Skip to content

log4brains-1.0.1.tgz: 41 vulnerabilities (highest severity is: 10.0) #117

New issue
New issue
Open
Open
log4brains-1.0.1.tgz: 41 vulnerabilities (highest severity is: 10.0)#117
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Nov 7, 2024
Vulnerable Library - log4brains-1.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (log4brains version) Remediation Possible**
CVE-2025-6545 Critical 10.0 pbkdf2-3.1.2.tgz Transitive 1.1.0
CVE-2022-37601 Critical 9.8 loader-utils-1.2.3.tgz Transitive N/A*
CVE-2021-42740 Critical 9.8 shell-quote-1.7.2.tgz Transitive N/A*
CVE-2022-3224 Critical 9.4 parse-url-6.0.5.tgz Transitive N/A*
CVE-2022-2900 Critical 9.1 parse-url-6.0.5.tgz Transitive N/A*
CVE-2022-0235 High 8.8 node-fetch-2.6.1.tgz Transitive N/A*
CVE-2025-9288 High 8.7 sha.js-2.4.11.tgz Transitive 1.1.0
CVE-2022-25912 High 8.1 simple-git-2.48.0.tgz Transitive N/A*
CVE-2022-25860 High 8.1 simple-git-2.48.0.tgz Transitive N/A*
CVE-2022-24433 High 8.1 simple-git-2.48.0.tgz Transitive N/A*
CVE-2022-24066 High 8.1 simple-git-2.48.0.tgz Transitive N/A*
WS-2022-0238 High 7.5 parse-url-6.0.5.tgz Transitive N/A*
WS-2022-0237 High 7.5 parse-url-6.0.5.tgz Transitive N/A*
CVE-2026-33151 High 7.5 detected in multiple dependencies Transitive N/A*
CVE-2025-25975 High 7.5 parse-git-config-3.0.0.tgz Transitive N/A*
CVE-2024-51479 High 7.5 next-10.2.3.tgz Transitive N/A*
CVE-2023-46298 High 7.5 next-10.2.3.tgz Transitive N/A*
CVE-2022-37603 High 7.5 loader-utils-1.2.3.tgz Transitive N/A*
CVE-2022-37599 High 7.5 loader-utils-1.2.3.tgz Transitive N/A*
CVE-2021-43803 High 7.5 next-10.2.3.tgz Transitive N/A*
CVE-2021-39178 High 7.5 next-10.2.3.tgz Transitive N/A*
CVE-2021-3803 High 7.5 nth-check-1.0.2.tgz Transitive N/A*
CVE-2021-37699 Medium 6.9 next-10.2.3.tgz Transitive N/A*
CVE-2025-6547 Medium 6.8 pbkdf2-3.1.2.tgz Transitive 1.1.0
CVE-2026-29057 Medium 6.5 next-10.2.3.tgz Transitive N/A*
CVE-2025-57822 Medium 6.5 next-10.2.3.tgz Transitive N/A*
CVE-2022-0624 Medium 6.5 parse-path-4.0.4.tgz Transitive N/A*
CVE-2025-57752 Medium 6.2 next-10.2.3.tgz Transitive N/A*
CVE-2025-27789 Medium 6.2 runtime-7.12.5.tgz Transitive N/A*
WS-2022-0239 Medium 6.1 parse-url-6.0.5.tgz Transitive N/A*
CVE-2025-59471 Medium 5.9 next-10.2.3.tgz Transitive N/A*
CVE-2024-47831 Medium 5.9 next-10.2.3.tgz Transitive N/A*
CVE-2022-23646 Medium 5.9 next-10.2.3.tgz Transitive N/A*
CVE-2025-14505 Medium 5.6 elliptic-6.6.1.tgz Transitive N/A*
CVE-2026-27980 Medium 5.3 next-10.2.3.tgz Transitive N/A*
CVE-2026-2739 Medium 5.3 detected in multiple dependencies Transitive N/A*
CVE-2024-47764 Medium 5.3 cookie-0.4.2.tgz Transitive N/A*
CVE-2022-21670 Medium 5.3 markdown-it-11.0.1.tgz Transitive 1.1.0
CVE-2017-16137 Medium 5.3 debug-4.1.1.tgz Transitive N/A*
CVE-2025-55173 Medium 4.3 next-10.2.3.tgz Transitive N/A*
CVE-2025-32421 Low 3.7 next-10.2.3.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (23 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2025-6545

