📂 Vulnerable Library - mochawesome-4.1.0.tgz
A gorgeous reporter for Mocha.js
Path to dependency file: /tests/e2e/package.json
Findings
| Finding |
Severity |
🎯 CVSS |
Exploit Maturity |
EPSS |
Library |
Type |
Fixed in |
Remediation Available |
Reachability |
| CVE-2025-12758 |
🔴 High |
7.5 |
Not Defined |
< 1% |
validator-10.11.0.tgz |
Transitive |
N/A |
❌ |
 Reachable |
| WS-2021-0638 |
🔴 High |
7.5 |
N/A |
N/A |
mocha-7.2.0.tgz |
Direct |
mocha - 10.1.0 |
✅ |
 Unreachable |
| CVE-2025-56200 |
🟠 Medium |
6.1 |
Not Defined |
< 1% |
validator-10.11.0.tgz |
Transitive |
N/A |
❌ |
Reachable |
| CVE-2021-3765 |
🟠 Medium |
5.3 |
Not Defined |
< 1% |
validator-10.11.0.tgz |
Transitive |
N/A |
❌ |
Reachable |
| CVE-2026-24001 |
🟠 Medium |
5.3 |
Not Defined |
< 1% |
diff-4.0.2.tgz |
Transitive |
N/A |
❌ |
Unreachable |
Details
🔴CVE-2025-12758
Vulnerable Library - validator-10.11.0.tgz
String validation and sanitization
Library home page: https://registry.npmjs.org/validator/-/validator-10.11.0.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
- mochawesome-4.1.0.tgz (Root Library)
- mochawesome-report-generator-4.1.0.tgz
- ❌ validator-10.11.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- shopware-e2e-1.0.0/package.json (Application)
- mochawesome-report-generator-4.1.0/bin/cli.js (Extension)
- mochawesome-report-generator-4.1.0/bin/cli-main.js (Extension)
- mochawesome-report-generator-4.1.0/bin/types.js (Extension)
- validator-10.11.0/index.js (Extension)
-> ❌ validator-10.11.0/lib/isBase64.js (Vulnerable Component)
Vulnerability Details
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.
Publish Date: Nov 27, 2025 05:00 AM
URL: CVE-2025-12758
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: validatorjs/validator.js#2616
Release Date: Nov 27, 2025 05:00 AM
Fix Resolution : validator - 13.15.22,https://github.com/validatorjs/validator.js.git - 13.15.22,validator - 13.15.22
🔴WS-2021-0638
Vulnerable Library - mocha-7.2.0.tgz
simple, flexible, fun test framework
Library home page: https://registry.npmjs.org/mocha/-/mocha-7.2.0.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
-
❌ mocha-7.2.0.tgz (Vulnerable Library)
-
cypress-multi-reporters-1.6.2.tgz (Root Library)
- ❌ mocha-7.2.0.tgz (Vulnerable Library)
-
mochawesome-4.1.0.tgz (Root Library)
- ❌ mocha-7.2.0.tgz (Vulnerable Library)
-
mocha-junit-reporter-1.23.3.tgz (Root Library)
- ❌ mocha-7.2.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
There is regular Expression Denial of Service (ReDoS) vulnerability in mocha.
It allows cause a denial of service when stripping crafted invalid function definition from strs.
Publish Date: Sep 18, 2021 12:00 AM
URL: WS-2021-0638
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: mochajs/mocha@61b4b92
Release Date: Sep 18, 2021 12:00 AM
Fix Resolution : mocha - 10.1.0
🟠CVE-2025-56200
Vulnerable Library - validator-10.11.0.tgz
String validation and sanitization
Library home page: https://registry.npmjs.org/validator/-/validator-10.11.0.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
- mochawesome-4.1.0.tgz (Root Library)
- mochawesome-report-generator-4.1.0.tgz
- ❌ validator-10.11.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- shopware-e2e-1.0.0/package.json (Application)
- mochawesome-report-generator-4.1.0/bin/cli.js (Extension)
- mochawesome-report-generator-4.1.0/bin/cli-main.js (Extension)
- mochawesome-report-generator-4.1.0/bin/types.js (Extension)
- validator-10.11.0/index.js (Extension)
-> ❌ validator-10.11.0/lib/normalizeEmail.js (Vulnerable Component)
Vulnerability Details
A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.
