react-scripts-4.0.3.tgz: 43 vulnerabilities (highest severity is: 9.8) #20
Description
Vulnerable Library - react-scripts-4.0.3.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/ejs/package.json
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (react-scripts version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| WS-2021-0153 |  Critical |
9.8 | ejs-2.7.4.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2022-37601 | Critical |
9.8 | loader-utils-2.0.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2022-29078 | Critical |
9.8 | ejs-2.7.4.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2021-42740 | Critical |
9.8 | shell-quote-1.7.2.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2021-3757 | Critical |
9.8 | immer-8.0.1.tgz | Transitive | N/A* | ❌ |
| CVE-2024-29415 | Critical |
9.1 | ip-1.1.9.tgz | Transitive | N/A* | ❌ |
| CVE-2024-33883 |  High |
8.8 | ejs-2.7.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-12816 | High |
8.6 | node-forge-0.10.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-66031 | High |
7.5 | node-forge-0.10.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-15284 | High |
7.5 | detected in multiple dependencies | Transitive | 5.0.0 | ❌ |
| CVE-2024-4068 | High |
7.5 | braces-2.3.2.tgz | Transitive | N/A* | ❌ |
| CVE-2024-21538 | High |
7.5 | cross-spawn-7.0.3.tgz | Transitive | N/A* | ❌ |
| CVE-2024-21536 | High |
7.5 | http-proxy-middleware-0.19.1.tgz | Transitive | N/A* | ❌ |
| CVE-2022-37603 | High |
7.5 | loader-utils-2.0.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2022-37599 | High |
7.5 | loader-utils-2.0.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2022-3517 | High |
7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | ❌ |
| CVE-2022-24772 | High |
7.5 | node-forge-0.10.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2022-24771 | High |
7.5 | node-forge-0.10.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2021-3803 | High |
7.5 | nth-check-1.0.2.tgz | Transitive | N/A* | ❌ |
| CVE-2021-23424 | High |
7.5 | ansi-html-0.0.7.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2024-29180 | High |
7.4 | webpack-dev-middleware-3.7.3.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2021-23337 | High |
7.2 | lodash.template-4.5.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-23745 | High |
7.1 | tar-6.2.1.tgz | Transitive | N/A* | ❌ |
| WS-2022-0008 |  Medium |
6.6 | node-forge-0.10.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-30360 | Medium |
6.5 | webpack-dev-server-3.11.1.tgz | Transitive | N/A* | ❌ |
| CVE-2024-43788 | Medium |
6.4 | webpack-4.44.2.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2024-47068 | Medium |
6.1 | rollup-1.32.1.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2022-0122 | Medium |
6.1 | node-forge-0.10.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-14505 | Medium |
5.6 | elliptic-6.6.1.tgz | Transitive | N/A* | ❌ |
| CVE-2021-23436 | Medium |
5.6 | immer-8.0.1.tgz | Transitive | N/A* | ❌ |
| CVE-2024-11831 | Medium |
5.4 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2025-66030 | Medium |
5.3 | node-forge-0.10.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-30359 | Medium |
5.3 | webpack-dev-server-3.11.1.tgz | Transitive | N/A* | ❌ |
| CVE-2024-4067 | Medium |
5.3 | micromatch-3.1.10.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2023-44270 | Medium |
5.3 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2022-25883 | Medium |
5.3 | semver-7.3.2.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2022-24773 | Medium |
5.3 | node-forge-0.10.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2021-23364 | Medium |
5.3 | browserslist-4.14.2.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2020-28469 | Medium |
5.3 | glob-parent-3.1.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-32997 | Medium |
4.0 | http-proxy-middleware-0.19.1.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-32996 | Medium |
4.0 | http-proxy-middleware-0.19.1.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-59437 |  Low |
3.2 | ip-1.1.9.tgz | Transitive | N/A* | ❌ |
| CVE-2025-59436 | Low |
3.2 | ip-1.1.9.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (20 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
WS-2021-0153
Vulnerable Library - ejs-2.7.4.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/ejs/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- workbox-webpack-plugin-5.1.4.tgz
- workbox-build-5.1.4.tgz
- rollup-plugin-off-main-thread-1.4.2.tgz
- ❌ ejs-2.7.4.tgz (Vulnerable Library)
- rollup-plugin-off-main-thread-1.4.2.tgz
- workbox-build-5.1.4.tgz
- workbox-webpack-plugin-5.1.4.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.
