jest-22.4.3.tgz: 61 vulnerabilities (highest severity is: 9.8) [alpha] (reachable) #231

@renovate

📂 Vulnerable Library - jest-22.4.3.tgz

Delightful JavaScript Testing.

Path to dependency file: /package.json

Partial results (21 findings) are displayed below due to a content size limitation in GitHub. To view information on the remaining findings, navigate to the Mend Application.

Findings

Finding Severity 🎯 CVSS Exploit Maturity EPSS Library Type Fixed in Remediation Available Reachability
CVE-2019-19919 🟣 Critical 9.8 Not Defined 17.800001% handlebars-4.1.2.tgz Transitive N/A Unreachable
CVE-2021-44906 🟣 Critical 9.8 Not Defined < 1% minimist-0.0.10.tgz Transitive N/A Unreachable
CVE-2021-44906 🟣 Critical 9.8 Not Defined < 1% minimist-1.2.0.tgz Transitive N/A Unreachable
CVE-2023-45311 🟣 Critical 9.8 Not Defined < 1% fsevents-1.2.9.tgz Transitive N/A Unreachable
CVE-2026-33937 🟣 Critical 9.8 Not Defined < 1% handlebars-4.1.2.tgz Transitive N/A Unreachable
MSC-2023-16609 🟣 Critical 9.8 High < 1% fsevents-1.2.9.tgz Transitive N/A Unreachable
CVE-2023-45133 🟣 Critical 9.3 Not Defined < 1% babel-traverse-6.26.0.tgz Transitive N/A Unreachable
CVE-2025-7783 🔴 High 8.7 Not Defined < 1% form-data-2.3.3.tgz Transitive N/A Unreachable
CVE-2026-33941 🔴 High 8.2 Not Defined < 1% handlebars-4.1.2.tgz Transitive N/A Unreachable
CVE-2019-20920 🔴 High 8.1 Not Defined < 1% handlebars-4.1.2.tgz Transitive N/A Unreachable
CVE-2026-33938 🔴 High 8.1 Not Defined < 1% handlebars-4.1.2.tgz Transitive N/A Unreachable
CVE-2026-33940 🔴 High 8.1 Not Defined < 1% handlebars-4.1.2.tgz Transitive N/A Unreachable
CVE-2026-4800 🔴 High 8.1 Not Defined < 1% lodash-4.17.11.tgz Direct N/A Unreachable
CVE-2021-43138 🔴 High 7.8 Not Defined < 1% async-2.6.2.tgz Transitive N/A Unreachable
CVE-2019-20149 🔴 High 7.5 Not Defined < 1% kind-of-6.0.2.tgz Transitive N/A Unreachable
CVE-2019-20922 🔴 High 7.5 Not Defined < 1% handlebars-4.1.2.tgz Transitive N/A Unreachable
CVE-2021-3777 🔴 High 7.5 Not Defined < 1% tmpl-1.0.4.tgz Transitive N/A Unreachable
CVE-2021-3807 🔴 High 7.5 Not Defined < 1% ansi-regex-3.0.0.tgz Transitive N/A Unreachable
CVE-2022-24999 🔴 High 7.5 Not Defined 1.5% qs-6.5.2.tgz Transitive N/A Unreachable
CVE-2022-3517 🔴 High 7.5 Not Defined < 1% minimatch-3.0.4.tgz Transitive N/A Reachable
CVE-2024-37890 🔴 High 7.5 Not Defined < 1% ws-5.2.2.tgz Transitive N/A Unreachable

Details

🟣CVE-2019-19919

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • istanbul-api-1.3.7.tgz
        • istanbul-reports-1.5.1.tgz
          • handlebars-4.1.2.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • istanbul-api-1.3.7.tgz
        • istanbul-reports-1.5.1.tgz
          • handlebars-4.1.2.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Dec 20, 2019 10:50 PM

URL: CVE-2019-19919

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 17.800001%

Score: 9.8


Suggested Fix

Type: Upgrade version

Origin: GHSA-w457-6q6x-cgp9

Release Date: Dec 20, 2019 10:50 PM

Fix Resolution : handlebars - 3.0.8,4.3.0

🟣CVE-2021-44906

Vulnerable Library - minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Path to dependency file: /api/package.json

Dependency Hierarchy:

