📂 Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Path to dependency file: /package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-275296-826791 | 🟣 Critical | 9.8 | N/A | N/A | qs-6.5.2.tgz | Transitive | N/A | ❌ | |
| CVE-72435-185255 | 🟣 Critical | 9.8 | N/A | N/A | tweetnacl-0.14.5.tgz | Transitive | N/A | ❌ | |
| CVE-814504-1548 | 🟣 Critical | 9.8 | N/A | N/A | isstream-0.1.2.tgz | Transitive | N/A | ❌ | |
| CVE-893166-217151 | 🟣 Critical | 9.8 | N/A | N/A | form-data-2.3.3.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2025-7783 | 🟣 Critical | 9.4 | Not Defined | < 1% | form-data-2.3.3.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2021-3918 | 🟣 Critical | 9.3 | Not Defined | 1.2% | json-schema-0.2.3.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2022-24999 | 🔴 High | 8.7 | Not Defined | 3.1% | qs-6.5.2.tgz | Transitive | N/A | ❌ | Reachable |
| WS-2018-0084 | 🔴 High | 8.0 | N/A | N/A | sshpk-1.13.1.tgz | Transitive | N/A | ❌ | |
| CVE-2023-28155 | 🟠 Medium | 5.3 | Not Defined | < 1% | request-2.88.2.tgz | Direct | @cypress/request - 3.0.0 | ✅ | Reachable |
Details
🟣 CVE-275296-826791
Vulnerable Library - qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- request-2.88.2.tgz (Root Library)
  - ❌ qs-6.5.2.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-275296-826791
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟣 CVE-72435-185255
Vulnerable Library - tweetnacl-0.14.5.tgz
Port of TweetNaCl cryptographic library to JavaScript
Library home page: https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- request-2.88.2.tgz (Root Library)
- snyk-1.434.3.tgz (Root Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-72435-185255
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟣 CVE-814504-1548
Vulnerable Library - isstream-0.1.2.tgz
Determine if an object is a Stream
Library home page: https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- request-2.88.2.tgz (Root Library)
  - ❌ isstream-0.1.2.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-814504-1548
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟣 CVE-893166-217151
Vulnerable Library - form-data-2.3.3.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- request-2.88.2.tgz (Root Library)
  - ❌ form-data-2.3.3.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/test/unit/toplevel.js (Application)
- request-2.88.2/index.js (Extension)
- request-2.88.2/request.js (Extension)
- form-data-2.3.3/lib/form_data.js (Extension)
- -> ❌ form-data-2.3.3/lib/populate.js (Vulnerable Component)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-893166-217151
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟣 CVE-2025-7783
Vulnerable Library - form-data-2.3.3.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- request-2.88.2.tgz (Root Library)
  - ❌ form-data-2.3.3.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/test/unit/toplevel.js (Application)
- request-2.88.2/index.js (Extension)
- request-2.88.2/request.js (Extension)
- -> ❌ form-data-2.3.3/lib/form_data.js (Vulnerable Component)
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with the program file lib/form_data.js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jul 18, 2025 04:34 PM
URL: CVE-2025-7783
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 9.4
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟣 CVE-2021-3918
Vulnerable Library - json-schema-0.2.3.tgz
JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- request-2.88.2.tgz (Root Library)
  - http-signature-1.2.0.tgz
    - jsprim-1.4.0.tgz
      - ❌ json-schema-0.2.3.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/test/unit/toplevel.js (Application)
- request-2.88.2/index.js (Extension)
- request-2.88.2/request.js (Extension)
- http-signature-1.2.0/lib/index.js (Extension)
- http-signature-1.2.0/lib/signer.js (Extension)
- jsprim-1.4.0/lib/jsprim.js (Extension)
- -> ❌ json-schema-0.2.3/lib/validate.js (Vulnerable Component)
Vulnerability Details
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').
Publish Date: Nov 13, 2021 12:00 AM
URL: CVE-2021-3918
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.2%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-896r-f27r-55mw
Release Date: Nov 13, 2021 12:00 AM
Fix Resolution: json-schema - 0.4.0
🔴 CVE-2022-24999
Vulnerable Library - qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- request-2.88.2.tgz (Root Library)
  - ❌ qs-6.5.2.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/test/unit/toplevel.js (Application)
- request-2.88.2/index.js (Extension)
- request-2.88.2/request.js (Extension)
- request-2.88.2/lib/querystring.js (Extension)
- -> ❌ qs-6.5.2/lib/index.js (Vulnerable Component)
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Nov 26, 2022 12:00 AM
URL: CVE-2022-24999
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 3.1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-hrpp-h998-j3pp
Release Date: Nov 26, 2022 12:00 AM
Fix Resolution: qs - 6.8.3, qs - 6.9.7, qs - 6.5.3, qs - 6.7.3, qs - 6.4.1, qs - 6.3.3, qs - 6.2.4, qs - 6.10.3, qs - 6.6.1
🔴 WS-2018-0084
Vulnerable Library - sshpk-1.13.1.tgz
A library for finding and using SSH public keys
Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- request-2.88.2.tgz (Root Library)
  - http-signature-1.2.0.tgz
    - ❌ sshpk-1.13.1.tgz (Vulnerable Library)
Vulnerability Details
Versions of sshpk before 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.
Publish Date: Apr 25, 2018 12:00 PM
URL: WS-2018-0084
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 8.0
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟠 CVE-2023-28155
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ❌ request-2.88.2.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/test/unit/toplevel.js (Application)
- request-2.88.2/index.js (Extension)
- request-2.88.2/request.js (Extension)
- -> ❌ request-2.88.2/lib/redirect.js (Vulnerable Component)
Vulnerability Details
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: Mar 16, 2023 12:00 AM
URL: CVE-2023-28155
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: Mar 16, 2023 12:00 AM
Fix Resolution: @cypress/request - 3.0.0