Publish Date: 2021-01-22
URL: WS-2021-0153
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-01-22
Fix Resolution (ejs): 3.1.6
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-37601
Vulnerable Library - loader-utils-2.0.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.0.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/react-dev-utils/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- react-dev-utils-11.0.4.tgz
- ❌ loader-utils-2.0.0.tgz (Vulnerable Library)
- react-dev-utils-11.0.4.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils): 2.0.3
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-29078
Vulnerable Library - ejs-2.7.4.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/ejs/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- workbox-webpack-plugin-5.1.4.tgz
- workbox-build-5.1.4.tgz
- rollup-plugin-off-main-thread-1.4.2.tgz
- ❌ ejs-2.7.4.tgz (Vulnerable Library)
- rollup-plugin-off-main-thread-1.4.2.tgz
- workbox-build-5.1.4.tgz
- workbox-webpack-plugin-5.1.4.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Publish Date: 2022-04-25
URL: CVE-2022-29078
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~
Release Date: 2022-04-25
Fix Resolution (ejs): 3.1.7
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2021-42740
Vulnerable Library - shell-quote-1.7.2.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/shell-quote/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- react-dev-utils-11.0.4.tgz
- ❌ shell-quote-1.7.2.tgz (Vulnerable Library)
- react-dev-utils-11.0.4.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2021-3757
Vulnerable Library - immer-8.0.1.tgz
Create your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-8.0.1.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/immer/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- react-dev-utils-11.0.4.tgz
- ❌ immer-8.0.1.tgz (Vulnerable Library)
- react-dev-utils-11.0.4.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-09-02
URL: CVE-2021-3757
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-c36v-fmgq-m8hx
Release Date: 2021-09-02
Fix Resolution: immer - 9.0.6,immer - 9.0.6
Step up your Open Source Security Game with Mend here
CVE-2024-29415
Vulnerable Library - ip-1.1.9.tgz
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.9.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/ip/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- webpack-dev-server-3.11.1.tgz
- ❌ ip-1.1.9.tgz (Vulnerable Library)
- webpack-dev-server-3.11.1.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282. We assigned a different CVSS score to this CVE because of its potential to result in a Server-Side Request Forgery (SSRF) vulnerability. Additionally, the package is no longer maintained, which increases the associated risk.
Publish Date: 2024-05-27
URL: CVE-2024-29415
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Step up your Open Source Security Game with Mend here
CVE-2024-33883
Vulnerable Library - ejs-2.7.4.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/ejs/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- workbox-webpack-plugin-5.1.4.tgz
- workbox-build-5.1.4.tgz
- rollup-plugin-off-main-thread-1.4.2.tgz
- ❌ ejs-2.7.4.tgz (Vulnerable Library)
- rollup-plugin-off-main-thread-1.4.2.tgz
- workbox-build-5.1.4.tgz
- workbox-webpack-plugin-5.1.4.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
Publish Date: 2024-04-28
URL: CVE-2024-33883
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-33883
Release Date: 2024-04-28
Fix Resolution: ejs - 3.1.10
Step up your Open Source Security Game with Mend here
CVE-2025-12816
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/node-forge/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- webpack-dev-server-3.11.1.tgz
- selfsigned-1.10.14.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
- selfsigned-1.10.14.tgz
- webpack-dev-server-3.11.1.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Publish Date: 2025-11-25
URL: CVE-2025-12816
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-5gfm-wpxj-wjgq
Release Date: 2025-11-25
Fix Resolution (node-forge): 1.3.2
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2025-66031
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/node-forge/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- webpack-dev-server-3.11.1.tgz
- selfsigned-1.10.14.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
- selfsigned-1.10.14.tgz
- webpack-dev-server-3.11.1.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.