  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • istanbul-api-1.3.7.tgz
        • istanbul-reports-1.5.1.tgz
          • handlebars-4.1.2.tgz
            • optimist-0.6.1.tgz
              • minimist-0.0.10.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • istanbul-api-1.3.7.tgz
        • istanbul-reports-1.5.1.tgz
          • handlebars-4.1.2.tgz
            • optimist-0.6.1.tgz
              • minimist-0.0.10.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: Mar 17, 2022 01:05 PM

URL: CVE-2021-44906

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 9.8


Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: Mar 17, 2022 01:05 PM

Fix Resolution : minimist - 0.2.4,1.2.6

🟣CVE-2021-44906

Vulnerable Library - minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /api/package.json

Dependency Hierarchy:

  • cypress-3.6.1.tgz (Root Library)

    • minimist-1.2.0.tgz (Vulnerable Library)
  • sw-precache-webpack-plugin-0.11.5.tgz (Root Library)

    • sw-precache-5.2.1.tgz
      • update-notifier-2.5.0.tgz
        • latest-version-3.1.0.tgz
          • package-json-4.0.1.tgz
            • registry-url-3.1.0.tgz
              • rc-1.2.8.tgz
                • minimist-1.2.0.tgz (Vulnerable Library)
  • backpack-core-0.8.3.tgz (Root Library)

    • nodemon-1.19.1.tgz
      • chokidar-2.1.6.tgz
        • fsevents-1.2.9.tgz
          • node-pre-gyp-0.12.0.tgz
            • rc-1.2.8.tgz
              • minimist-1.2.0.tgz (Vulnerable Library)
  • web-push-3.3.5.tgz (Root Library)

    • minimist-1.2.0.tgz (Vulnerable Library)
  • browserify-preprocessor-1.1.2.tgz (Root Library)

    • watchify-3.11.0.tgz
      • chokidar-1.7.0.tgz
        • fsevents-1.2.9.tgz
          • node-pre-gyp-0.12.0.tgz
            • rc-1.2.8.tgz
              • minimist-1.2.0.tgz (Vulnerable Library)
  • datadog-metrics-0.8.1.tgz (Root Library)

    • dogapi-1.1.0.tgz
      • minimist-1.2.0.tgz (Vulnerable Library)
  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • jest-haste-map-22.4.3.tgz
        • sane-2.5.2.tgz
          • watch-0.18.0.tgz
            • minimist-1.2.0.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • jest-haste-map-21.2.0.tgz
        • sane-2.5.2.tgz
          • watch-0.18.0.tgz
            • minimist-1.2.0.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: Mar 17, 2022 01:05 PM

URL: CVE-2021-44906

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 9.8


Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: Mar 17, 2022 01:05 PM

Fix Resolution : minimist - 0.2.4,1.2.6

🟣CVE-2023-45311

Vulnerable Library - fsevents-1.2.9.tgz

Native Access to Mac OS-X FSEvents

Library home page: https://registry.npmjs.org/fsevents/-/fsevents-1.2.9.tgz

Path to dependency file: /api/package.json

Dependency Hierarchy:

  • backpack-core-0.8.3.tgz (Root Library)

    • nodemon-1.19.1.tgz
      • chokidar-2.1.6.tgz
        • fsevents-1.2.9.tgz (Vulnerable Library)
  • browserify-preprocessor-1.1.2.tgz (Root Library)

    • babel-plugin-add-module-exports-1.0.0.tgz
      • chokidar-2.1.6.tgz
        • fsevents-1.2.9.tgz (Vulnerable Library)
  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • jest-haste-map-22.4.3.tgz
        • sane-2.5.2.tgz
          • fsevents-1.2.9.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • jest-haste-map-21.2.0.tgz
        • sane-2.5.2.tgz
          • fsevents-1.2.9.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary. NOTE: some sources feel that this means that no version is affected any longer, because the URL is not controlled by an adversary.

Publish Date: Oct 06, 2023 12:00 AM

URL: CVE-2023-45311

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 9.8


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-45311

Release Date: Oct 06, 2023 12:00 AM

Fix Resolution : fsevents - 1.2.11

🟣CVE-2026-33937

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • istanbul-api-1.3.7.tgz
        • istanbul-reports-1.5.1.tgz
          • handlebars-4.1.2.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • istanbul-api-1.3.7.tgz
        • istanbul-reports-1.5.1.tgz
          • handlebars-4.1.2.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, "Handlebars.compile()" accepts a pre-parsed AST object in addition to a template string. The "value" field of a "NumberLiteral" AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to "compile()" can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate input type before calling "Handlebars.compile()"; ensure the argument is always a "string", never a plain object or JSON-deserialized value. Use the Handlebars runtime-only build ("handlebars/runtime") on the server if templates are pre-compiled at build time; "compile()" will be unavailable.