Publish Date: Sep 30, 2025 12:00 AM
URL: CVE-2025-56200
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2021-3765
Vulnerable Library - validator-10.11.0.tgz
String validation and sanitization
Library home page: https://registry.npmjs.org/validator/-/validator-10.11.0.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
- mochawesome-4.1.0.tgz (Root Library)
- mochawesome-report-generator-4.1.0.tgz
- ❌ validator-10.11.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- shopware-e2e-1.0.0/package.json (Application)
- mochawesome-report-generator-4.1.0/bin/cli.js (Extension)
- mochawesome-report-generator-4.1.0/bin/cli-main.js (Extension)
- mochawesome-report-generator-4.1.0/bin/types.js (Extension)
- validator-10.11.0/index.js (Extension)
-> ❌ validator-10.11.0/lib/rtrim.js (Vulnerable Component)
Vulnerability Details
validator.js is vulnerable to Inefficient Regular Expression Complexity
Publish Date: Nov 02, 2021 07:05 AM
URL: CVE-2021-3765
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-qgmg-gppg-76g5
Release Date: Nov 02, 2021 07:05 AM
Fix Resolution : validator - 13.7.0
🟠CVE-2026-24001
Vulnerable Library - diff-4.0.2.tgz
A javascript text diff implementation.
Library home page: https://registry.npmjs.org/diff/-/diff-4.0.2.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters "\r", "\u2028", or "\u2029" can cause the "parsePatch" method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call "parsePatch" with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling "parsePatch" on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The "applyPatch" method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using "parsePatch". Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's patch header (also known as its "leading garbage"). A maliciously-crafted patch header of length n can take "parsePatch" O(n³) time to parse. Versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: "\r", "\u2028", or "\u2029".
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jan 22, 2026 02:23 AM
URL: CVE-2026-24001
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: kpdecker/jsdiff@15a1585
Release Date: Jan 22, 2026 02:23 AM
Fix Resolution : https://github.com/kpdecker/jsdiff.git - v4.0.4,https://github.com/kpdecker/jsdiff.git - v5.2.2,https://github.com/kpdecker/jsdiff.git - v8.0.3
📂 Vulnerable Library - mochawesome-4.1.0.tgz
A gorgeous reporter for Mocha.js
Path to dependency file: /tests/e2e/package.json
Findings
Details
🔴CVE-2025-12758
Vulnerable Library - validator-10.11.0.tgz
String validation and sanitization
Library home page: https://registry.npmjs.org/validator/-/validator-10.11.0.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.
Publish Date: Nov 27, 2025 05:00 AM
URL: CVE-2025-12758
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: validatorjs/validator.js#2616
Release Date: Nov 27, 2025 05:00 AM
Fix Resolution : validator - 13.15.22,https://github.com/validatorjs/validator.js.git - 13.15.22,validator - 13.15.22
🔴WS-2021-0638
Vulnerable Library - mocha-7.2.0.tgz
simple, flexible, fun test framework
Library home page: https://registry.npmjs.org/mocha/-/mocha-7.2.0.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
❌ mocha-7.2.0.tgz (Vulnerable Library)
cypress-multi-reporters-1.6.2.tgz (Root Library)
mochawesome-4.1.0.tgz (Root Library)
mocha-junit-reporter-1.23.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
There is regular Expression Denial of Service (ReDoS) vulnerability in mocha.
It allows cause a denial of service when stripping crafted invalid function definition from strs.
Publish Date: Sep 18, 2021 12:00 AM
URL: WS-2021-0638
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: mochajs/mocha@61b4b92
Release Date: Sep 18, 2021 12:00 AM
Fix Resolution : mocha - 10.1.0
🟠CVE-2025-56200
Vulnerable Library - validator-10.11.0.tgz
String validation and sanitization
Library home page: https://registry.npmjs.org/validator/-/validator-10.11.0.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.
Publish Date: Sep 30, 2025 12:00 AM
URL: CVE-2025-56200
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2021-3765
Vulnerable Library - validator-10.11.0.tgz
String validation and sanitization
Library home page: https://registry.npmjs.org/validator/-/validator-10.11.0.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
validator.js is vulnerable to Inefficient Regular Expression Complexity
Publish Date: Nov 02, 2021 07:05 AM
URL: CVE-2021-3765
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-qgmg-gppg-76g5
Release Date: Nov 02, 2021 07:05 AM
Fix Resolution : validator - 13.7.0
🟠CVE-2026-24001
Vulnerable Library - diff-4.0.2.tgz
A javascript text diff implementation.
Library home page: https://registry.npmjs.org/diff/-/diff-4.0.2.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
ts-jest-29.0.3.tgz (Root Library)
mochawesome-4.1.0.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters "\r", "\u2028", or "\u2029" can cause the "parsePatch" method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call "parsePatch" with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling "parsePatch" on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The "applyPatch" method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using "parsePatch". Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's patch header (also known as its "leading garbage"). A maliciously-crafted patch header of length n can take "parsePatch" O(n³) time to parse. Versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: "\r", "\u2028", or "\u2029".
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jan 22, 2026 02:23 AM
URL: CVE-2026-24001
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: kpdecker/jsdiff@15a1585
Release Date: Jan 22, 2026 02:23 AM
Fix Resolution : https://github.com/kpdecker/jsdiff.git - v4.0.4,https://github.com/kpdecker/jsdiff.git - v5.2.2,https://github.com/kpdecker/jsdiff.git - v8.0.3