Vulnerable Library - pbkdf2-3.1.2.tgz

This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()

Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • web-1.0.1.tgz
      • next-10.2.3.tgz
        • crypto-browserify-3.12.0.tgz
          • pbkdf2-3.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js.
This issue affects pbkdf2: from 3.0.10 through 3.1.2.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-06-23

URL: CVE-2025-6545

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h7cp-r72f-jxh6

Release Date: 2025-06-23

Fix Resolution (pbkdf2): 3.1.3

Direct dependency fix Resolution (log4brains): 1.1.0

Step up your Open Source Security Game with Mend here

CVE-2022-37601

Vulnerable Library - loader-utils-1.2.3.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • web-1.0.1.tgz
      • next-10.2.3.tgz
        • styled-jsx-3.3.2.tgz
          • loader-utils-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution: loader-utils - 1.4.1,2.0.3

Step up your Open Source Security Game with Mend here

CVE-2021-42740

Vulnerable Library - shell-quote-1.7.2.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • web-1.0.1.tgz
      • next-10.2.3.tgz
        • react-dev-overlay-10.2.3.tgz
          • shell-quote-1.7.2.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution: shell-quote - 1.7.3

Step up your Open Source Security Game with Mend here

CVE-2022-3224

Vulnerable Library - parse-url-6.0.5.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • cli-1.0.0.tgz
      • core-1.0.0.tgz
        • git-url-parse-11.6.0.tgz
          • git-up-4.0.5.tgz
            • parse-url-6.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

Misinterpretation of Input in GitHub repository ionicabizau/parse-url prior to 8.1.0.

Publish Date: 2022-09-15

URL: CVE-2022-3224

CVSS 3 Score Details (9.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pqw5-jmp5-px4v

Release Date: 2022-09-15

Fix Resolution: parse-url - 8.1.0

Step up your Open Source Security Game with Mend here

CVE-2022-2900

Vulnerable Library - parse-url-6.0.5.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • cli-1.0.0.tgz
      • core-1.0.0.tgz
        • git-url-parse-11.6.0.tgz
          • git-up-4.0.5.tgz
            • parse-url-6.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.

Publish Date: 2022-09-14

URL: CVE-2022-2900

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-j9fq-vwqv-2fm2

Release Date: 2022-09-14

Fix Resolution: parse-url - 8.1.0

Step up your Open Source Security Game with Mend here

CVE-2022-0235

Vulnerable Library - node-fetch-2.6.1.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • web-1.0.1.tgz
      • next-10.2.3.tgz
        • node-fetch-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

Step up your Open Source Security Game with Mend here

CVE-2025-9288

Vulnerable Library - sha.js-2.4.11.tgz

Streamable SHA hashes in pure javascript

Library home page: https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • web-1.0.1.tgz
      • next-10.2.3.tgz
        • crypto-browserify-3.12.0.tgz
          • pbkdf2-3.1.2.tgz
            • sha.js-2.4.11.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in sha.js allows Input Data Manipulation.This issue affects sha.js: through 2.4.11.