Publish Date: Mar 27, 2026 09:03 PM

URL: CVE-2026-33937

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 9.8


Suggested Fix

Type: Upgrade version

Origin: handlebars-lang/handlebars.js@68d8df5

Release Date: Mar 27, 2026 09:03 PM

Fix Resolution : https://github.com/handlebars-lang/handlebars.js.git - v4.7.9

🟣MSC-2023-16609

Vulnerable Library - fsevents-1.2.9.tgz

Native Access to Mac OS-X FSEvents

Library home page: https://registry.npmjs.org/fsevents/-/fsevents-1.2.9.tgz

Path to dependency file: /api/package.json

Dependency Hierarchy:

  • backpack-core-0.8.3.tgz (Root Library)

    • nodemon-1.19.1.tgz
      • chokidar-2.1.6.tgz
        • fsevents-1.2.9.tgz (Vulnerable Library)
  • browserify-preprocessor-1.1.2.tgz (Root Library)

    • babel-plugin-add-module-exports-1.0.0.tgz
      • chokidar-2.1.6.tgz
        • fsevents-1.2.9.tgz (Vulnerable Library)
  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • jest-haste-map-22.4.3.tgz
        • sane-2.5.2.tgz
          • fsevents-1.2.9.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • jest-haste-map-21.2.0.tgz
        • sane-2.5.2.tgz
          • fsevents-1.2.9.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

This package has been identified by Mend as containing potential malicious functionality. The severity of the functionality can change depending on where the library is running (user's machine or backend server). The following risks were identified: Malware dropper – this package contains a Trojan horse, allowing the unauthorized installation of other potentially malicious software.

Publish Date: Sep 20, 2023 12:00 AM

URL: MSC-2023-16609

Threat Assessment

Exploit Maturity: High

EPSS: < 1%

Score: 9.8


Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🟣CVE-2023-45133

Vulnerable Library - babel-traverse-6.26.0.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/babel-traverse/-/babel-traverse-6.26.0.tgz

Path to dependency file: /api/package.json

Dependency Hierarchy:

  • babel-preset-env-1.7.0.tgz (Root Library)

    • babel-plugin-transform-exponentiation-operator-6.24.1.tgz
      • babel-helper-builder-binary-assignment-operator-visitor-6.24.1.tgz
        • babel-helper-explode-assignable-expression-6.24.1.tgz
          • babel-traverse-6.26.0.tgz (Vulnerable Library)
  • babel-plugin-replace-dynamic-import-runtime-1.0.2.tgz (Root Library)

    • babel-template-6.26.0.tgz
      • babel-traverse-6.26.0.tgz (Vulnerable Library)
  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • jest-runtime-22.4.4.tgz
        • babel-plugin-istanbul-4.1.6.tgz
          • istanbul-lib-instrument-1.10.2.tgz
            • babel-traverse-6.26.0.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • istanbul-api-1.3.7.tgz
        • istanbul-lib-instrument-1.10.2.tgz
          • babel-traverse-6.26.0.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Babel is a compiler for writing JavaScript. In "@babel/traverse" prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of "babel-traverse", using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the "path.evaluate()" or "path.evaluateTruthy()" internal Babel methods. Known affected plugins are "@babel/plugin-transform-runtime"; "@babel/preset-env" when using its "useBuiltIns" option; and any "polyfill provider" plugin that depends on "@babel/helper-define-polyfill-provider", such as "babel-plugin-polyfill-corejs3", "babel-plugin-polyfill-corejs2", "babel-plugin-polyfill-es-shims", "babel-plugin-polyfill-regenerator". No other plugins under the "@babel/" namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in "@babel/traverse@7.23.2" and "@babel/traverse@8.0.0-alpha.4". Those who cannot upgrade "@babel/traverse" and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected "@babel/traverse" versions: "@babel/plugin-transform-runtime" v7.23.2, "@babel/preset-env" v7.23.2, "@babel/helper-define-polyfill-provider" v0.4.3, "babel-plugin-polyfill-corejs2" v0.4.6, "babel-plugin-polyfill-corejs3" v0.8.5, "babel-plugin-polyfill-es-shims" v0.10.0, "babel-plugin-polyfill-regenerator" v0.5.3.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Oct 12, 2023 04:17 PM

URL: CVE-2023-45133

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 9.3


Suggested Fix

Type: Upgrade version

Origin: GHSA-67hx-6x53-jw92

Release Date: Oct 12, 2023 04:17 PM

Fix Resolution : @babel/traverse - 7.23.2,@babel/traverse - 7.23.2

🔴CVE-2025-7783

Vulnerable Library - form-data-2.3.3.tgz

A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.

Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • cypress-3.6.1.tgz (Root Library)

    • request-2.88.0.tgz
      • form-data-2.3.3.tgz (Vulnerable Library)
  • request-2.88.0.tgz (Root Library)

    • form-data-2.3.3.tgz (Vulnerable Library)
  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • jest-environment-jsdom-22.4.3.tgz
        • jsdom-11.12.0.tgz
          • request-2.88.0.tgz
            • form-data-2.3.3.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • jest-environment-jsdom-21.2.1.tgz
        • jsdom-9.12.0.tgz
          • request-2.88.0.tgz
            • form-data-2.3.3.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Jul 18, 2025 04:34 PM

URL: CVE-2025-7783

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 8.7


Suggested Fix

Type: Upgrade version

Origin: GHSA-fjxv-7rqg-78g4

Release Date: Jul 18, 2025 04:34 PM

Fix Resolution : form-data - 2.5.4,form-data - 3.0.4,https://github.com/form-data/form-data.git - v2.5.4,form-data - 4.0.4,https://github.com/form-data/form-data.git - v4.0.4,https://github.com/form-data/form-data.git - v3.0.4

🔴CVE-2026-33941

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • istanbul-api-1.3.7.tgz
        • istanbul-reports-1.5.1.tgz
          • handlebars-4.1.2.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • istanbul-api-1.3.7.tgz
        • istanbul-reports-1.5.1.tgz
          • handlebars-4.1.2.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler ("bin/handlebars" / "lib/precompiler.js") concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser. Version 4.7.9 fixes the issue. Some workarounds are available. First, validate all CLI inputs before invoking the precompiler. Reject filenames and option values that contain characters with JavaScript string-escaping significance (""", "'", ";", etc.). Second, use a fixed, trusted namespace string passed via a configuration file rather than command-line arguments in automated pipelines. Third, run the precompiler in a sandboxed environment (container with no write access to sensitive paths) to limit the impact of successful exploitation. Fourth, audit template filenames in any repository or package that is consumed by an automated build pipeline.

Publish Date: Mar 27, 2026 09:13 PM

URL: CVE-2026-33941

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 8.2


Suggested Fix

Type: Upgrade version

Origin: handlebars-lang/handlebars.js@68d8df5

Release Date: Mar 27, 2026 09:13 PM

Fix Resolution : https://github.com/handlebars-lang/handlebars.js.git - v4.7.9

🔴CVE-2019-20920

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • istanbul-api-1.3.7.tgz
        • istanbul-reports-1.5.1.tgz
          • handlebars-4.1.2.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • istanbul-api-1.3.7.tgz
        • istanbul-reports-1.5.1.tgz
          • handlebars-4.1.2.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Publish Date: Sep 30, 2020 12:30 PM

URL: CVE-2019-20920

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 8.1


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: Sep 30, 2020 12:30 PM

Fix Resolution : handlebars - 4.5.3

🔴CVE-2026-33938

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • istanbul-api-1.3.7.tgz
        • istanbul-reports-1.5.1.tgz
          • handlebars-4.1.2.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • istanbul-api-1.3.7.tgz
        • istanbul-reports-1.5.1.tgz
          • handlebars-4.1.2.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the "@partial-block" special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites "@partial-block" with a crafted Handlebars AST, a subsequent invocation of "{{> @partial-block}}" compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build ("require('handlebars/runtime')"). The "compile()" method is absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as "handlebars-helpers") in contexts where templates or context data can be influenced by untrusted input.