Publish Date: 2025-11-26
URL: CVE-2025-66031
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-554w-wpv2-vw27
Release Date: 2025-11-26
Fix Resolution (node-forge): 1.3.2
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2025-15284
Vulnerable Libraries - qs-6.14.0.tgz, qs-6.13.0.tgz
qs-6.14.0.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.14.0.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/qs/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- webpack-dev-server-3.11.1.tgz
- url-0.11.4.tgz
- ❌ qs-6.14.0.tgz (Vulnerable Library)
- url-0.11.4.tgz
- webpack-dev-server-3.11.1.tgz
qs-6.13.0.tgz
Library home page: https://registry.npmjs.org/qs/-/qs-6.13.0.tgz
Path to dependency file: /backend/package.json
Path to vulnerable library: /backend/node_modules/qs/package.json,/frontend/node_modules/express/node_modules/qs/package.json,/frontend/node_modules/body-parser/node_modules/qs/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- webpack-dev-server-3.11.1.tgz
- express-4.21.2.tgz
- ❌ qs-6.13.0.tgz (Vulnerable Library)
- express-4.21.2.tgz
- webpack-dev-server-3.11.1.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1.
SummaryThe arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable.
DetailsThe arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).
Vulnerable code (lib/parse.js:159-162):
if (root === '[]' && options.parseArrays) {
obj = utils.combine([], leaf); // No arrayLimit check
}
Working code (lib/parse.js:175):
else if (index <= options.arrayLimit) { // Limit checked here
obj = [];
obj[index] = leaf;
}
The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.
PoCTest 1 - Basic bypass:
npm install qs
const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length); // Output: 6 (should be max 5)
Test 2 - DoS demonstration:
const qs = require('qs');
const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
const result = qs.parse(attack, { arrayLimit: 100 });
console.log(result.a.length); // Output: 10000 (should be max 100)
Configuration:
- arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2)
- Use bracket notation: a[]=value (not indexed a[0]=value)
ImpactDenial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection.
Attack scenario: - Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times)
- Application parses with qs.parse(query, { arrayLimit: 100 })
- qs ignores limit, parses all 100,000 elements into array
- Server memory exhausted → application crashes or becomes unresponsive
- Service unavailable for all users
Real-world impact: - Single malicious request can crash server
- No authentication required
- Easy to automate and scale
- Affects any endpoint parsing query strings with bracket notation
Publish Date: 2025-12-29
URL: CVE-2025-15284
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6rw7-vpxm-498p
Release Date: 2025-12-29
Fix Resolution (qs): 6.14.1
Direct dependency fix Resolution (react-scripts): 5.0.0
Fix Resolution (qs): 6.14.1
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2024-4068
Vulnerable Library - braces-2.3.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/fork-ts-checker-webpack-plugin/node_modules/braces/package.json,/frontend/node_modules/http-proxy-middleware/node_modules/braces/package.json,/frontend/node_modules/watchpack-chokidar2/node_modules/braces/package.json,/frontend/node_modules/webpack/node_modules/braces/package.json,/frontend/node_modules/sane/node_modules/braces/package.json,/frontend/node_modules/webpack-dev-server/node_modules/braces/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- react-dev-utils-11.0.4.tgz
- fork-ts-checker-webpack-plugin-4.1.6.tgz
- micromatch-3.1.10.tgz
- ❌ braces-2.3.2.tgz (Vulnerable Library)
- micromatch-3.1.10.tgz
- fork-ts-checker-webpack-plugin-4.1.6.tgz
- react-dev-utils-11.0.4.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In "lib/parse.js," if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash. After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: 2024-05-13
URL: CVE-2024-4068
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2024-05-13
Fix Resolution: braces - 3.0.3
Step up your Open Source Security Game with Mend here
CVE-2024-21538
Vulnerable Library - cross-spawn-7.0.3.tgz
Cross platform child_process#spawn and child_process#spawnSync
Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/react-dev-utils/node_modules/cross-spawn/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- react-dev-utils-11.0.4.tgz
- ❌ cross-spawn-7.0.3.tgz (Vulnerable Library)
- react-dev-utils-11.0.4.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Publish Date: 2024-11-08
URL: CVE-2024-21538
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-21538
Release Date: 2024-11-08
Fix Resolution: org.webjars.npm:cross-spawn:6.0.6,org.webjars.npm:cross-spawn:7.0.5,https://github.com/moxystudio/node-cross-spawn.git - v6.0.6,https://github.com/moxystudio/node-cross-spawn.git - v7.0.5