Publish Date: 2025-08-20

URL: CVE-2025-9288

CVSS 3 Score Details (8.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-08-20

Fix Resolution (sha.js): 2.4.12

Direct dependency fix Resolution (log4brains): 1.1.0

Step up your Open Source Security Game with Mend here

CVE-2022-25912

Vulnerable Library - simple-git-2.48.0.tgz

Simple GIT interface for node.js

Library home page: https://registry.npmjs.org/simple-git/-/simple-git-2.48.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • cli-1.0.0.tgz
      • core-1.0.0.tgz
        • simple-git-2.48.0.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of "CVE-2022-24066" (https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2022-12-12

URL: CVE-2022-25912

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9p95-fxvg-qgq2

Release Date: 2022-12-12

Fix Resolution: simple-git - 3.15.0

Step up your Open Source Security Game with Mend here

CVE-2022-25860

Vulnerable Library - simple-git-2.48.0.tgz

Simple GIT interface for node.js

Library home page: https://registry.npmjs.org/simple-git/-/simple-git-2.48.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • cli-1.0.0.tgz
      • core-1.0.0.tgz
        • simple-git-2.48.0.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization.
This vulnerability exists due to an incomplete fix of "CVE-2022-25912" (https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2023-01-24

URL: CVE-2022-25860

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w5j-4mwv-2wj8

Release Date: 2023-01-24

Fix Resolution: simple-git - 3.16.0

Step up your Open Source Security Game with Mend here

CVE-2022-24433

Vulnerable Library - simple-git-2.48.0.tgz

Simple GIT interface for node.js

Library home page: https://registry.npmjs.org/simple-git/-/simple-git-2.48.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • cli-1.0.0.tgz
      • core-1.0.0.tgz
        • simple-git-2.48.0.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.

Publish Date: 2022-03-11

URL: CVE-2022-24433

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3f95-r44v-8mrg

Release Date: 2022-03-11

Fix Resolution: simple-git - 3.3.0

Step up your Open Source Security Game with Mend here

CVE-2022-24066

Vulnerable Library - simple-git-2.48.0.tgz

Simple GIT interface for node.js

Library home page: https://registry.npmjs.org/simple-git/-/simple-git-2.48.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • cli-1.0.0.tgz
      • core-1.0.0.tgz
        • simple-git-2.48.0.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2022-04-01

URL: CVE-2022-24066

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-28xr-mwxg-3qc8

Release Date: 2022-04-01

Fix Resolution: simple-git - 3.5.0

Step up your Open Source Security Game with Mend here

WS-2022-0238

Vulnerable Library - parse-url-6.0.5.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • cli-1.0.0.tgz
      • core-1.0.0.tgz
        • git-url-parse-11.6.0.tgz
          • git-up-4.0.5.tgz
            • parse-url-6.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

File Protocol Spoofing in parse-url before 8.0.0 can lead to attacks, such as XSS, Arbitrary Read/Write File, and Remote Code Execution.

Publish Date: 2022-06-30

URL: WS-2022-0238

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

WS-2022-0237

Vulnerable Library - parse-url-6.0.5.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • cli-1.0.0.tgz
      • core-1.0.0.tgz
        • git-url-parse-11.6.0.tgz
          • git-up-4.0.5.tgz
            • parse-url-6.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

Regular Expression Denial of Service (ReDoS) in ionicabizau/parse-url before 8.0.0.
It allows cause a denial of service when calling function parse-url

Publish Date: 2022-07-04

URL: WS-2022-0237

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2026-33151

Vulnerable Libraries - socket.io-parser-3.4.3.tgz, socket.io-parser-3.3.4.tgz

socket.io-parser-3.4.3.tgz

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.4.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • web-1.0.1.tgz
      • socket.io-2.5.1.tgz
        • socket.io-parser-3.4.3.tgz (Vulnerable Library)

socket.io-parser-3.3.4.tgz

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.3.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • web-1.0.1.tgz
      • socket.io-client-2.5.0.tgz
        • socket.io-parser-3.3.4.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.

Publish Date: 2026-03-20

URL: CVE-2026-33151

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-677m-j7p3-52f9

Release Date: 2026-03-18

Fix Resolution: socket.io-parser - 3.4.4,socket.io-parser - 4.2.6,socket.io-parser - 3.3.5

Step up your Open Source Security Game with Mend here

CVE-2025-25975

Vulnerable Library - parse-git-config-3.0.0.tgz

Parse `.git/config` into a JavaScript object. sync or async.