Publish Date: Mar 27, 2026 09:05 PM

URL: CVE-2026-33938

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 8.1


Suggested Fix

Type: Upgrade version

Origin: handlebars-lang/handlebars.js@68d8df5

Release Date: Mar 27, 2026 09:05 PM

Fix Resolution : https://github.com/handlebars-lang/handlebars.js.git - v4.7.9

🔴CVE-2026-33940

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • istanbul-api-1.3.7.tgz
        • istanbul-reports-1.5.1.tgz
          • handlebars-4.1.2.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • istanbul-api-1.3.7.tgz
        • istanbul-reports-1.5.1.tgz
          • handlebars-4.1.2.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in "resolvePartial()" and cause "invokePartial()" to return "undefined". The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to "env.compile()". Because the object is a valid Handlebars AST containing injected code, the generated JavaScript executes arbitrary commands on the server. The attack requires the adversary to control a value that can be returned by a dynamic partial lookup. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build ("require('handlebars/runtime')"). Without "compile()", the fallback compilation path in "invokePartial" is unreachable. Second, sanitize context data before rendering: Ensure no value in the context is a non-primitive object that could be passed to a dynamic partial. Third, avoid dynamic partial lookups ("{{> (lookup ...)}}") when context data is user-controlled.

Publish Date: Mar 27, 2026 09:11 PM

URL: CVE-2026-33940

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 8.1


Suggested Fix

Type: Upgrade version

Origin: handlebars-lang/handlebars.js@68d8df5

Release Date: Mar 27, 2026 09:11 PM

Fix Resolution : https://github.com/handlebars-lang/handlebars.js.git - v4.7.9

🔴CVE-2026-4800

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /api/package.json

Dependency Hierarchy:

  • flow-typed-2.6.2.tgz (Root Library)

    • table-5.4.0.tgz
      • lodash-4.17.11.tgz (Vulnerable Library)
  • react-app-rewire-styled-components-3.0.2.tgz (Root Library)

    • babel-plugin-styled-components-1.10.0.tgz
      • lodash-4.17.11.tgz (Vulnerable Library)
  • backpack-core-0.8.3.tgz (Root Library)

    • babel-preset-backpack-0.8.2.tgz
      • core-7.4.5.tgz
        • lodash-4.17.11.tgz (Vulnerable Library)
  • redux-3.7.2.tgz (Root Library)

    • lodash-4.17.11.tgz (Vulnerable Library)
  • flow-typed-2.5.2.tgz (Root Library)

    • rest-15.18.1.tgz
      • lodash-4.17.11.tgz (Vulnerable Library)
  • babel-plugin-replace-dynamic-import-runtime-1.0.2.tgz (Root Library)

    • babel-types-6.26.0.tgz
      • lodash-4.17.11.tgz (Vulnerable Library)
  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • jest-environment-jsdom-22.4.3.tgz
        • jsdom-11.12.0.tgz
          • request-promise-native-1.0.7.tgz
            • request-promise-core-1.1.2.tgz
              • lodash-4.17.11.tgz (Vulnerable Library)
  • lodash-4.17.11.tgz (Vulnerable Library)

  • aws-sdk-2.200.0.tgz (Root Library)

    • xmlbuilder-4.2.1.tgz
      • lodash-4.17.11.tgz (Vulnerable Library)
  • babel-plugin-styled-components-1.10.0.tgz (Root Library)

    • lodash-4.17.11.tgz (Vulnerable Library)
  • cypress-3.6.1.tgz (Root Library)

    • getos-3.1.1.tgz
      • async-2.6.1.tgz
        • lodash-4.17.11.tgz (Vulnerable Library)
  • draft-js-code-editor-plugin-0.2.1.tgz (Root Library)

    • babel-plugin-transform-react-jsx-6.24.1.tgz
      • babel-helper-builder-react-jsx-6.26.0.tgz
        • babel-types-6.26.0.tgz
          • lodash-4.17.11.tgz (Vulnerable Library)
  • styled-components-4.2.1.tgz (Root Library)

    • babel-plugin-styled-components-1.10.0.tgz
      • lodash-4.17.11.tgz (Vulnerable Library)
  • slate-0.44.13.tgz (Root Library)

    • lodash-4.17.11.tgz (Vulnerable Library)
  • browserify-preprocessor-1.1.2.tgz (Root Library)

    • preset-react-7.0.0.tgz
      • plugin-transform-react-jsx-7.3.0.tgz
        • helper-builder-react-jsx-7.3.0.tgz
          • types-7.4.4.tgz
            • lodash-4.17.11.tgz (Vulnerable Library)
  • babel-preset-env-1.7.0.tgz (Root Library)

