draft-js-0.10.5.tgz: 5 vulnerabilities (highest severity is: 7.5) [alpha] (unreachable)

[renovate]

📂 Vulnerable Library - draft-js-0.10.5.tgz

A React framework for building text editors.

Path to dependency file: /api/package.json

Findings

Finding	Severity	🎯 CVSS	Exploit Maturity	EPSS	Library	Type	Fixed in	Remediation Available	Reachability
CVE-2020-7733	🔴 High	7.5	Not Defined	1.2%	ua-parser-js-0.7.19.tgz	Transitive	N/A	❌	Unreachable
CVE-2020-7793	🔴 High	7.5	Proof of concept	2.6000001%	ua-parser-js-0.7.19.tgz	Transitive	N/A	❌	Unreachable
CVE-2021-27292	🔴 High	7.5	Not Defined	< 1%	ua-parser-js-0.7.19.tgz	Transitive	N/A	❌	Unreachable
CVE-2026-29063	🔴 High	7.5	Not Defined	< 1%	immutable-3.7.6.tgz	Transitive	N/A	❌	Unreachable
CVE-2022-25927	🟠 Medium	5.3	Proof of concept	1.5%	ua-parser-js-0.7.19.tgz	Transitive	N/A	❌	Unreachable

Details

🔴CVE-2020-7733

Vulnerable Library - ua-parser-js-0.7.19.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.19.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

• draft-js-0.10.4.tgz (Root Library)

  • fbjs-0.8.16.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• react-dom-15.6.2.tgz (Root Library)

  • fbjs-0.8.17.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• react-popper-1.3.3.tgz (Root Library)

  • create-react-context-0.2.2.tgz
    • fbjs-0.8.16.tgz
      • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• recompose-0.23.5.tgz (Root Library)

  • fbjs-0.8.17.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• slate-markdown-0.1.1.tgz (Root Library)

  • react-15.6.2.tgz
    • fbjs-0.8.16.tgz
      • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• recompose-0.27.1.tgz (Root Library)

  • fbjs-0.8.16.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• draft-js-0.10.5.tgz (Root Library)

  • fbjs-0.8.17.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

---

Reachability Analysis

The vulnerable code is unreachable

---

Vulnerability Details

The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

Publish Date: Sep 16, 2020 02:10 PM

URL: CVE-2020-7733

Threat Assessment

Exploit Maturity:Not Defined

EPSS:1.2%

Score: 7.5

---

Suggested Fix

Type: Upgrade version

Origin: faisalman/ua-parser-js@233d3ba

Release Date: Sep 16, 2020 02:10 PM

Fix Resolution : ua-parser-js - 0.7.22

🔴CVE-2020-7793

Vulnerable Library - ua-parser-js-0.7.19.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.19.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

• draft-js-0.10.4.tgz (Root Library)

  • fbjs-0.8.16.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• react-dom-15.6.2.tgz (Root Library)

  • fbjs-0.8.17.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• react-popper-1.3.3.tgz (Root Library)

  • create-react-context-0.2.2.tgz
    • fbjs-0.8.16.tgz
      • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• recompose-0.23.5.tgz (Root Library)

  • fbjs-0.8.17.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• slate-markdown-0.1.1.tgz (Root Library)

  • react-15.6.2.tgz
    • fbjs-0.8.16.tgz
      • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• recompose-0.27.1.tgz (Root Library)

  • fbjs-0.8.16.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• draft-js-0.10.5.tgz (Root Library)

  • fbjs-0.8.17.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

---

Reachability Analysis

The vulnerable code is unreachable

---

Vulnerability Details

The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

Publish Date: Dec 11, 2020 01:25 PM

URL: CVE-2020-7793

Threat Assessment

Exploit Maturity:Proof of concept

EPSS:2.6000001%

Score: 7.5

---

Suggested Fix

Type: Upgrade version

Origin: faisalman/ua-parser-js@6d1f26d

Release Date: Dec 11, 2020 01:25 PM

Fix Resolution : 0.7.23

🔴CVE-2021-27292

Vulnerable Library - ua-parser-js-0.7.19.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.19.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

• draft-js-0.10.4.tgz (Root Library)

  • fbjs-0.8.16.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• react-dom-15.6.2.tgz (Root Library)

  • fbjs-0.8.17.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• react-popper-1.3.3.tgz (Root Library)

  • create-react-context-0.2.2.tgz
    • fbjs-0.8.16.tgz
      • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• recompose-0.23.5.tgz (Root Library)

