synthetix-js-2.66.2.tgz: 21 vulnerabilities (highest severity is: 9.8) #5
Description
Vulnerable Library - synthetix-js-2.66.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (synthetix-js version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2021-44906 | Critical | 9.8 | minimist-1.2.5.tgz | Transitive | 2.68.2 | ✅ |
CVE-2023-45133 | High | 8.8 | detected in multiple dependencies | Transitive | 2.68.2 | ✅ |
CVE-2022-46175 | High | 8.8 | json5-0.5.1.tgz | Transitive | N/A* | ❌ |
CVE-2021-43138 | High | 7.8 | async-2.6.3.tgz | Transitive | 2.68.2 | ✅ |
CVE-2020-13822 | High | 7.7 | elliptic-6.5.2.tgz | Transitive | N/A* | ❌ |
CVE-2022-38900 | High | 7.5 | decode-uri-component-0.2.0.tgz | Transitive | 2.68.2 | ✅ |
CVE-2022-25901 | High | 7.5 | cookiejar-2.1.2.tgz | Transitive | 2.68.2 | ✅ |
CVE-2022-25883 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2021-3807 | High | 7.5 | detected in multiple dependencies | Transitive | 2.68.2 | ✅ |
CVE-2020-8203 | High | 7.4 | lodash-4.17.15.tgz | Transitive | N/A* | ❌ |
CVE-2021-23337 | High | 7.2 | lodash-4.17.15.tgz | Transitive | N/A* | ❌ |
CVE-2020-28498 | Medium | 6.8 | elliptic-6.5.2.tgz | Transitive | N/A* | ❌ |
CVE-2023-45857 | Medium | 6.5 | axios-0.18.1.tgz | Transitive | N/A* | ❌ |
CVE-2022-1365 | Medium | 6.5 | cross-fetch-2.2.3.tgz | Transitive | 2.68.2 | ✅ |
CVE-2023-28155 | Medium | 6.1 | request-2.88.2.tgz | Transitive | N/A* | ❌ |
CVE-2022-0235 | Medium | 6.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
WS-2019-0424 | Medium | 5.9 | elliptic-6.5.2.tgz | Transitive | N/A* | ❌ |
CVE-2020-28168 | Medium | 5.9 | axios-0.18.1.tgz | Transitive | N/A* | ❌ |
CVE-2021-32640 | Medium | 5.3 | ws-7.3.0.tgz | Transitive | 2.68.2 | ✅ |
CVE-2020-28500 | Medium | 5.3 | lodash-4.17.15.tgz | Transitive | N/A* | ❌ |
CVE-2020-15168 | Medium | 5.3 | detected in multiple dependencies | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2021-44906
Vulnerable Library - minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-2.0.0-beta.59.tgz
    - web3-provider-engine-1.1.2.tgz
      - eth-json-rpc-infura-3.2.1.tgz
        - eth-json-rpc-middleware-1.6.0.tgz
          - tape-4.13.3.tgz
            - ❌ minimist-1.2.5.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (synthetix-js): 2.68.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-45133
Vulnerable Libraries - traverse-7.14.5.tgz, babel-traverse-6.26.0.tgz
traverse-7.14.5.tgz
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.14.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-provider-1.4.1.tgz
    - web3-provider-engine-16.0.1.tgz
      - eth-block-tracker-4.4.3.tgz
        - plugin-transform-runtime-7.14.5.tgz
          - babel-plugin-polyfill-corejs3-0.2.2.tgz
            - helper-define-polyfill-provider-0.2.3.tgz
              - ❌ traverse-7.14.5.tgz (Vulnerable Library)
babel-traverse-6.26.0.tgz
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/babel-traverse/-/babel-traverse-6.26.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-2.0.0-beta.59.tgz
    - web3-provider-engine-1.1.2.tgz
      - eth-json-rpc-infura-3.2.1.tgz
        - json-rpc-engine-3.8.0.tgz
          - babel-preset-env-1.7.0.tgz
            - babel-plugin-transform-es2015-block-scoping-6.26.0.tgz
              - ❌ babel-traverse-6.26.0.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
Babel is a compiler for writing JavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/traverse@7.23.2 and @babel/traverse@8.0.0-alpha.4. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.
Publish Date: 2023-10-12
URL: CVE-2023-45133
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: 2023-10-12
Fix Resolution (@babel/traverse): 7.23.2
Direct dependency fix Resolution (synthetix-js): 2.68.2
Fix Resolution (babel-traverse): 7.23.2
Direct dependency fix Resolution (synthetix-js): 2.68.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-46175
Vulnerable Library - json5-0.5.1.tgz
JSON for the ES5 era.
Library home page: https://registry.npmjs.org/json5/-/json5-0.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-2.0.0-beta.59.tgz
    - web3-provider-engine-1.1.2.tgz
      - eth-json-rpc-infura-3.2.1.tgz
        - json-rpc-engine-3.8.0.tgz
          - babelify-7.3.0.tgz
            - babel-core-6.26.3.tgz
              - ❌ json5-0.5.1.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution: json5 - 2.2.2
CVE-2021-43138
Vulnerable Library - async-2.6.3.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-provider-1.4.1.tgz
    - web3-provider-engine-16.0.1.tgz
      - ❌ async-2.6.3.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (synthetix-js): 2.68.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-13822
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - ethers-4.0.44.tgz
    - ❌ elliptic-6.5.2.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution: v6.5.3
CVE-2022-38900
Vulnerable Library - decode-uri-component-0.2.0.tgz
A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-provider-1.4.1.tgz
    - utils-1.4.1.tgz
      - query-string-6.13.5.tgz
        - ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (synthetix-js): 2.68.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-25901
Vulnerable Library - cookiejar-2.1.2.tgz
simple persistent cookiejar system
Library home page: https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-provider-1.4.1.tgz
    - http-connection-1.4.1.tgz
      - xhr2-cookies-1.1.0.tgz
        - ❌ cookiejar-2.1.2.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.
Publish Date: 2023-01-18
URL: CVE-2022-25901
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2023-01-18
Fix Resolution (cookiejar): 2.1.4
Direct dependency fix Resolution (synthetix-js): 2.68.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-25883
Vulnerable Libraries - semver-5.4.1.tgz, semver-6.3.0.tgz, semver-7.0.0.tgz, semver-5.7.1.tgz
semver-5.4.1.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-provider-1.4.1.tgz
    - web3-provider-engine-16.0.1.tgz
      - ethereumjs-block-1.7.1.tgz
        - merkle-patricia-tree-2.3.2.tgz
          - levelup-1.3.9.tgz
            - ❌ semver-5.4.1.tgz (Vulnerable Library)
semver-6.3.0.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-provider-1.4.1.tgz
    - web3-provider-engine-16.0.1.tgz
      - eth-block-tracker-4.4.3.tgz
        - plugin-transform-runtime-7.14.5.tgz
          - babel-plugin-polyfill-corejs2-0.2.2.tgz
            - ❌ semver-6.3.0.tgz (Vulnerable Library)
semver-7.0.0.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-provider-1.4.1.tgz
    - web3-provider-engine-16.0.1.tgz
      - eth-block-tracker-4.4.3.tgz
        - plugin-transform-runtime-7.14.5.tgz
          - babel-plugin-polyfill-corejs3-0.2.2.tgz
            - core-js-compat-3.14.0.tgz
              - ❌ semver-7.0.0.tgz (Vulnerable Library)
semver-5.7.1.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-2.0.0-beta.59.tgz
    - web3-provider-engine-1.1.2.tgz
      - eth-json-rpc-infura-3.2.1.tgz
        - json-rpc-engine-3.8.0.tgz
          - babel-preset-env-1.7.0.tgz
            - ❌ semver-5.7.1.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2
CVE-2021-3807
Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz
ansi-regex-4.1.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - synthetix-2.66.2.tgz
    - inquirer-6.5.2.tgz
      - strip-ansi-5.2.0.tgz
        - ❌ ansi-regex-4.1.0.tgz (Vulnerable Library)
ansi-regex-3.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - synthetix-2.66.2.tgz
    - inquirer-6.5.2.tgz
      - string-width-2.1.1.tgz
        - strip-ansi-4.0.0.tgz
          - ❌ ansi-regex-3.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 4.1.1
Direct dependency fix Resolution (synthetix-js): 2.68.2
Fix Resolution (ansi-regex): 4.1.1
Direct dependency fix Resolution (synthetix-js): 2.68.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-8203
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - ❌ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution: lodash - 4.17.19
CVE-2021-23337
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - ❌ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21, lodash-es - 4.17.21
CVE-2020-28498
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - ethers-4.0.44.tgz
    - ❌ elliptic-6.5.2.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
The package elliptic before 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution: elliptic - 6.5.4
CVE-2023-45857
Vulnerable Library - axios-0.18.1.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.18.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-2.0.0-beta.59.tgz
    - pocket-js-core-0.0.3.tgz
      - ❌ axios-0.18.1.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
Publish Date: 2023-11-08
URL: CVE-2023-45857
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2023-11-08
Fix Resolution: axios - 1.6.0
CVE-2022-1365
Vulnerable Library - cross-fetch-2.2.3.tgz
Universal WHATWG Fetch API for Node, Browsers and React Native
Library home page: https://registry.npmjs.org/cross-fetch/-/cross-fetch-2.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-2.0.0-beta.59.tgz
    - web3-provider-engine-1.1.2.tgz
      - eth-json-rpc-infura-3.2.1.tgz
        - ❌ cross-fetch-2.2.3.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5.
Publish Date: 2022-04-15
URL: CVE-2022-1365
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1365
Release Date: 2022-04-15
Fix Resolution (cross-fetch): 2.2.6
Direct dependency fix Resolution (synthetix-js): 2.68.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-28155
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-provider-1.4.1.tgz
    - web3-provider-engine-16.0.1.tgz
      - ❌ request-2.88.2.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: The request package is no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
CVE-2022-0235
Vulnerable Libraries - node-fetch-1.7.3.tgz, node-fetch-2.1.2.tgz
node-fetch-1.7.3.tgz
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-2.0.0-beta.59.tgz
    - web3-provider-engine-1.1.2.tgz
      - eth-json-rpc-infura-3.2.1.tgz
        - eth-json-rpc-middleware-1.6.0.tgz
          - fetch-ponyfill-4.1.0.tgz
            - ❌ node-fetch-1.7.3.tgz (Vulnerable Library)
node-fetch-2.1.2.tgz
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-provider-1.4.1.tgz
    - web3-provider-engine-16.0.1.tgz
      - cross-fetch-2.2.3.tgz
        - ❌ node-fetch-2.1.2.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution: node-fetch - 2.6.7,3.1.1
WS-2019-0424
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - ethers-4.0.44.tgz
    - ❌ elliptic-6.5.2.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
All versions of elliptic are vulnerable to Timing Attack through side-channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0424
Release Date: 2019-11-13
Fix Resolution: GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105;Romano.Vue - 1.0.1;org.webjars.npm:elliptic - 6.5.4,6.3.3;VueJS.NetCore - 1.1.1;elliptic - 6.5.3;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;CoreVueWebTest - 3.0.101;dotnetng.template - 1.0.0.4;Fable.Template.Elmish.React - 0.1.6
CVE-2020-28168
Vulnerable Library - axios-0.18.1.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.18.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-2.0.0-beta.59.tgz
    - pocket-js-core-0.0.3.tgz
      - ❌ axios-0.18.1.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Publish Date: 2020-11-06
URL: CVE-2020-28168
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-11-06
Fix Resolution: axios - 0.21.1
CVE-2021-32640
Vulnerable Library - ws-7.3.0.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-7.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-provider-1.4.1.tgz
    - client-1.4.1.tgz
      - core-1.4.1.tgz
        - socket-transport-1.4.1.tgz
          - ❌ ws-7.3.0.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the `--max-http-header-size=size` and/or the `maxHeaderSize` options.
Publish Date: 2021-05-25
URL: CVE-2021-32640
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-6fc8-4gx4-v693
Release Date: 2021-05-25
Fix Resolution (ws): 7.4.6
Direct dependency fix Resolution (synthetix-js): 2.68.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-28500
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - ❌ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
CVE-2020-15168
Vulnerable Libraries - node-fetch-1.7.3.tgz, node-fetch-2.1.2.tgz
node-fetch-1.7.3.tgz
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-2.0.0-beta.59.tgz
    - web3-provider-engine-1.1.2.tgz
      - eth-json-rpc-infura-3.2.1.tgz
        - eth-json-rpc-middleware-1.6.0.tgz
          - fetch-ponyfill-4.1.0.tgz
            - ❌ node-fetch-1.7.3.tgz (Vulnerable Library)
node-fetch-2.1.2.tgz
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- synthetix-js-2.66.2.tgz (Root Library)
  - web3-provider-1.4.1.tgz
    - web3-provider-engine-16.0.1.tgz
      - cross-fetch-2.2.3.tgz
        - ❌ node-fetch-2.1.2.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Publish Date: 2020-09-10
URL: CVE-2020-15168
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-w7rc-rwvf-8q5r
Release Date: 2020-09-17
Fix Resolution: 2.6.1,3.0.0-beta.9
⛑️ Automatic Remediation will be attempted for this issue.