    • babel-plugin-transform-regenerator-6.26.0.tgz
      • regenerator-transform-0.10.1.tgz
        • babel-types-6.26.0.tgz
          • lodash-4.17.11.tgz (Vulnerable Library)
  • hpp-0.2.2.tgz (Root Library)

    • lodash-4.17.11.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • istanbul-api-1.3.7.tgz
        • async-2.6.2.tgz
          • lodash-4.17.11.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

Publish Date: Mar 31, 2026 07:25 PM

URL: CVE-2026-4800

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 8.1


Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🔴CVE-2021-43138

Vulnerable Library - async-2.6.2.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.2.tgz

Path to dependency file: /api/package.json

Dependency Hierarchy:

  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • istanbul-api-1.3.7.tgz
        • async-2.6.2.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • istanbul-api-1.3.7.tgz
        • async-2.6.2.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: Apr 06, 2022 12:00 AM

URL: CVE-2021-43138

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 7.8


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: Apr 06, 2022 12:00 AM

Fix Resolution : async - 2.6.4,3.2.2

🔴CVE-2019-20149

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /api/package.json

Dependency Hierarchy:

  • backpack-core-0.8.3.tgz (Root Library)

    • nodemon-1.19.1.tgz
      • chokidar-2.1.6.tgz
        • anymatch-2.0.0.tgz
          • micromatch-3.1.10.tgz
            • kind-of-6.0.2.tgz (Vulnerable Library)
  • browserify-preprocessor-1.1.2.tgz (Root Library)

    • babel-plugin-add-module-exports-1.0.0.tgz
      • chokidar-2.1.6.tgz
        • braces-2.3.2.tgz
          • snapdragon-node-2.1.1.tgz
            • define-property-1.0.0.tgz
              • is-descriptor-1.0.2.tgz
                • is-data-descriptor-1.0.0.tgz
                  • kind-of-6.0.2.tgz (Vulnerable Library)
  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • micromatch-2.3.11.tgz
        • braces-1.8.5.tgz
          • expand-range-1.8.2.tgz
            • fill-range-2.2.4.tgz
              • randomatic-3.1.1.tgz
                • kind-of-6.0.2.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • micromatch-2.3.11.tgz
        • braces-1.8.5.tgz
          • expand-range-1.8.2.tgz
            • fill-range-2.2.4.tgz
              • randomatic-3.1.1.tgz
                • kind-of-6.0.2.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: Dec 30, 2019 06:25 PM

URL: CVE-2019-20149

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/kind-of#31

Release Date: Dec 30, 2019 06:25 PM

Fix Resolution : kind-of - 6.0.3

🔴CVE-2019-20922

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • istanbul-api-1.3.7.tgz
        • istanbul-reports-1.5.1.tgz
          • handlebars-4.1.2.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • istanbul-api-1.3.7.tgz
        • istanbul-reports-1.5.1.tgz
          • handlebars-4.1.2.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

Publish Date: Sep 30, 2020 12:30 PM

URL: CVE-2019-20922

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: Sep 30, 2020 12:30 PM

Fix Resolution : handlebars - 4.4.5

🔴CVE-2021-3777

Vulnerable Library - tmpl-1.0.4.tgz

JavaScript micro templates.

Library home page: https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz

Path to dependency file: /api/package.json

Dependency Hierarchy:

  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • jest-haste-map-22.4.3.tgz
        • sane-2.5.2.tgz
          • walker-1.0.7.tgz
            • makeerror-1.0.11.tgz
              • tmpl-1.0.4.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • jest-haste-map-21.2.0.tgz
        • sane-2.5.2.tgz
          • walker-1.0.7.tgz
            • makeerror-1.0.11.tgz
              • tmpl-1.0.4.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity

Publish Date: Sep 15, 2021 07:15 AM

URL: CVE-2021-3777

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🔴CVE-2021-3807

Vulnerable Library - ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /api/package.json

Dependency Hierarchy:

  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • strip-ansi-4.0.0.tgz
        • ansi-regex-3.0.0.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • strip-ansi-4.0.0.tgz
        • ansi-regex-3.0.0.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: Sep 17, 2021 12:00 AM

URL: CVE-2021-3807

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🔴CVE-2022-24999

Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • cypress-3.6.1.tgz (Root Library)

    • request-2.88.0.tgz
      • qs-6.5.2.tgz (Vulnerable Library)
  • request-2.88.0.tgz (Root Library)