  • fbjs-0.8.17.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• slate-markdown-0.1.1.tgz (Root Library)

  • react-15.6.2.tgz
    • fbjs-0.8.16.tgz
      • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• recompose-0.27.1.tgz (Root Library)

  • fbjs-0.8.16.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• draft-js-0.10.5.tgz (Root Library)

  • fbjs-0.8.17.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

---

Reachability Analysis

The vulnerable code is unreachable

---

Vulnerability Details

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

Publish Date: Mar 17, 2021 12:34 PM

URL: CVE-2021-27292

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.5

---

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27292

Release Date: Mar 17, 2021 12:34 PM

Fix Resolution : ua-parser-js - 0.7.24

🔴CVE-2026-29063

Vulnerable Library - immutable-3.7.6.tgz

Immutable Data Collections

Library home page: https://registry.npmjs.org/immutable/-/immutable-3.7.6.tgz

Path to dependency file: /api/package.json

Dependency Hierarchy:

• draft-js-markdown-plugin-1.4.4.tgz (Root Library)

  • ❌ immutable-3.7.6.tgz (Vulnerable Library)

• draft-js-drag-n-drop-plugin-2.0.0-rc9.tgz (Root Library)

  • ❌ immutable-3.7.6.tgz (Vulnerable Library)

• draft-js-linkify-plugin-2.0.1.tgz (Root Library)

  • ❌ immutable-3.7.6.tgz (Vulnerable Library)

• draft-js-code-editor-plugin-0.2.1.tgz (Root Library)

  • draft-js-0.10.5.tgz
    • ❌ immutable-3.7.6.tgz (Vulnerable Library)

• draft-js-plugins-editor-2.1.1.tgz (Root Library)

  • ❌ immutable-3.7.6.tgz (Vulnerable Library)

• draft-js-focus-plugin-2.0.0-rc2.tgz (Root Library)

  • ❌ immutable-3.7.6.tgz (Vulnerable Library)

• draft-js-image-plugin-2.0.0-rc8.tgz (Root Library)

  • ❌ immutable-3.7.6.tgz (Vulnerable Library)

• draft-js-0.10.5.tgz (Root Library)

  • ❌ immutable-3.7.6.tgz (Vulnerable Library)

---

Reachability Analysis

The vulnerable code is unreachable

---

Vulnerability Details

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

Publish Date: Mar 06, 2026 06:25 PM

URL: CVE-2026-29063

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.5

---

Suggested Fix

Type: Upgrade version

Origin: GHSA-wf6x-7x77-mvgw

Release Date: Mar 06, 2026 06:25 PM

Fix Resolution : https://github.com/immutable-js/immutable-js.git - v3.8.3,https://github.com/immutable-js/immutable-js.git - v4.3.7,https://github.com/immutable-js/immutable-js.git - v5.1.5

🟠CVE-2022-25927

Vulnerable Library - ua-parser-js-0.7.19.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.19.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

• draft-js-0.10.4.tgz (Root Library)

  • fbjs-0.8.16.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• react-dom-15.6.2.tgz (Root Library)

  • fbjs-0.8.17.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• react-popper-1.3.3.tgz (Root Library)

  • create-react-context-0.2.2.tgz
    • fbjs-0.8.16.tgz
      • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• recompose-0.23.5.tgz (Root Library)

  • fbjs-0.8.17.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• slate-markdown-0.1.1.tgz (Root Library)

  • react-15.6.2.tgz
    • fbjs-0.8.16.tgz
      • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• recompose-0.27.1.tgz (Root Library)

  • fbjs-0.8.16.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

• draft-js-0.10.5.tgz (Root Library)

  • fbjs-0.8.17.tgz
    • ❌ ua-parser-js-0.7.19.tgz (Vulnerable Library)

---

Reachability Analysis

The vulnerable code is unreachable

---

Vulnerability Details

Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function.

Publish Date: Jan 25, 2023 05:00 AM

URL: CVE-2022-25927

Threat Assessment

Exploit Maturity:Proof of concept

EPSS:1.5%

Score: 5.3

---

Suggested Fix

Type: Upgrade version

Origin: faisalman/ua-parser-js@a6140a1

Release Date: Jan 25, 2023 05:00 AM

Fix Resolution : ua-parser-js - 0.7.33,1.0.33,UAParser.js - 0.7.33,UAParser.js - 1.0.33