Description
Vulnerable Library - webpack-4.17.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Vulnerabilities
| CVE | Severity | Dependency | Type | Fixed in (webpack version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|
| CVE-2020-7660 | 8.1 | serialize-javascript-1.5.0.tgz | Transitive | 4.26.0 | ✅ | |
| WS-2020-0042 | 7.5 | acorn-5.7.1.tgz | Transitive | 4.17.2 | ✅ | |
| CVE-2021-27290 | 7.5 | ssri-5.3.0.tgz | Transitive | 4.26.0 | ✅ | |
| CVE-2019-20149 | 7.5 | kind-of-6.0.2.tgz | Transitive | 4.17.2 | ✅ | |
| CVE-2019-16769 | 4.2 | serialize-javascript-1.5.0.tgz | Transitive | 4.26.0 | ✅ | |
| CVE-2022-37601 | 9.8 | loader-utils-1.1.0.tgz | Transitive | 4.17.2 | ✅ | |
| CVE-2020-13822 | 7.7 | elliptic-6.4.1.tgz | Transitive | 4.17.2 | ✅ | |
| CVE-2024-4068 | 7.5 | braces-2.3.2.tgz | Transitive | N/A* | ❌ | |
| CVE-2022-37603 | 7.5 | loader-utils-1.1.0.tgz | Transitive | 4.17.2 | ✅ | |
| WS-2019-0424 | 5.9 | elliptic-6.4.1.tgz | Transitive | 4.17.2 | ✅ | |
| WS-2019-0427 | 5.0 | elliptic-6.4.1.tgz | Transitive | 4.17.2 | ✅ | |
*For some transitive vulnerabilities, there is no version of the direct dependency that includes a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2020-7660
Vulnerable Library - serialize-javascript-1.5.0.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/serialize-javascript/package.json
Dependency Hierarchy:
- webpack-4.17.1.tgz (Root Library)
  - uglifyjs-webpack-plugin-1.3.0.tgz
    - ❌ serialize-javascript-1.5.0.tgz (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
cezerin-0.33.0/webpack.config.admin.js (Application)
-> webpack-4.17.1/lib/webpack.js (Extension)
-> webpack-4.17.1/lib/WebpackOptionsDefaulter.js (Extension)
-> uglifyjs-webpack-plugin-1.3.0/dist/cjs.js (Extension)
-> uglifyjs-webpack-plugin-1.3.0/dist/index.js (Extension)
-> uglifyjs-webpack-plugin-1.3.0/dist/uglify/Runner.js (Extension)
-> ❌ serialize-javascript-1.5.0/index.js (Vulnerable Component)
Vulnerability Details
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-08
Fix Resolution (serialize-javascript): 3.1.0
Direct dependency fix Resolution (webpack): 4.26.0
⛑️ Automatic Remediation will be attempted for this issue.
WS-2020-0042
Vulnerable Library - acorn-5.7.1.tgz
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/acorn/package.json
Dependency Hierarchy:
- webpack-4.17.1.tgz (Root Library)
  - ❌ acorn-5.7.1.tgz (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
cezerin-0.33.0/webpack.config.admin.js (Application)
-> webpack-4.17.1/lib/webpack.js (Extension)
-> webpack-4.17.1/lib/optimize/ModuleConcatenationPlugin.js (Extension)
-> webpack-4.17.1/lib/optimize/ConcatenatedModule.js (Extension)
-> webpack-4.17.1/lib/Parser.js (Extension)
-> acorn-dynamic-import-3.0.0/lib/index.js (Extension)
-> ❌ acorn-5.7.1/dist/acorn.js (Vulnerable Component)
Vulnerability Details
acorn is vulnerable to regular expression denial of service (ReDoS). A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. Attackers may leverage the vulnerability to cause a Denial of Service. The string is not valid UTF-16, which usually results in it being sanitized before reaching the parser.
Publish Date: 2020-03-01
URL: WS-2020-0042
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6chw-6frg-f759
Release Date: 2020-03-01
Fix Resolution (acorn): 5.7.4
Direct dependency fix Resolution (webpack): 4.17.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-27290
Vulnerable Library - ssri-5.3.0.tgz
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-5.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ssri/package.json
Dependency Hierarchy:
- webpack-4.17.1.tgz (Root Library)
  - uglifyjs-webpack-plugin-1.3.0.tgz
    - cacache-10.0.4.tgz
      - ❌ ssri-5.3.0.tgz (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
cezerin-0.33.0/webpack.config.admin.js (Application)
-> webpack-4.17.1/lib/webpack.js (Extension)
-> webpack-4.17.1/lib/WebpackOptionsDefaulter.js (Extension)
-> cacache-10.0.4/index.js (Extension)
...
