📂 Vulnerable Library - recompose-0.23.5.tgz
A React utility belt for function components and higher-order components
Path to dependency file: /api/package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-0235 | 🔴 High | 8.8 | Not Defined | < 1% | node-fetch-1.7.3.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2020-7733 | 🔴 High | 7.5 | Not Defined | 1.2% | ua-parser-js-0.7.19.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2020-7793 | 🔴 High | 7.5 | Proof of concept | 2.6000001% | ua-parser-js-0.7.19.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2021-27292 | 🔴 High | 7.5 | Not Defined | < 1% | ua-parser-js-0.7.19.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2022-25927 | 🟠 Medium | 5.3 | Proof of concept | 1.5% | ua-parser-js-0.7.19.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2020-15168 | 🟡 Low | 2.6 | Not Defined | < 1% | node-fetch-1.7.3.tgz | Transitive | N/A | ❌ | Reachable |
Details
🔴 CVE-2022-0235
Vulnerable Library - node-fetch-1.7.3.tgz
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Path to dependency file: /api/package.json
Dependency Hierarchy:
- isomorphic-fetch-2.2.1.tgz (Root Library)
  - ❌ node-fetch-1.7.3.tgz (Vulnerable Library)
- recompose-0.23.5.tgz (Root Library)
  - fbjs-0.8.17.tgz
    - isomorphic-fetch-2.2.1.tgz
      - ❌ node-fetch-1.7.3.tgz (Vulnerable Library)
- recompose-0.27.1.tgz (Root Library)
  - fbjs-0.8.16.tgz
    - isomorphic-fetch-2.2.1.tgz
      - ❌ node-fetch-1.7.3.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: Jan 16, 2022 12:00 AM
URL: CVE-2022-0235
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.8
Suggested Fix
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: Jan 16, 2022 12:00 AM
Fix Resolution: node-fetch - 2.6.7, 3.1.1
🔴 CVE-2020-7733
Vulnerable Library - ua-parser-js-0.7.19.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.19.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- draft-js-0.10.4.tgz (Root Library)
  - fbjs-0.8.16.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- react-dom-15.6.2.tgz (Root Library)
  - fbjs-0.8.17.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- react-popper-1.3.3.tgz (Root Library)
  - create-react-context-0.2.2.tgz
    - fbjs-0.8.16.tgz
      - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- recompose-0.23.5.tgz (Root Library)
  - fbjs-0.8.17.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- slate-markdown-0.1.1.tgz (Root Library)
  - react-15.6.2.tgz
    - fbjs-0.8.16.tgz
      - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- recompose-0.27.1.tgz (Root Library)
  - fbjs-0.8.16.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- draft-js-0.10.5.tgz (Root Library)
  - fbjs-0.8.17.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.
Publish Date: Sep 16, 2020 02:10 PM
URL: CVE-2020-7733
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.2%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: faisalman/ua-parser-js@233d3ba
Release Date: Sep 16, 2020 02:10 PM
Fix Resolution: ua-parser-js - 0.7.22
🔴 CVE-2020-7793
Vulnerable Library - ua-parser-js-0.7.19.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.19.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- draft-js-0.10.4.tgz (Root Library)
  - fbjs-0.8.16.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- react-dom-15.6.2.tgz (Root Library)
  - fbjs-0.8.17.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- react-popper-1.3.3.tgz (Root Library)
  - create-react-context-0.2.2.tgz
    - fbjs-0.8.16.tgz
      - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- recompose-0.23.5.tgz (Root Library)
  - fbjs-0.8.17.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- slate-markdown-0.1.1.tgz (Root Library)
  - react-15.6.2.tgz
    - fbjs-0.8.16.tgz
      - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- recompose-0.27.1.tgz (Root Library)
  - fbjs-0.8.16.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- draft-js-0.10.5.tgz (Root Library)
  - fbjs-0.8.17.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see the linked commit for more info).
Publish Date: Dec 11, 2020 01:25 PM
URL: CVE-2020-7793
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 2.6000001%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: faisalman/ua-parser-js@6d1f26d
Release Date: Dec 11, 2020 01:25 PM
Fix Resolution: 0.7.23
🔴 CVE-2021-27292
Vulnerable Library - ua-parser-js-0.7.19.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.19.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- draft-js-0.10.4.tgz (Root Library)
  - fbjs-0.8.16.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- react-dom-15.6.2.tgz (Root Library)
  - fbjs-0.8.17.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- react-popper-1.3.3.tgz (Root Library)
  - create-react-context-0.2.2.tgz
    - fbjs-0.8.16.tgz
      - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- recompose-0.23.5.tgz (Root Library)
  - fbjs-0.8.17.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- slate-markdown-0.1.1.tgz (Root Library)
  - react-15.6.2.tgz
    - fbjs-0.8.16.tgz
      - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- recompose-0.27.1.tgz (Root Library)
  - fbjs-0.8.16.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- draft-js-0.10.5.tgz (Root Library)
  - fbjs-0.8.17.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.
Publish Date: Mar 17, 2021 12:34 PM
URL: CVE-2021-27292
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27292
Release Date: Mar 17, 2021 12:34 PM
Fix Resolution: ua-parser-js - 0.7.24
🟠 CVE-2022-25927
Vulnerable Library - ua-parser-js-0.7.19.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.19.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- draft-js-0.10.4.tgz (Root Library)
  - fbjs-0.8.16.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- react-dom-15.6.2.tgz (Root Library)
  - fbjs-0.8.17.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- react-popper-1.3.3.tgz (Root Library)
  - create-react-context-0.2.2.tgz
    - fbjs-0.8.16.tgz
      - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- recompose-0.23.5.tgz (Root Library)
  - fbjs-0.8.17.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- slate-markdown-0.1.1.tgz (Root Library)
  - react-15.6.2.tgz
    - fbjs-0.8.16.tgz
      - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- recompose-0.27.1.tgz (Root Library)
  - fbjs-0.8.16.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
- draft-js-0.10.5.tgz (Root Library)
  - fbjs-0.8.17.tgz
    - ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function.
Publish Date: Jan 25, 2023 05:00 AM
URL: CVE-2022-25927
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 1.5%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: faisalman/ua-parser-js@a6140a1
Release Date: Jan 25, 2023 05:00 AM
Fix Resolution: ua-parser-js - 0.7.33, 1.0.33, UAParser.js - 0.7.33, UAParser.js - 1.0.33
🟡 CVE-2020-15168
Vulnerable Library - node-fetch-1.7.3.tgz
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Path to dependency file: /api/package.json
Dependency Hierarchy:
- isomorphic-fetch-2.2.1.tgz (Root Library)
  - ❌ node-fetch-1.7.3.tgz (Vulnerable Library)
- recompose-0.23.5.tgz (Root Library)
  - fbjs-0.8.17.tgz
    - isomorphic-fetch-2.2.1.tgz
      - ❌ node-fetch-1.7.3.tgz (Vulnerable Library)
- recompose-0.27.1.tgz (Root Library)
  - fbjs-0.8.16.tgz
    - isomorphic-fetch-2.2.1.tgz
      - ❌ node-fetch-1.7.3.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- Spectrum-3.1.15/scripts/introspection-query.js (Application)
  -> ❌ node-fetch-1.7.3/index.js (Vulnerable Component)
Vulnerability Details
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example, if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Publish Date: Sep 10, 2020 06:25 PM
URL: CVE-2020-15168
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 2.6
Suggested Fix
Type: Upgrade version
Origin: GHSA-w7rc-rwvf-8q5r
Release Date: Sep 10, 2020 06:25 PM
Fix Resolution: 2.6.1, 3.0.0-beta.9