    • qs-6.5.2.tgz (Vulnerable Library)
  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • jest-environment-jsdom-22.4.3.tgz
        • jsdom-11.12.0.tgz
          • request-2.88.0.tgz
            • qs-6.5.2.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • jest-environment-jsdom-21.2.1.tgz
        • jsdom-9.12.0.tgz
          • request-2.88.0.tgz
            • qs-6.5.2.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Nov 26, 2022 12:00 AM

URL: CVE-2022-24999

Threat Assessment

Exploit Maturity:Not Defined

EPSS:1.5%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: Nov 26, 2022 12:00 AM

Fix Resolution : qs - 6.2.4,6.3.3,6.4.1,6.5.3,6.6.1,6.7.3,6.8.3,6.9.7,6.10.3

🔴CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • eslint-plugin-node-6.0.1.tgz (Root Library)

    • minimatch-3.0.4.tgz (Vulnerable Library)
  • flow-typed-2.6.2.tgz (Root Library)

    • glob-7.1.4.tgz
      • minimatch-3.0.4.tgz (Vulnerable Library)
  • sw-precache-webpack-plugin-0.11.5.tgz (Root Library)

    • sw-precache-5.2.1.tgz
      • glob-7.1.4.tgz
        • minimatch-3.0.4.tgz (Vulnerable Library)
  • offline-plugin-4.9.1.tgz (Root Library)

    • minimatch-3.0.4.tgz (Vulnerable Library)
  • backpack-core-0.8.3.tgz (Root Library)

    • nodemon-1.19.1.tgz
      • chokidar-2.1.6.tgz
        • fsevents-1.2.9.tgz
          • node-pre-gyp-0.12.0.tgz
            • npm-packlist-1.4.1.tgz
              • ignore-walk-3.0.1.tgz
                • minimatch-3.0.4.tgz (Vulnerable Library)
  • flow-typed-2.5.2.tgz (Root Library)

    • glob-7.1.4.tgz
      • minimatch-3.0.4.tgz (Vulnerable Library)
  • browserify-preprocessor-1.1.2.tgz (Root Library)

    • watchify-3.11.0.tgz
      • chokidar-1.7.0.tgz
        • fsevents-1.2.9.tgz
          • node-pre-gyp-0.12.0.tgz
            • npm-packlist-1.4.1.tgz
              • ignore-walk-3.0.1.tgz
                • minimatch-3.0.4.tgz (Vulnerable Library)
  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • jest-runtime-22.4.4.tgz
        • babel-core-6.26.3.tgz
          • minimatch-3.0.4.tgz (Vulnerable Library)
  • offline-plugin-5.0.7.tgz (Root Library)

    • minimatch-3.0.4.tgz (Vulnerable Library)
  • jest-21.2.1.tgz (Root Library)

    • jest-cli-21.2.1.tgz
      • istanbul-api-1.3.7.tgz
        • fileset-2.0.3.tgz
          • minimatch-3.0.4.tgz (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- Spectrum-3.1.15/config-overrides.js (Application)
    - offline-plugin-5.0.7/lib/index.js (Extension)
        -> ❌ minimatch-3.0.4/minimatch.js (Vulnerable Component)

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: Oct 17, 2022 12:00 AM

URL: CVE-2022-3517

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🔴CVE-2024-37890

Vulnerable Library - ws-5.2.2.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-5.2.2.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • apollo-server-express-2.5.0-alpha.0.tgz (Root Library)

    • apollo-server-core-2.5.0-alpha.0.tgz
      • subscriptions-transport-ws-0.9.16.tgz
        • ws-5.2.2.tgz (Vulnerable Library)
  • jest-22.4.3.tgz (Root Library)

    • jest-cli-22.4.4.tgz
      • jest-environment-jsdom-22.4.3.tgz
        • jsdom-11.12.0.tgz
          • ws-5.2.2.tgz (Vulnerable Library)
  • apollo-server-express-2.9.12.tgz (Root Library)

    • apollo-server-core-2.9.12.tgz
      • subscriptions-transport-ws-0.9.16.tgz
        • ws-5.2.2.tgz (Vulnerable Library)
  • subscriptions-transport-ws-0.9.16.tgz (Root Library)

    • ws-5.2.2.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

Publish Date: Jun 17, 2024 07:09 PM

URL: CVE-2024-37890

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin: GHSA-3h5v-q93c-6h6q

Release Date: Jun 17, 2024 07:09 PM

Fix Resolution : ws - 5.2.4,6.2.3,7.5.10,8.17.1