-> cacache-10.0.4/verify.js (Extension)
-> cacache-10.0.4/lib/verify.js (Extension)
-> ❌ ssri-5.3.0/index.js (Vulnerable Component)
Vulnerability Details
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Publish Date: 2021-03-12
URL: CVE-2021-27290
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290
Release Date: 2021-03-12
Fix Resolution (ssri): 6.0.2
Direct dependency fix Resolution (webpack): 4.26.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-20149
Vulnerable Library - kind-of-6.0.2.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/base/node_modules/kind-of/package.json,/node_modules/watchpack/node_modules/kind-of/package.json,/node_modules/clone-deep/node_modules/kind-of/package.json,/node_modules/webpack/node_modules/kind-of/package.json,/node_modules/define-property/node_modules/kind-of/package.json,/node_modules/lint-staged/node_modules/kind-of/package.json,/node_modules/snapdragon-node/node_modules/kind-of/package.json,/node_modules/randomatic/node_modules/kind-of/package.json,/node_modules/nanomatch/node_modules/kind-of/package.json
Dependency Hierarchy:
- webpack-4.17.1.tgz (Root Library)
  - micromatch-3.1.10.tgz
    - ❌ kind-of-6.0.2.tgz (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
kind-of-6.0.2/index.js (Application)
-> is-descriptor-1.0.2/index.js (Extension)
-> define-property-2.0.2/index.js (Extension)
-> micromatch-3.1.10/lib/utils.js (Extension)
...
-> webpack-4.17.1/lib/optimize/SideEffectsFlagPlugin.js (Extension)
-> webpack-4.17.1/lib/webpack.js (Extension)
-> ❌ cezerin-0.33.0/webpack.config.admin.js (Vulnerable Component)
Vulnerability Details
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149
Release Date: 2019-12-30
Fix Resolution (kind-of): 6.0.3
Direct dependency fix Resolution (webpack): 4.17.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-16769
Vulnerable Library - serialize-javascript-1.5.0.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/serialize-javascript/package.json
Dependency Hierarchy:
- webpack-4.17.1.tgz (Root Library)
  - uglifyjs-webpack-plugin-1.3.0.tgz
    - ❌ serialize-javascript-1.5.0.tgz (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
cezerin-0.33.0/webpack.config.admin.js (Application)
-> webpack-4.17.1/lib/webpack.js (Extension)
-> webpack-4.17.1/lib/WebpackOptionsDefaulter.js (Extension)
-> uglifyjs-webpack-plugin-1.3.0/dist/cjs.js (Extension)
-> uglifyjs-webpack-plugin-1.3.0/dist/index.js (Extension)
-> uglifyjs-webpack-plugin-1.3.0/dist/uglify/Runner.js (Extension)
-> ❌ serialize-javascript-1.5.0/index.js (Vulnerable Component)
Vulnerability Details
The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability does not affect Node.js environments, since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If the serialized data of regular expression objects is used in an environment other than Node.js, it is affected by this vulnerability.
Publish Date: 2019-12-05
URL: CVE-2019-16769
CVSS 3 Score Details (4.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769
Release Date: 2019-12-05
Fix Resolution (serialize-javascript): 2.1.1
Direct dependency fix Resolution (webpack): 4.26.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-37601
Vulnerable Library - loader-utils-1.1.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
- webpack-4.17.1.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (webpack): 4.17.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-13822
Vulnerable Library - elliptic-6.4.1.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
- webpack-4.17.1.tgz (Root Library)
  - node-libs-browser-2.1.0.tgz
    - crypto-browserify-3.12.0.tgz
      - create-ecdh-4.0.3.tgz
        - ❌ elliptic-6.4.1.tgz (Vulnerable Library)
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (webpack): 4.17.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-4068
Vulnerable Library - braces-2.3.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/webpack/node_modules/braces/package.json,/node_modules/lint-staged/node_modules/braces/package.json,/node_modules/watchpack/node_modules/braces/package.json
Dependency Hierarchy:
- webpack-4.17.1.tgz (Root Library)
  - micromatch-3.1.10.tgz
    - ❌ braces-2.3.2.tgz (Vulnerable Library)
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Publish Date: 2024-05-13
URL: CVE-2024-4068
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2024-05-13
Fix Resolution: braces - 3.0.3
CVE-2022-37603
Vulnerable Library - loader-utils-1.1.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
- webpack-4.17.1.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in the function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: 2022-10-14
URL: CVE-2022-37603
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: 2022-10-14
Fix Resolution (loader-utils): 1.4.2
Direct dependency fix Resolution (webpack): 4.17.2
⛑️ Automatic Remediation will be attempted for this issue.
WS-2019-0424
Vulnerable Library - elliptic-6.4.1.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
- webpack-4.17.1.tgz (Root Library)
  - node-libs-browser-2.1.0.tgz
    - crypto-browserify-3.12.0.tgz
      - create-ecdh-4.0.3.tgz
        - ❌ elliptic-6.4.1.tgz (Vulnerable Library)
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
All versions of elliptic are vulnerable to timing attacks through side channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Adjacent
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0424
Release Date: 2019-11-13
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (webpack): 4.17.2
⛑️ Automatic Remediation will be attempted for this issue.
WS-2019-0427
Vulnerable Library - elliptic-6.4.1.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
- webpack-4.17.1.tgz (Root Library)
  - node-libs-browser-2.1.0.tgz
    - crypto-browserify-3.12.0.tgz
      - create-ecdh-4.0.3.tgz
        - ❌ elliptic-6.4.1.tgz (Vulnerable Library)
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The function getNAF() in the elliptic library leaks information. This issue is mitigated in version 6.5.2.
Publish Date: 2019-11-22
URL: WS-2019-0427
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: N/A
  - Attack Complexity: N/A
  - Privileges Required: N/A
  - User Interaction: N/A
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A
Suggested Fix
Type: Upgrade version
Release Date: 2019-11-22
Fix Resolution (elliptic): 6.5.2
Direct dependency fix Resolution (webpack): 4.17.2
⛑️ Automatic Remediation will be attempted for this issue.