Library home page: https://registry.npmjs.org/parse-git-config/-/parse-git-config-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • cli-1.0.0.tgz
      • core-1.0.0.tgz
        • parse-git-config-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

An issue in parse-git-config v.3.0.0 allows an attacker to obtain sensitive information via the expandKeys function

Publish Date: 2025-03-12

URL: CVE-2025-25975

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2024-51479

Vulnerable Library - next-10.2.3.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-10.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • web-1.0.1.tgz
      • next-10.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] "https://example.com/" * [Affected] "https://example.com/foo" * [Not affected] "https://example.com/foo/bar". This issue is patched in Next.js "14.2.15" and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability.

Publish Date: 2024-12-17

URL: CVE-2024-51479

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-7gfc-8cq8-jh5f

Release Date: 2024-12-17

Fix Resolution: next - 14.2.15

Step up your Open Source Security Game with Mend here

CVE-2023-46298

Vulnerable Library - next-10.2.3.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-10.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • web-1.0.1.tgz
      • next-10.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN.

Publish Date: 2023-10-22

URL: CVE-2023-46298

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c59h-r6p8-q9wc

Release Date: 2023-10-22

Fix Resolution: next - 13.4.20-canary.13

Step up your Open Source Security Game with Mend here

CVE-2022-37603

Vulnerable Library - loader-utils-1.2.3.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • web-1.0.1.tgz
      • next-10.2.3.tgz
        • styled-jsx-3.3.2.tgz
          • loader-utils-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.

Publish Date: 2022-10-14

URL: CVE-2022-37603

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3rfm-jhwj-7488

Release Date: 2022-10-14

Fix Resolution: loader-utils - 1.4.2,2.0.4,3.2.1

Step up your Open Source Security Game with Mend here

CVE-2022-37599

Vulnerable Library - loader-utils-1.2.3.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • web-1.0.1.tgz
      • next-10.2.3.tgz
        • styled-jsx-3.3.2.tgz
          • loader-utils-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.

Publish Date: 2022-10-11

URL: CVE-2022-37599

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hhq3-ff78-jv3g

Release Date: 2022-10-11

Fix Resolution: loader-utils - 1.4.2,2.0.4,3.2.1

Step up your Open Source Security Game with Mend here

CVE-2021-43803

Vulnerable Library - next-10.2.3.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-10.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • web-1.0.1.tgz
      • next-10.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue.

Publish Date: 2021-12-09

URL: CVE-2021-43803

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-25mp-g6fv-mqxx

Release Date: 2021-12-09

Fix Resolution: next - 11.1.3,12.0.5

Step up your Open Source Security Game with Mend here

CVE-2021-39178

Vulnerable Library - next-10.2.3.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-10.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • web-1.0.1.tgz
      • next-10.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the "next.config.js" file must have "images.domains" array assigned and the image host assigned in "images.domains" must allow user-provided SVG. If the "next.config.js" file has "images.loader" assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1.

Publish Date: 2021-08-30

URL: CVE-2021-39178

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9gr3-7897-pp7m

Release Date: 2021-08-30

Fix Resolution: next - 11.1.1

Step up your Open Source Security Game with Mend here

CVE-2021-3803

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • cli-1.0.0.tgz
      • core-1.0.0.tgz
        • cheerio-1.0.0-rc.3.tgz
          • css-select-1.2.0.tgz
            • nth-check-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rp65-9cf3-cjxr

Release Date: 2021-09-17

Fix Resolution: nth-check - 2.0.1

Step up your Open Source Security Game with Mend here

CVE-2021-37699

Vulnerable Library - next-10.2.3.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-10.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • log4brains-1.0.1.tgz (Root Library)
    • web-1.0.1.tgz
      • next-10.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13

Found in base branch: main

Vulnerability Details

Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. The issue has been patched in release 11.1.0.

Publish Date: 2021-08-11

URL: CVE-2021-37699

CVSS 3 Score Details (6.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vxf5-wxwp-m7g9

Release Date: 2021-08-11

Fix Resolution: next - 11.1.0

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions