
markdown-preview-https://www.atom.io/api/packages/markdown-preview/versions/0.160.2/tarball.tgz: 16 vulnerabilities (highest severity is: 9.8) #13

@dev-mend-for-github-com

Description

Vulnerable Library - markdown-preview-https://www.atom.io/api/packages/markdown-preview/versions/0.160.2/tarball.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (markdown-preview-https://www.atom.io/api/packages/markdown-preview/versions/0.160.2/tarball.tgz version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| GHSA-35jh-r3h4-6jhm | Critical | 9.8 | lodash-4.17.15.tgz | Transitive | N/A* | | |
| CVE-289561-266276 | Critical | 9.8 | inherits-2.0.4.tgz | Transitive | N/A* | | |
| CVE-2022-21681 | High | 7.5 | marked-0.6.3.tgz | Transitive | N/A* | | |
| CVE-2022-21680 | High | 7.5 | marked-0.6.3.tgz | Transitive | N/A* | | |
| CVE-2021-3803 | High | 7.5 | nth-check-1.0.2.tgz | Transitive | N/A* | | |
| CVE-2020-8203 | High | 7.4 | lodash-4.17.15.tgz | Transitive | N/A* | | |
| CVE-2021-23337 | High | 7.2 | lodash-4.17.15.tgz | Transitive | N/A* | | |
| WS-2023-0010 | Medium | 6.1 | dompurify-1.0.11.tgz | Transitive | N/A* | | |
| WS-2023-0007 | Medium | 6.1 | dompurify-1.0.11.tgz | Transitive | N/A* | | |
| CVE-2020-26870 | Medium | 6.1 | dompurify-1.0.11.tgz | Transitive | N/A* | | |
| CVE-2019-16728 | Medium | 6.1 | dompurify-1.0.11.tgz | Transitive | N/A* | | |
| WS-2020-0163 | Medium | 5.9 | marked-0.6.3.tgz | Transitive | N/A* | | |
| WS-2019-0209 | Medium | 5.5 | marked-0.6.3.tgz | Transitive | N/A* | | |
| GHSA-mjjq-c88q-qhr6 | Medium | 5.5 | dompurify-1.0.11.tgz | Transitive | N/A* | | |
| GHSA-ch52-vgq2-943f | Medium | 5.5 | marked-0.6.3.tgz | Transitive | N/A* | | |
| CVE-2020-28500 | Medium | 5.3 | lodash-4.17.15.tgz | Transitive | N/A* | | |

*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the "Details" section below for a version of the transitive dependency in which the vulnerability is fixed. In this report every row is N/A* because the direct dependency is the markdown-preview tarball pinned by URL; the transitive fixes listed under Details (lodash 4.17.21, marked 4.0.10, nth-check 2.0.1, dompurify 2.2.3) therefore have to be picked up by re-resolving or overriding that package's own dependencies rather than by bumping a version in /package.json.

**In some cases a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

GHSA-35jh-r3h4-6jhm

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in base branch: electron-upgrade

Vulnerability Details

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function (arbitrary JavaScript injected into the compiled template). This advisory covers the same issue as CVE-2021-23337 later in this report: both entries cite GHSA-35jh-r3h4-6jhm as their origin and the same fix (lodash 4.17.21), and the two rows differ only in the CVSS score the scanner recorded (9.8 here versus 7.2, with Privileges Required: High, below).

Publish Date: 2025-04-23

URL: GHSA-35jh-r3h4-6jhm

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2025-04-23

Fix Resolution: lodash - 4.17.21,lodash-es - 4.17.21

CVE-289561-266276

Vulnerable Library - inherits-2.0.4.tgz

Browser-friendly inheritance fully compatible with standard node.js inherits()

Library home page: https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz

Path to dependency file: /packages/dev-live-reload/package.json

Path to vulnerable library: /packages/dev-live-reload/node_modules/inherits/package.json,/package.json,/packages/exception-reporting/node_modules/inherits/package.json,/apm/package.json,/packages/deprecation-cop/node_modules/inherits/package.json,/packages/git-diff/node_modules/inherits/package.json,/script/update-server/package.json,/script/package.json

Dependency Hierarchy:

Found in base branch: electron-upgrade

Vulnerability Details

Created automatically by the test suite. Treat this entry as a scanner test record rather than a confirmed finding: the identifier does not follow the CVE-YYYY-NNNN format, no flaw in inherits is described, and no fix is listed despite the 9.8 score. Confirm it against the NVD or the GitHub Advisory Database before acting on it.

Publish Date: 2010-06-07

URL: CVE-289561-266276

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


CVE-2022-21681

Vulnerable Library - marked-0.6.3.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.6.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/script/package.json

Dependency Hierarchy:

Found in base branch: electron-upgrade

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression "inline.reflinkSearch" may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21681

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-5v2h-r2cx-5xgj

Release Date: 2022-01-14

Fix Resolution: marked - 4.0.10

CVE-2022-21680

Vulnerable Library - marked-0.6.3.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.6.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/script/package.json

Dependency Hierarchy:

Found in base branch: electron-upgrade

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression "block.def" may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21680

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-rrrm-qjm4-v8hf

Release Date: 2022-01-14

Fix Resolution: marked - 4.0.10

CVE-2021-3803

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/script/package.json

Dependency Hierarchy:

Found in base branch: electron-upgrade

Vulnerability Details

nth-check before 2.0.1 is vulnerable to Inefficient Regular Expression Complexity (ReDoS) in the regular expression it uses to parse nth-child-style selector formulas; a crafted formula string can keep the parser busy for a very long time.

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-rp65-9cf3-cjxr

Release Date: 2021-09-17

Fix Resolution: nth-check - 2.0.1

CVE-2020-8203

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in base branch: electron-upgrade

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20: the key paths passed to _.zipObjectDeep are written without checking for "__proto__", so a path such as "__proto__.polluted" sets a property on Object.prototype.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-p6mc-m468-83gw

Release Date: 2020-07-15

Fix Resolution: lodash - 4.17.19,lodash-es - 4.17.20

CVE-2021-23337

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in base branch: electron-upgrade

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21,lodash-es - 4.17.21

WS-2023-0010

Vulnerable Library - dompurify-1.0.11.tgz

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin

Library home page: https://registry.npmjs.org/dompurify/-/dompurify-1.0.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in base branch: electron-upgrade

Vulnerability Details

DOMPurify prior to version 2.2.2 is vulnerable to cross-site scripting when content is converted from the SVG namespace.

Publish Date: 2024-10-29

URL: WS-2023-0010

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-pgjv-jrg2-gq3v

Release Date: 2024-11-03

Fix Resolution: dompurify - 2.2.2

WS-2023-0007

Vulnerable Library - dompurify-1.0.11.tgz

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin

Library home page: https://registry.npmjs.org/dompurify/-/dompurify-1.0.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in base branch: electron-upgrade

Vulnerability Details

dompurify prior to version 2.2.3 is vulnerable to a cross-site scripting problem caused by nested headlines.

Publish Date: 2024-10-29

URL: WS-2023-0007

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-h6p3-p4vx-wr8q

Release Date: 2024-11-03

Fix Resolution: dompurify - 2.2.3

CVE-2020-26870

Vulnerable Library - dompurify-1.0.11.tgz

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin

Library home page: https://registry.npmjs.org/dompurify/-/dompurify-1.0.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in base branch: electron-upgrade

Vulnerability Details

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.

Publish Date: 2020-10-07

URL: CVE-2020-26870

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-63q7-h895-m982

Release Date: 2020-10-07

Fix Resolution: dompurify - 2.0.17

CVE-2019-16728

Vulnerable Library - dompurify-1.0.11.tgz

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin

Library home page: https://registry.npmjs.org/dompurify/-/dompurify-1.0.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in base branch: electron-upgrade

Vulnerability Details

DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari.

Publish Date: 2019-09-24

URL: CVE-2019-16728

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-chqj-j4fh-rw7m

Release Date: 2019-09-24

Fix Resolution: dompurify - 2.0.3

WS-2020-0163

Vulnerable Library - marked-0.6.3.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.6.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/script/package.json

Dependency Hierarchy:

Found in base branch: electron-upgrade

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (ReDoS): rules.js has multiple unused capture groups that can lead to a denial of service.

Publish Date: 2020-07-02

URL: WS-2020-0163

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution: marked - 1.1.1

WS-2019-0209

Vulnerable Library - marked-0.6.3.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.6.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/script/package.json

Dependency Hierarchy:

Found in base branch: electron-upgrade

Vulnerability Details

marked before 0.7.0 is vulnerable to a ReDoS attack via the _label subrule, which may significantly degrade parsing performance on malformed input.

Publish Date: 2019-07-04

URL: WS-2019-0209

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1076

Release Date: 2019-07-04

Fix Resolution: marked - 0.7.0

GHSA-mjjq-c88q-qhr6

Vulnerable Library - dompurify-1.0.11.tgz

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin

Library home page: https://registry.npmjs.org/dompurify/-/dompurify-1.0.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in base branch: electron-upgrade

Vulnerability Details

Versions of "dompurify" prior to 2.0.7 are vulnerable to Cross-Site Scripting (XSS). It is possible to bypass the package's sanitization through mutation XSS (mXSS), which may allow an attacker to execute arbitrary JavaScript in a victim's browser. Recommendation: upgrade to version 2.0.7 or later.

Publish Date: 2025-07-14

URL: GHSA-mjjq-c88q-qhr6

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-mjjq-c88q-qhr6

Release Date: 2025-06-11

Fix Resolution: dompurify - 2.0.7

GHSA-ch52-vgq2-943f

Vulnerable Library - marked-0.6.3.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.6.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/script/package.json

Dependency Hierarchy:

Found in base branch: electron-upgrade

Vulnerability Details

Affected versions of "marked" are vulnerable to Regular Expression Denial of Service (ReDoS). The "_label" subrule may significantly degrade parsing performance on malformed input. Recommendation: upgrade to version 0.7.0 or later.

Publish Date: 2025-07-14

URL: GHSA-ch52-vgq2-943f

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-ch52-vgq2-943f

Release Date: 2025-06-11

Fix Resolution: marked - 0.7.0

CVE-2020-28500

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in base branch: electron-upgrade

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-29mw-wpgm-hmr9

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21,lodash-es - 4.17.21
