fix, brace-expansion - 3.0.1, brace-expansion - 2.0.2, brace-expansion - 1.1.12
