📂 Vulnerable Library - request-ip-2.1.3.tgz
A small node.js module to retrieve the request's IP address
Path to dependency file: /api/package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-26302 | 🔴 High | 7.5 | Not Defined | < 1% | is_js-0.9.0.tgz | Transitive | N/A | ❌ | Unreachable |
Details
🔴CVE-2020-26302
Vulnerable Library - is_js-0.9.0.tgz
micro check library
Library home page: https://registry.npmjs.org/is_js/-/is_js-0.9.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- request-ip-2.1.3.tgz (Root Library)
  - ❌ is_js-0.9.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
is.js is a general-purpose check library. Versions 0.9.0 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). is.js uses a regex copy-pasted from a gist to validate URLs. Trying to validate a malicious string can cause the regex to loop “forever.” This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. is.js has no patch for this issue.
Publish Date: Dec 23, 2022 11:03 PM
URL: CVE-2020-26302
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-26302
Release Date: Dec 23, 2022 11:03 PM
Fix Resolution: no_fix