larvitreqparser-0.5.76.tgz: 1 vulnerabilities (highest severity is: 6.5) - autoclosed #16
Description
Vulnerable Library - larvitreqparser-0.5.76.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/async/package.json
Found in HEAD commit: 185069a9af406ebbf266a8f7ff196d415e54744f
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (larvitreqparser version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-39249 |  Medium |
6.5 | async-3.2.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-39249
Vulnerable Library - async-3.2.5.tgz
Library home page: https://registry.npmjs.org/async/-/async-3.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/async/package.json
Dependency Hierarchy:
- larvitreqparser-0.5.76.tgz (Root Library)
- ❌ async-3.2.5.tgz (Vulnerable Library)
Found in HEAD commit: 185069a9af406ebbf266a8f7ff196d415e54744f
Found in base branch: master
Vulnerability Details
Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function.
Publish Date: 2024-07-01
URL: CVE-2024-39249
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-39249
Release Date: 2024-07-01
Fix Resolution: async - 3.0.1