📂 Vulnerable Library - terser-webpack-plugin-4.2.3.tgz
Terser plugin for webpack
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2026-23950 | 🔴 High | 8.8 | Not Defined | < 1% | tar-6.1.6.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2021-37701 | 🔴 High | 8.2 | Not Defined | < 1% | tar-6.1.6.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2021-37712 | 🔴 High | 8.2 | Not Defined | < 1% | tar-6.1.6.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2021-37713 | 🔴 High | 8.2 | Not Defined | < 1% | tar-6.1.6.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-24842 | 🔴 High | 8.2 | Not Defined | < 1% | tar-6.1.6.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-23745 | 🔴 High | 7.1 | Not Defined | < 1% | tar-6.1.6.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-26960 | 🔴 High | 7.1 | Not Defined | < 1% | tar-6.1.6.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-29786 | 🔴 High | 7.1 | Not Defined | < 1% | tar-6.1.6.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-31802 | 🔴 High | 7.1 | Not Defined | < 1% | tar-6.1.6.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2024-28863 | 🟠 Medium | 6.5 | Not Defined | < 1% | tar-6.1.6.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2024-43788 | 🟠 Medium | 6.4 | Not Defined | 1.8% | webpack-4.46.0.tgz | Direct | webpack - 5.94.0 | ✅ | Unreachable |
| CVE-2026-34043 | 🟠 Medium | 5.9 | Not Defined | < 1% | serialize-javascript-5.0.1.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2024-11831 | 🟠 Medium | 5.4 | Not Defined | 1.1% | serialize-javascript-5.0.1.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2022-25858 | 🟠 Medium | 5.3 | Not Defined | 3.6% | terser-5.6.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2022-25883 | 🟠 Medium | 5.3 | Proof of concept | < 1% | semver-6.3.0.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2025-69873 | 🟡 Low | 2.9 | Not Defined | < 1% | ajv-6.12.5.tgz | Transitive | N/A | ❌ | Unreachable |
Details
🔴CVE-2026-23950
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
- copy-webpack-plugin-6.4.1.tgz (Root Library)
- terser-webpack-plugin-4.2.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
node-tar, a tar implementation for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the "path-reservations" system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, on which it has been tested), the library fails to lock colliding paths (e.g., "ß" and "ss"), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a "PathReservations" system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using "NFD" Unicode normalization (in which "ß" and "ss" are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS, in which "ß" causes an inode collision with "ss"). This enables an attacker to circumvent internal parallelization locks ("PathReservations") using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates "path-reservations.js" to use a normalization form that matches the target filesystem's behavior (e.g., "NFKD"), followed by first "toLocaleLowerCase('en')" and then "toLocaleUpperCase('en')". As a workaround, users who cannot upgrade promptly, and who are programmatically using "node-tar" to extract arbitrary tarball data, should filter out all "SymbolicLink" entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
Publish Date: Jan 20, 2026 12:40 AM
URL: CVE-2026-23950
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.8
Suggested Fix
Type: Upgrade version
Origin: GHSA-r6q2-hw4h-h46w
Release Date: Jan 20, 2026 12:40 AM
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.4, tar - 7.5.4
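The reservation key the patch is described as using, as an added example (my code, not node-tar's source): it builds the key with NFKD, then toLocaleLowerCase('en'), then toLocaleUpperCase('en'), and groups constructed archive entry names that would land on the same file under that key, next to the NFD-only key the unpatched logic effectively used. The entry names are constructed; `reservationKey`, `legacyKey` and `collidingGroups` are names of my own.

```javascript
'use strict';
// Added example, not node-tar's source. Models the path-reservation key that the
// CVE-2026-23950 fix is described as using (NFKD -> toLocaleLowerCase('en') ->
// toLocaleUpperCase('en')) and shows which constructed archive entry names collide
// under it versus under NFD alone. Function and constant names are my own.

// Key from the patched reservation logic, per the advisory text.
function reservationKey(name) {
  return name.normalize('NFKD').toLocaleLowerCase('en').toLocaleUpperCase('en');
}

// Key the pre-7.5.4 logic effectively used (NFD only), for contrast.
function legacyKey(name) {
  return name.normalize('NFD');
}

// Group archive entry paths that map to the same key, segment by segment, so
// "Stra\u00dfe/x" and "strasse/x" are caught as well as bare "\u00df" vs "ss".
// Returns only the groups that contain more than one path.
function collidingGroups(paths, keyFn = reservationKey) {
  const groups = new Map();
  for (const p of paths) {
    const key = p.split('/').map(keyFn).join('/');
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(p);
  }
  return [...groups.values()].filter((g) => g.length > 1);
}

// Constructed entry names of a hypothetical malicious archive (Unicode escapes
// keep the source unambiguous): the advisory's "\u00df" (sharp s) vs "ss", a
// "\ufb01" (fi ligature) vs "fi" pair, and a composed vs decomposed "\u00e9".
const ENTRY_NAMES = [
  'lib/\u00df', 'lib/ss', 'lib/SS',
  'docs/\ufb01le.txt', 'docs/file.txt',
  'caf\u00e9/a', 'cafe\u0301/a',
  'README',
];

// Lower-then-upper matters: U+1E9E (capital sharp s) only reaches "SS" via "\u00df".
function demo() {
  return {
    patched: collidingGroups(ENTRY_NAMES, reservationKey),
    legacy: collidingGroups(ENTRY_NAMES, legacyKey),
  };
}

module.exports = { reservationKey, legacyKey, collidingGroups, ENTRY_NAMES, demo };
```

Under the patched key the sharp-s trio, the ligature pair and the accent pair all collide, so the reservation system serialises them; under NFD only the accent pair does, which is the gap the advisory describes for "ß" versus "ss" on APFS.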
🔴CVE-2021-37701
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
- copy-webpack-plugin-6.4.1.tgz (Root Library)
- terser-webpack-plugin-4.2.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both "\" and "/" characters as path separators, however "\" is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at "FOO", followed by a symbolic link named "foo", then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but not from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the "FOO" directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Aug 31, 2021 12:00 AM
URL: CVE-2021-37701
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-9r2w-394v-53qc
Release Date: Aug 31, 2021 12:00 AM
Fix Resolution: tar - 4.4.16, 5.0.8, 6.1.7
🔴CVE-2021-37712
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.
Publish Date: Aug 31, 2021 12:00 AM
URL: CVE-2021-37712
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-qq89-hq3f-393p
Release Date:
Fix Resolution: tar - 4.4.18, 5.0.10, 6.1.9
🔴CVE-2021-37713
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain ".." path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as "C:some\path". If the drive letter does not match the extraction target, for example "D:\extraction\dir", then the result of "path.resolve(extractionDirectory, entryPath)" would resolve against the current working directory on the "C:" drive, rather than the extraction target directory. Additionally, a ".." portion of the path could occur immediately after the drive letter, such as "C:../foo", and was not properly sanitized by the logic that checked for ".." within the normalized and split portions of the path. This only affects users of "node-tar" on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Aug 31, 2021 04:50 PM
URL: CVE-2021-37713
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-5955-9wpr-37jh
Release Date: Aug 31, 2021 04:50 PM
Fix Resolution: tar - 4.4.18, 5.0.10, 6.1.9
🔴CVE-2026-24842
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
node-tar, a tar implementation for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Publish Date: Jan 28, 2026 12:20 AM
URL: CVE-2026-24842
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin: isaacs/node-tar@f4a7aa9
Release Date: Jan 28, 2026 12:20 AM
Fix Resolution: tar - 7.5.7, https://github.com/isaacs/node-tar.git - v7.5.7
🔴CVE-2026-23745
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Publish Date: Jan 16, 2026 10:00 PM
URL: CVE-2026-23745
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.1
Suggested Fix
Type: Upgrade version
Origin: isaacs/node-tar@340eb28
Release Date: Jan 16, 2026 10:00 PM
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.3
🔴CVE-2026-26960
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Publish Date: Feb 20, 2026 01:07 AM
URL: CVE-2026-26960
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.1
Suggested Fix
Type: Upgrade version
Origin: isaacs/node-tar@d18e4e1
Release Date: Feb 18, 2026 02:28 AM
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.8, tar - 7.5.8
🔴CVE-2026-29786
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
Publish Date: Mar 07, 2026 03:32 PM
URL: CVE-2026-29786
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.1
Suggested Fix
Type: Upgrade version
Origin: isaacs/node-tar@7bc755d
Release Date: Mar 07, 2026 03:32 PM
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.10
🔴CVE-2026-31802
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Publish Date: Mar 09, 2026 09:11 PM
URL: CVE-2026-31802
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.1
Suggested Fix
Type: Upgrade version
Origin: isaacs/node-tar@f48b5fa
Release Date: Mar 09, 2026 09:11 PM
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.11
🟠CVE-2024-28863
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
node-tar is a tar implementation for Node.js. Prior to version 6.2.1, node-tar has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within a few seconds of running it, using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
Publish Date: Mar 21, 2024 10:10 PM
URL: CVE-2024-28863
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution: tar - 6.2.1
🟠CVE-2024-43788
Vulnerable Library - webpack-4.46.0.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-4.46.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
- ❌ webpack-4.46.0.tgz (Vulnerable Library)
- worker-loader-3.0.4.tgz (Root Library)
  - ❌ webpack-4.46.0.tgz (Vulnerable Library)
- webpack-dev-server-3.11.3.tgz (Root Library)
  - ❌ webpack-4.46.0.tgz (Vulnerable Library)
- optimize-css-assets-webpack-plugin-5.0.8.tgz (Root Library)
  - ❌ webpack-4.46.0.tgz (Vulnerable Library)
- webpack-plugin-injector-1.0.6.tgz (Root Library)
  - copy-webpack-plugin-5.1.2.tgz
    - ❌ webpack-4.46.0.tgz (Vulnerable Library)
- copy-webpack-plugin-6.4.1.tgz (Root Library)
  - ❌ webpack-4.46.0.tgz (Vulnerable Library)
- terser-webpack-plugin-4.2.3.tgz (Root Library)
  - ❌ webpack-4.46.0.tgz (Vulnerable Library)
- webpack-cli-3.3.12.tgz (Root Library)
  - ❌ webpack-4.46.0.tgz (Vulnerable Library)
- ts-loader-8.4.0.tgz (Root Library)
  - ❌ webpack-4.46.0.tgz (Vulnerable Library)
- fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
  - ❌ webpack-4.46.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s "AutoPublicPathRuntimeModule". The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an "img" tag with an unsanitized "name" attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: Aug 27, 2024 05:07 PM
URL: CVE-2024-43788
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.8%
Score: 6.4
Suggested Fix
Type: Upgrade version
Origin: GHSA-4vvj-4cpr-p986
Release Date: Aug 27, 2024 05:07 PM
Fix Resolution: webpack - 5.94.0
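A simplified model of the gadget, as an added example (my code, not webpack's source): browsers expose named elements such as `<img name="currentScript">` as properties of `document`, shadowing the built-in `document.currentScript`, so a runtime that derives the public path from `document.currentScript.src` ends up loading chunks from the attacker's host. The fake `document` objects are constructed so the example runs under Node; the check that `currentScript` is really a `<script>` element is my reading of what the 5.94.0 fix adds, and the origin pinning is an extra defence of my own.

```javascript
'use strict';
// Added example, not webpack's source: a simplified model of the DOM Clobbering
// gadget in AutoPublicPathRuntimeModule (CVE-2024-43788) and of a hardened
// version. Browsers expose named elements such as <img name="currentScript"> as
// properties of `document`, shadowing the built-in document.currentScript; the
// fake documents below model that so the example runs under Node. The tagName
// check is my reading of the upstream fix; origin pinning is my own addition.

// Strip query/fragment and the file name: ".../js/main.js?x#y" -> ".../js/".
function directoryOf(url) {
  return url.replace(/#.*$/, '').replace(/\?.*$/, '').replace(/\/[^\/]+$/, '/');
}

// Gadget shape: trust whatever document.currentScript is, fall back to the last
// <script> on the page. With a clobbered currentScript the attacker's <img src>
// becomes the public path, so lazily loaded chunks are fetched from their host.
function vulnerablePublicPath(doc) {
  let scriptUrl;
  if (doc.currentScript) scriptUrl = doc.currentScript.src;
  if (!scriptUrl) {
    const scripts = doc.getElementsByTagName('script');
    if (scripts.length) scriptUrl = scripts[scripts.length - 1].src;
  }
  if (!scriptUrl) throw new Error('Automatic publicPath is not supported in this browser');
  return directoryOf(scriptUrl);
}

// Hardened: only a real <script> element counts, and the result must sit on the
// origin the bundle was served from.
function hardenedPublicPath(doc, allowedOrigin) {
  let scriptUrl;
  const current = doc.currentScript;
  if (current && String(current.tagName).toUpperCase() === 'SCRIPT') scriptUrl = current.src;
  if (!scriptUrl) {
    const scripts = doc.getElementsByTagName('script');
    if (scripts.length) scriptUrl = scripts[scripts.length - 1].src;
  }
  if (!scriptUrl) throw new Error('Automatic publicPath is not supported in this browser');
  const publicPath = directoryOf(scriptUrl);
  if (allowedOrigin && !publicPath.startsWith(allowedOrigin + '/')) {
    throw new Error(`refusing off-origin public path: ${publicPath}`);
  }
  return publicPath;
}

// Minimal stand-in for a browser document. Named elements are assigned last so
// they win over the genuine currentScript, as they do in browsers.
function makeDocument(scripts, namedElements = [], currentScript = scripts[scripts.length - 1]) {
  const doc = {
    currentScript,
    getElementsByTagName: (tag) => (tag === 'script' ? scripts : []),
  };
  for (const el of namedElements) doc[el.name] = el;
  return doc;
}

// Constructed elements: the legitimate bundle script and the injected <img>.
const BUNDLE_SCRIPT = { tagName: 'SCRIPT', src: 'https://app.example/static/js/main.js' };
const CLOBBER_IMG = { tagName: 'IMG', name: 'currentScript', src: 'https://attacker.example/evil/x.png' };

function demo() {
  const clean = makeDocument([BUNDLE_SCRIPT]);
  const clobbered = makeDocument([BUNDLE_SCRIPT], [CLOBBER_IMG]);
  return {
    cleanVulnerable: vulnerablePublicPath(clean),
    clobberedVulnerable: vulnerablePublicPath(clobbered),
    clobberedHardened: hardenedPublicPath(clobbered, 'https://app.example'),
  };
}

module.exports = { directoryOf, vulnerablePublicPath, hardenedPublicPath, makeDocument, demo };
```

The gadget needs no script injection at all: an `<img>` with a chosen `name` in user-controlled markup is enough, which is why a sanitiser that strips only script tags does not help and the advisory lists no workaround short of upgrading.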
🟠CVE-2026-34043
Vulnerable Library - serialize-javascript-5.0.1.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-5.0.1.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.
Publish Date: Mar 31, 2026 01:48 AM
URL: CVE-2026-34043
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.9
Suggested Fix
Type: Upgrade version
Origin: yahoo/serialize-javascript@f147e90
Release Date: Mar 28, 2026 09:06 AM
Fix Resolution: https://github.com/yahoo/serialize-javascript.git - v7.0.5
🟠CVE-2024-11831
Vulnerable Library - serialize-javascript-5.0.1.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-5.0.1.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
Publish Date: Feb 10, 2025 03:27 PM
URL: CVE-2024-11831
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.1%
Score: 5.4
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p7-773f-r4q5
Release Date: Feb 10, 2025 03:27 PM
Fix Resolution: serialize-javascript - 6.0.2
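For the two serialize-javascript findings above, an added example (my code, not the library's) of embedding state in an inline `<script>` without either failure mode: untrusted values go through `JSON.stringify`, so no functions, RegExps or other executable types are emitted, and the characters that would let a value close the script element or break a string literal are escaped. The array-like object is constructed to mirror the CVE-2026-34043 description; `serializeForScript` and `renderStateScript` are names of my own.

```javascript
'use strict';
// Added example, not serialize-javascript's code: how to embed state in an
// inline <script> without the two failure modes described for this package.
// Untrusted values are serialised with JSON.stringify (no functions, RegExps
// or other executable types), and the characters that would let a value break
// out of the script element or a JS string literal are escaped. The array-like
// object at the end is constructed to mirror the CVE-2026-34043 description.

// JSON is a subset of JS except for U+2028/U+2029; "<", ">" and "&" are escaped
// so "</script>" and "<!--" inside a string cannot end or reshape the element.
const ESCAPES = { '<': '\\u003c', '>': '\\u003e', '&': '\\u0026', '\u2028': '\\u2028', '\u2029': '\\u2029' };

function serializeForScript(value) {
  const json = JSON.stringify(value);
  if (json === undefined) throw new TypeError('value is not JSON-serialisable');
  return json.replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

// Render an inline script that assigns the state to a global.
function renderStateScript(globalName, value) {
  if (!/^[A-Za-z_$][\w$]*$/.test(globalName)) throw new TypeError('bad global name');
  return `<script>window.${globalName} = ${serializeForScript(value)};</script>`;
}

// Re-parse the serialised text the way a browser would (as JS), to show the
// escaping is lossless. Used only on our own output, never on untrusted input.
function roundTrip(value) {
  return new Function(`return (${serializeForScript(value)});`)();
}

// Constructed inputs: a script-breakout payload and an array-like object with a
// huge `length` but no elements, the shape that sends a recursive serializer
// into a long loop. JSON.stringify sees a plain object with one property.
const XSS_STATE = { name: '</script><script>alert(document.domain)</script>', note: 'a\u2028b' };
const ARRAY_LIKE = Object.create(Array.prototype, { length: { value: 2 ** 31 - 1, enumerable: true } });

function demo() {
  return {
    script: renderStateScript('__STATE__', XSS_STATE),
    roundTrip: roundTrip(XSS_STATE),
    arrayLike: serializeForScript(ARRAY_LIKE),
  };
}

module.exports = { serializeForScript, renderStateScript, roundTrip, ARRAY_LIKE, XSS_STATE, demo };
```

If the superset serializer is genuinely needed (for example to ship a RegExp to the client), keep it for data the server itself produced and still upgrade to the fixed versions listed above; for anything a user can influence, JSON plus this escaping is the smaller attack surface.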
🟠CVE-2022-25858
Vulnerable Library - terser-5.6.0.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-5.6.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
- terser-webpack-plugin-4.2.3.tgz (Root Library)
  - ❌ terser-5.6.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package terser before 4.8.1, and from 5.0.0 before 5.14.2, are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: Jul 15, 2022 08:00 PM
URL: CVE-2022-25858
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 3.6%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: Jul 15, 2022 08:00 PM
Fix Resolution: terser - 4.8.1, 5.14.2
🟠CVE-2022-25883
Vulnerable Library - semver-6.3.0.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/build/nuxt-component-library/package.json
Dependency Hierarchy:
- webpack-dev-server-3.11.3.tgz (Root Library)
  - ❌ semver-6.3.0.tgz (Vulnerable Library)
- e2e-testsuite-platform-7.0.5.tgz (Root Library)
  - preset-env-7.14.9.tgz
    - babel-plugin-polyfill-corejs2-0.2.3.tgz
      - helper-define-polyfill-provider-0.2.4.tgz
        - ❌ semver-6.3.0.tgz (Vulnerable Library)
- copy-webpack-plugin-6.4.1.tgz (Root Library)
  - find-cache-dir-3.3.1.tgz
    - make-dir-3.1.0.tgz
      - ❌ semver-6.3.0.tgz (Vulnerable Library)
- babel-jest-29.5.0.tgz (Root Library)
  - babel-plugin-istanbul-6.1.1.tgz
    - istanbul-lib-instrument-5.2.0.tgz
      - ❌ semver-6.3.0.tgz (Vulnerable Library)
- eslint-config-base-2.0.0.tgz (Root Library)
  - eslint-config-airbnb-base-15.0.0.tgz
    - ❌ semver-6.3.0.tgz (Vulnerable Library)
- sass-loader-8.0.2.tgz (Root Library)
  - ❌ semver-6.3.0.tgz (Vulnerable Library)
- core-7.20.12.tgz (Root Library)
  - ❌ semver-6.3.0.tgz (Vulnerable Library)
- cli-0.9.0.tgz (Root Library)
  - update-notifier-3.0.1.tgz
    - latest-version-5.1.0.tgz
      - package-json-6.5.0.tgz
        - ❌ semver-6.3.0.tgz (Vulnerable Library)
- ts-jest-29.0.3.tgz (Root Library)
  - jest-29.5.0.tgz
    - core-29.5.0.tgz
      - reporters-29.5.0.tgz
        - istanbul-lib-report-3.0.0.tgz
          - make-dir-3.1.0.tgz
            - ❌ semver-6.3.0.tgz (Vulnerable Library)
- nuxt-2.10.2.tgz (Root Library)
  - builder-2.10.2.tgz
    - ❌ semver-6.3.0.tgz (Vulnerable Library)
- terser-webpack-plugin-4.2.3.tgz (Root Library)
  - find-cache-dir-3.3.1.tgz
    - make-dir-3.1.0.tgz
      - ❌ semver-6.3.0.tgz (Vulnerable Library)
- optional-chaining-codemod-1.7.0.tgz (Root Library)
  - jscodeshift-0.13.1.tgz
    - preset-env-7.20.2.tgz
      - ❌ semver-6.3.0.tgz (Vulnerable Library)
- preset-typescript-7.21.0.tgz (Root Library)
  - core-7.21.3.tgz
    - helper-compilation-targets-7.21.4.tgz
      - ❌ semver-6.3.0.tgz (Vulnerable Library)
- lighthouse-9.2.0.tgz (Root Library)
  - configstore-5.0.1.tgz
    - make-dir-3.1.0.tgz
      - ❌ semver-6.3.0.tgz (Vulnerable Library)
- lighthouse-9.6.8.tgz (Root Library)
  - configstore-5.0.1.tgz
    - make-dir-3.1.0.tgz
      - ❌ semver-6.3.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- administration-1.0.0/webpack.config.js (Application)
- copy-webpack-plugin-6.4.1/dist/cjs.js (Extension)
- copy-webpack-plugin-6.4.1/dist/index.js (Extension)
- find-cache-dir-3.3.1/index.js (Extension)
- make-dir-3.1.0/index.js (Extension)
-> ❌ semver-6.3.0/semver.js (Vulnerable Component)
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jun 21, 2023 05:00 AM
URL: CVE-2022-25883
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: < 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: Jun 21, 2023 05:00 AM
Fix Resolution: semver - 5.7.2, 6.3.1, 7.5.2; org.webjars.npm:semver:7.5.2
🟡CVE-2025-69873
Vulnerable Library - ajv-6.12.5.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.12.5.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
- webpack-4.46.0.tgz (Root Library)
  - schema-utils-1.0.0.tgz
    - ❌ ajv-6.12.5.tgz (Vulnerable Library)
- worker-loader-3.0.4.tgz (Root Library)
  - schema-utils-3.3.0.tgz
    - ❌ ajv-6.12.5.tgz (Vulnerable Library)
- copy-webpack-plugin-6.4.1.tgz (Root Library)
  - schema-utils-3.0.0.tgz
    - ❌ ajv-6.12.5.tgz (Vulnerable Library)
- terser-webpack-plugin-4.2.3.tgz (Root Library)
  - schema-utils-3.0.0.tgz
    - ❌ ajv-6.12.5.tgz (Vulnerable Library)
- eslint-config-base-2.0.0.tgz (Root Library)
  - eslint-8.36.0.tgz
    - ❌ ajv-6.12.5.tgz (Vulnerable Library)
- fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
  - schema-utils-2.7.0.tgz
    - ❌ ajv-6.12.5.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.
Publish Date: Feb 11, 2026 12:00 AM
URL: CVE-2025-69873
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 2.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-2g4f-4pwh-qvx6
Release Date: Feb 11, 2026 12:00 AM
Fix Resolution: https://github.com/ajv-validator/ajv.git - v8.18.0, https://github.com/ajv-validator/ajv.git - v6.14.0
📂 Vulnerable Library - terser-webpack-plugin-4.2.3.tgz
Terser plugin for webpack
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Findings
Details
🔴CVE-2026-23950
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
copy-webpack-plugin-6.4.1.tgz (Root Library)
terser-webpack-plugin-4.2.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the "path-reservations" system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., "ß" and "ss"), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a "PathReservations" system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using "NFD" Unicode normalization (in which "ß" and "ss" are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which "ß" causes an inode collision with "ss")). This enables an attacker to circumvent internal parallelization locks ("PathReservations") using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates "path-reservations.js" to use a normalization form that matches the target filesystem's behavior (e.g., "NFKD"), followed by first "toLocaleLowerCase('en')" and then "toLocaleUpperCase('en')". As a workaround, users who cannot upgrade promptly, and who are programmatically using "node-tar" to extract arbitrary tarball data should filter out all "SymbolicLink" entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
Publish Date: Jan 20, 2026 12:40 AM
URL: CVE-2026-23950
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.8
Suggested Fix
Type: Upgrade version
Origin: GHSA-r6q2-hw4h-h46w
Release Date: Jan 20, 2026 12:40 AM
Fix Resolution : https://github.com/isaacs/node-tar.git - v7.5.4,tar - 7.5.4
🔴CVE-2021-37701
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
copy-webpack-plugin-6.4.1.tgz (Root Library)
terser-webpack-plugin-4.2.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both "\" and "/" characters as path separators, however "\" is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at "FOO", followed by a symbolic link named "foo", then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but not from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the "FOO" directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Aug 31, 2021 12:00 AM
URL: CVE-2021-37701
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-9r2w-394v-53qc
Release Date: Aug 31, 2021 12:00 AM
Fix Resolution : tar - 4.4.16,5.0.8,6.1.7
🔴CVE-2021-37712
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
copy-webpack-plugin-6.4.1.tgz (Root Library)
terser-webpack-plugin-4.2.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.
Publish Date: Aug 31, 2021 12:00 AM
URL: CVE-2021-37712
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-qq89-hq3f-393p
Release Date:
Fix Resolution : tar - 4.4.18,5.0.10,6.1.9
🔴CVE-2021-37713
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
copy-webpack-plugin-6.4.1.tgz (Root Library)
terser-webpack-plugin-4.2.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain ".." path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as "C:some\path". If the drive letter does not match the extraction target, for example "D:\extraction\dir", then the result of "path.resolve(extractionDirectory, entryPath)" would resolve against the current working directory on the "C:" drive, rather than the extraction target directory. Additionally, a ".." portion of the path could occur immediately after the drive letter, such as "C:../foo", and was not properly sanitized by the logic that checked for ".." within the normalized and split portions of the path. This only affects users of "node-tar" on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Aug 31, 2021 04:50 PM
URL: CVE-2021-37713
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-5955-9wpr-37jh
Release Date: Aug 31, 2021 04:50 PM
Fix Resolution : tar - 4.4.18,5.0.10,6.1.9
🔴CVE-2026-24842
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
copy-webpack-plugin-6.4.1.tgz (Root Library)
terser-webpack-plugin-4.2.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Publish Date: Jan 28, 2026 12:20 AM
URL: CVE-2026-24842
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin: isaacs/node-tar@f4a7aa9
Release Date: Jan 28, 2026 12:20 AM
Fix Resolution : tar - 7.5.7,https://github.com/isaacs/node-tar.git - v7.5.7
🔴CVE-2026-23745
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
copy-webpack-plugin-6.4.1.tgz (Root Library)
terser-webpack-plugin-4.2.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Publish Date: Jan 16, 2026 10:00 PM
URL: CVE-2026-23745
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.1
Suggested Fix
Type: Upgrade version
Origin: isaacs/node-tar@340eb28
Release Date: Jan 16, 2026 10:00 PM
Fix Resolution : https://github.com/isaacs/node-tar.git - v7.5.3
🔴CVE-2026-26960
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
copy-webpack-plugin-6.4.1.tgz (Root Library)
terser-webpack-plugin-4.2.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Publish Date: Feb 20, 2026 01:07 AM
URL: CVE-2026-26960
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.1
Suggested Fix
Type: Upgrade version
Origin: isaacs/node-tar@d18e4e1
Release Date: Feb 18, 2026 02:28 AM
Fix Resolution : https://github.com/isaacs/node-tar.git - v7.5.8,tar - 7.5.8
🔴CVE-2026-29786
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
copy-webpack-plugin-6.4.1.tgz (Root Library)
terser-webpack-plugin-4.2.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
Publish Date: Mar 07, 2026 03:32 PM
URL: CVE-2026-29786
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.1
Suggested Fix
Type: Upgrade version
Origin: isaacs/node-tar@7bc755d
Release Date: Mar 07, 2026 03:32 PM
Fix Resolution : https://github.com/isaacs/node-tar.git - v7.5.10
🔴CVE-2026-31802
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
copy-webpack-plugin-6.4.1.tgz (Root Library)
terser-webpack-plugin-4.2.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Publish Date: Mar 09, 2026 09:11 PM
URL: CVE-2026-31802
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.1
Suggested Fix
Type: Upgrade version
Origin: isaacs/node-tar@f48b5fa
Release Date: Mar 09, 2026 09:11 PM
Fix Resolution : https://github.com/isaacs/node-tar.git - v7.5.11
🟠CVE-2024-28863
Vulnerable Library - tar-6.1.6.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.6.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
copy-webpack-plugin-6.4.1.tgz (Root Library)
terser-webpack-plugin-4.2.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within a few seconds of running it, using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction into excessively deep sub-folders.
Publish Date: Mar 21, 2024 10:10 PM
URL: CVE-2024-28863
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution : tar - 6.2.1
🟠CVE-2024-43788
Vulnerable Library - webpack-4.46.0.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-4.46.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
❌ webpack-4.46.0.tgz (Vulnerable Library)
worker-loader-3.0.4.tgz (Root Library)
webpack-dev-server-3.11.3.tgz (Root Library)
optimize-css-assets-webpack-plugin-5.0.8.tgz (Root Library)
webpack-plugin-injector-1.0.6.tgz (Root Library)
copy-webpack-plugin-6.4.1.tgz (Root Library)
terser-webpack-plugin-4.2.3.tgz (Root Library)
webpack-cli-3.3.12.tgz (Root Library)
ts-loader-8.4.0.tgz (Root Library)
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack's "AutoPublicPathRuntimeModule". The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an "img" tag with an unsanitized "name" attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS, which allows an XSS attack to happen through JavaScript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markup in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of JS code) living in the existing JavaScript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: Aug 27, 2024 05:07 PM
URL: CVE-2024-43788
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.8%
Score: 6.4
Suggested Fix
Type: Upgrade version
Origin: GHSA-4vvj-4cpr-p986
Release Date: Aug 27, 2024 05:07 PM
Fix Resolution : webpack - 5.94.0
🟠CVE-2026-34043
Vulnerable Library - serialize-javascript-5.0.1.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-5.0.1.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
copy-webpack-plugin-6.4.1.tgz (Root Library)
terser-webpack-plugin-4.2.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.
Publish Date: Mar 31, 2026 01:48 AM
URL: CVE-2026-34043
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.9
Suggested Fix
Type: Upgrade version
Origin: yahoo/serialize-javascript@f147e90
Release Date: Mar 28, 2026 09:06 AM
Fix Resolution : https://github.com/yahoo/serialize-javascript.git - v7.0.5
🟠CVE-2024-11831
Vulnerable Library - serialize-javascript-5.0.1.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-5.0.1.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
copy-webpack-plugin-6.4.1.tgz (Root Library)
terser-webpack-plugin-4.2.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
Publish Date: Feb 10, 2025 03:27 PM
URL: CVE-2024-11831
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.1%
Score: 5.4
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p7-773f-r4q5
Release Date: Feb 10, 2025 03:27 PM
Fix Resolution : serialize-javascript - 6.0.2
🟠CVE-2022-25858
Vulnerable Library - terser-5.6.0.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-5.6.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The package terser before 4.8.1, and from 5.0.0 before 5.14.2, is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: Jul 15, 2022 08:00 PM
URL: CVE-2022-25858
Threat Assessment
Exploit Maturity:Not Defined
EPSS:3.6%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: Jul 15, 2022 08:00 PM
Fix Resolution : terser - 4.8.1,5.14.2
🟠CVE-2022-25883
Vulnerable Library - semver-6.3.0.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/build/nuxt-component-library/package.json
Dependency Hierarchy:
webpack-dev-server-3.11.3.tgz (Root Library)
e2e-testsuite-platform-7.0.5.tgz (Root Library)
copy-webpack-plugin-6.4.1.tgz (Root Library)
babel-jest-29.5.0.tgz (Root Library)
eslint-config-base-2.0.0.tgz (Root Library)
sass-loader-8.0.2.tgz (Root Library)
core-7.20.12.tgz (Root Library)
cli-0.9.0.tgz (Root Library)
ts-jest-29.0.3.tgz (Root Library)
nuxt-2.10.2.tgz (Root Library)
terser-webpack-plugin-4.2.3.tgz (Root Library)
optional-chaining-codemod-1.7.0.tgz (Root Library)
preset-typescript-7.21.0.tgz (Root Library)
lighthouse-9.2.0.tgz (Root Library)
lighthouse-9.6.8.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jun 21, 2023 05:00 AM
URL: CVE-2022-25883
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: Jun 21, 2023 05:00 AM
Fix Resolution : semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2
🟡CVE-2025-69873
Vulnerable Library - ajv-6.12.5.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.12.5.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
webpack-4.46.0.tgz (Root Library)
worker-loader-3.0.4.tgz (Root Library)
copy-webpack-plugin-6.4.1.tgz (Root Library)
terser-webpack-plugin-4.2.3.tgz (Root Library)
eslint-config-base-2.0.0.tgz (Root Library)
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.
Publish Date: Feb 11, 2026 12:00 AM
URL: CVE-2025-69873
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 2.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-2g4f-4pwh-qvx6
Release Date: Feb 11, 2026 12:00 AM
Fix Resolution : https://github.com/ajv-validator/ajv.git - v8.18.0,https://github.com/ajv-validator/ajv.git - v6.14.0