📂 Vulnerable Library - react-router-dom-4.3.1.tgz
DOM bindings for React Router
Path to dependency file: /package.json
Findings
| Finding |
Severity |
🎯 CVSS |
Exploit Maturity |
EPSS |
Library |
Type |
Fixed in |
Remediation Available |
Reachability |
| CVE-2024-45296 |
🔴 High |
7.5 |
Not Defined |
< 1% |
path-to-regexp-1.7.0.tgz |
Transitive |
N/A |
❌ |
 Unreachable |
| CVE-2025-27789 |
🟠 Medium |
6.2 |
Not Defined |
< 1% |
runtime-7.4.5.tgz |
Transitive |
N/A |
❌ |
Unreachable |
Details
🔴CVE-2024-45296
Vulnerable Library - path-to-regexp-1.7.0.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-1.7.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
-
sw-precache-webpack-plugin-0.11.5.tgz (Root Library)
- sw-precache-5.2.1.tgz
- sw-toolbox-3.6.0.tgz
- ❌ path-to-regexp-1.7.0.tgz (Vulnerable Library)
-
react-router-4.3.1.tgz (Root Library)
- ❌ path-to-regexp-1.7.0.tgz (Vulnerable Library)
-
react-router-dom-4.3.1.tgz (Root Library)
- react-router-4.3.1.tgz
- ❌ path-to-regexp-1.7.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Publish Date: Sep 09, 2024 07:07 PM
URL: CVE-2024-45296
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-9wv6-86v2-598j
Release Date: Sep 09, 2024 07:07 PM
Fix Resolution : path-to-regexp - 0.1.10,1.9.0,3.3.0,6.3.0,8.0.0
🟠CVE-2025-27789
Vulnerable Library - runtime-7.4.5.tgz
babel's modular runtime helpers
Library home page: https://registry.npmjs.org/@babel/runtime/-/runtime-7.4.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
-
backpack-core-0.8.3.tgz (Root Library)
- babel-preset-backpack-0.8.2.tgz
- ❌ runtime-7.4.5.tgz (Vulnerable Library)
-
react-popper-1.3.3.tgz (Root Library)
- ❌ runtime-7.4.5.tgz (Vulnerable Library)
-
react-mentions-4.0.1.tgz (Root Library)
- ❌ runtime-7.4.5.tgz (Vulnerable Library)
-
react-redux-5.1.1.tgz (Root Library)
- ❌ runtime-7.4.5.tgz (Vulnerable Library)
-
react-transition-group-2.9.0.tgz (Root Library)
- dom-helpers-3.4.0.tgz
- ❌ runtime-7.4.5.tgz (Vulnerable Library)
-
react-router-dom-4.3.1.tgz (Root Library)
- history-4.9.0.tgz
- ❌ runtime-7.4.5.tgz (Vulnerable Library)
-
react-image-1.5.1.tgz (Root Library)
- ❌ runtime-7.4.5.tgz (Vulnerable Library)
-
history-4.9.0.tgz (Root Library)
- ❌ runtime-7.4.5.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the ".replace" method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to ".replace"). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the ".replace" method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of ".replace". This problem has been fixed in "@babel/helpers" and "@babel/runtime" 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on "@babel/helpers", and instead depend on "@babel/core" (which itself depends on "@babel/helpers"). Upgrading to "@babel/core" 7.26.10 is not required, but it guarantees use of a new enough "@babel/helpers" version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.
Publish Date: Mar 11, 2025 07:09 PM
URL: CVE-2025-27789
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-968p-4wvh-cqc8
Release Date: Mar 11, 2025 07:09 PM
Fix Resolution : @babel/runtime-corejs3 - 7.26.10,@babel/runtime - 8.0.0-alpha.17,@babel/helpers - 8.0.0-alpha.17,@babel/runtime-corejs3 - 8.0.0-alpha.17,https://github.com/babel/babel.git - v7.26.10,@babel/runtime-corejs2 - 8.0.0-alpha.17,@babel/runtime - 7.26.10,@babel/helpers - 7.26.10,@babel/runtime-corejs2 - 7.26.10
📂 Vulnerable Library - react-router-dom-4.3.1.tgz
DOM bindings for React Router
Path to dependency file: /package.json
Findings
Details
🔴CVE-2024-45296
Vulnerable Library - path-to-regexp-1.7.0.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-1.7.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
sw-precache-webpack-plugin-0.11.5.tgz (Root Library)
react-router-4.3.1.tgz (Root Library)
react-router-dom-4.3.1.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Publish Date: Sep 09, 2024 07:07 PM
URL: CVE-2024-45296
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-9wv6-86v2-598j
Release Date: Sep 09, 2024 07:07 PM
Fix Resolution : path-to-regexp - 0.1.10,1.9.0,3.3.0,6.3.0,8.0.0
🟠CVE-2025-27789
Vulnerable Library - runtime-7.4.5.tgz
babel's modular runtime helpers
Library home page: https://registry.npmjs.org/@babel/runtime/-/runtime-7.4.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
backpack-core-0.8.3.tgz (Root Library)
react-popper-1.3.3.tgz (Root Library)
react-mentions-4.0.1.tgz (Root Library)
react-redux-5.1.1.tgz (Root Library)
react-transition-group-2.9.0.tgz (Root Library)
react-router-dom-4.3.1.tgz (Root Library)
react-image-1.5.1.tgz (Root Library)
history-4.9.0.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the ".replace" method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to ".replace"). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the ".replace" method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of ".replace". This problem has been fixed in "@babel/helpers" and "@babel/runtime" 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on "@babel/helpers", and instead depend on "@babel/core" (which itself depends on "@babel/helpers"). Upgrading to "@babel/core" 7.26.10 is not required, but it guarantees use of a new enough "@babel/helpers" version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.
Publish Date: Mar 11, 2025 07:09 PM
URL: CVE-2025-27789
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-968p-4wvh-cqc8
Release Date: Mar 11, 2025 07:09 PM
Fix Resolution : @babel/runtime-corejs3 - 7.26.10,@babel/runtime - 8.0.0-alpha.17,@babel/helpers - 8.0.0-alpha.17,@babel/runtime-corejs3 - 8.0.0-alpha.17,https://github.com/babel/babel.git - v7.26.10,@babel/runtime-corejs2 - 8.0.0-alpha.17,@babel/runtime - 7.26.10,@babel/helpers - 7.26.10,@babel/runtime-corejs2 - 7.26.10