Step up your Open Source Security Game with Mend here
CVE-2024-21536
Vulnerable Library - http-proxy-middleware-0.19.1.tgz
The one-liner node.js proxy middleware for connect, express and browser-sync
Library home page: https://registry.npmjs.org/http-proxy-middleware/-/http-proxy-middleware-0.19.1.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/http-proxy-middleware/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- webpack-dev-server-3.11.1.tgz
- ❌ http-proxy-middleware-0.19.1.tgz (Vulnerable Library)
- webpack-dev-server-3.11.1.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
Publish Date: 2024-10-19
URL: CVE-2024-21536
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-c7qv-q95q-8v27
Release Date: 2024-10-19
Fix Resolution: http-proxy-middleware - 3.0.3,http-proxy-middleware - 2.0.7
Step up your Open Source Security Game with Mend here
CVE-2022-37603
Vulnerable Library - loader-utils-2.0.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.0.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/react-dev-utils/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- react-dev-utils-11.0.4.tgz
- ❌ loader-utils-2.0.0.tgz (Vulnerable Library)
- react-dev-utils-11.0.4.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: 2022-10-14
URL: CVE-2022-37603
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: 2022-10-14
Fix Resolution (loader-utils): 2.0.4
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-37599
Vulnerable Library - loader-utils-2.0.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.0.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/react-dev-utils/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- react-dev-utils-11.0.4.tgz
- ❌ loader-utils-2.0.0.tgz (Vulnerable Library)
- react-dev-utils-11.0.4.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: 2022-10-11
URL: CVE-2022-37599
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-hhq3-ff78-jv3g
Release Date: 2022-10-11
Fix Resolution (loader-utils): 2.0.3
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/recursive-readdir/node_modules/minimatch/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- react-dev-utils-11.0.4.tgz
- recursive-readdir-2.2.2.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- recursive-readdir-2.2.2.tgz
- react-dev-utils-11.0.4.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-f8q6-p94x-37v3
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
Step up your Open Source Security Game with Mend here
CVE-2022-24772
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/node-forge/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- webpack-dev-server-3.11.1.tgz
- selfsigned-1.10.14.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
- selfsigned-1.10.14.tgz
- webpack-dev-server-3.11.1.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a "DigestInfo" ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in "node-forge" version 1.3.0. There are currently no known workarounds.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2022-03-18
URL: CVE-2022-24772
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-24771
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/node-forge/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- webpack-dev-server-3.11.1.tgz
- selfsigned-1.10.14.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
- selfsigned-1.10.14.tgz
- webpack-dev-server-3.11.1.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in "node-forge" version 1.3.0. There are currently no known workarounds.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2022-03-18
URL: CVE-2022-24771
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2021-3803
Vulnerable Library - nth-check-1.0.2.tgz
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/svgo/node_modules/nth-check/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- webpack-5.5.0.tgz
- plugin-svgo-5.5.0.tgz
- svgo-1.3.2.tgz
- css-select-2.1.0.tgz
- ❌ nth-check-1.0.2.tgz (Vulnerable Library)
- css-select-2.1.0.tgz
- svgo-1.3.2.tgz
- plugin-svgo-5.5.0.tgz
- webpack-5.5.0.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-rp65-9cf3-cjxr
Release Date: 2021-09-17
Fix Resolution: nth-check - 2.0.1
Step up your Open Source Security Game with Mend here
CVE-2021-23424
Vulnerable Library - ansi-html-0.0.7.tgz
An elegant lib that converts the chalked (ANSI) text to HTML.
Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/ansi-html/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- react-refresh-webpack-plugin-0.4.3.tgz
- ❌ ansi-html-0.0.7.tgz (Vulnerable Library)
- react-refresh-webpack-plugin-0.4.3.tgz
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.
Publish Date: 2021-08-18
URL: CVE-2021-23424
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424
Release Date: 2021-08-18
Fix Resolution (ansi-html): 0.0.8
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here