webpack-dev-server-3.9.0.tgz: 24 vulnerabilities (highest severity is: 9.8)

[mend-for-github-com]

Vulnerable Library - webpack-dev-server-3.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (webpack-dev-server version)	Remediation Possible**
CVE-2023-42282	Critical	9.8	ip-1.1.5.tgz	Transitive	3.10.0	✅
CVE-2022-0691	Critical	9.8	url-parse-1.4.7.tgz	Transitive	3.10.0	✅
CVE-2024-29415	Critical	9.1	ip-1.1.5.tgz	Transitive	N/A*	❌
CVE-2022-0686	Critical	9.1	url-parse-1.4.7.tgz	Transitive	3.10.0	✅
CVE-2022-24999	High	7.5	qs-6.7.0.tgz	Transitive	3.10.0	✅
CVE-2022-24772	High	7.5	node-forge-0.9.0.tgz	Transitive	4.7.3	✅
CVE-2022-24771	High	7.5	node-forge-0.9.0.tgz	Transitive	4.7.3	✅
CVE-2021-23424	High	7.5	ansi-html-0.0.7.tgz	Transitive	3.11.3	✅
CVE-2020-7662	High	7.5	websocket-extensions-0.1.3.tgz	Transitive	3.10.0	✅
CVE-2020-7720	High	7.3	node-forge-0.9.0.tgz	Transitive	3.10.0	✅
WS-2022-0008	Medium	6.6	node-forge-0.9.0.tgz	Transitive	4.7.3	✅
CVE-2024-28849	Medium	6.5	follow-redirects-1.9.0.tgz	Transitive	N/A*	❌
CVE-2022-0155	Medium	6.5	follow-redirects-1.9.0.tgz	Transitive	3.10.0	✅
CVE-2021-23386	Medium	6.5	dns-packet-1.3.1.tgz	Transitive	3.10.0	✅
CVE-2023-26159	Medium	6.1	follow-redirects-1.9.0.tgz	Transitive	3.10.0	✅
CVE-2022-0122	Medium	6.1	node-forge-0.9.0.tgz	Transitive	4.7.3	✅
CVE-2022-0536	Medium	5.9	follow-redirects-1.9.0.tgz	Transitive	3.10.0	✅
CVE-2022-24773	Medium	5.3	node-forge-0.9.0.tgz	Transitive	4.7.3	✅
CVE-2022-0639	Medium	5.3	url-parse-1.4.7.tgz	Transitive	3.10.0	✅
CVE-2022-0512	Medium	5.3	url-parse-1.4.7.tgz	Transitive	3.10.0	✅
CVE-2021-3664	Medium	5.3	url-parse-1.4.7.tgz	Transitive	3.10.0	✅
CVE-2021-32640	Medium	5.3	ws-6.2.1.tgz	Transitive	3.10.0	✅
CVE-2021-27515	Medium	5.3	url-parse-1.4.7.tgz	Transitive	3.10.0	✅
CVE-2020-7693	Medium	5.3	sockjs-0.3.19.tgz	Transitive	3.11.0	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-42282

Vulnerable Library - ip-1.1.5.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • ❌ ip-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-78xj-cgh5-2h22

Release Date: 2024-02-08

Fix Resolution (ip): 1.1.9

Direct dependency fix Resolution (webpack-dev-server): 3.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0691

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • sockjs-client-1.4.0.tgz
    • ❌ url-parse-1.4.7.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (webpack-dev-server): 3.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-29415

Vulnerable Library - ip-1.1.5.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • ❌ ip-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

Publish Date: 2024-05-27

URL: CVE-2024-29415

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2022-0686

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • sockjs-client-1.4.0.tgz
    • ❌ url-parse-1.4.7.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

Publish Date: 2022-02-20

URL: CVE-2022-0686

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686

Release Date: 2022-02-20

Fix Resolution (url-parse): 1.5.8

Direct dependency fix Resolution (webpack-dev-server): 3.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24999

Vulnerable Library - qs-6.7.0.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • express-4.17.1.tgz
    • ❌ qs-6.7.0.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.7.3

Direct dependency fix Resolution (webpack-dev-server): 3.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24772

Vulnerable Library - node-forge-0.9.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • selfsigned-1.10.7.tgz
    • ❌ node-forge-0.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (webpack-dev-server): 4.7.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24771

Vulnerable Library - node-forge-0.9.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • selfsigned-1.10.7.tgz
    • ❌ node-forge-0.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (webpack-dev-server): 4.7.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23424

Vulnerable Library - ansi-html-0.0.7.tgz

An elegant lib that converts the chalked (ANSI) text to HTML.

Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • ❌ ansi-html-0.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

Publish Date: 2021-08-18

URL: CVE-2021-23424

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424

Release Date: 2021-08-18

Fix Resolution (ansi-html): 0.0.8

Direct dependency fix Resolution (webpack-dev-server): 3.11.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7662

Vulnerable Library - websocket-extensions-0.1.3.tgz

Generic extension manager for WebSocket connections

Library home page: https://registry.npmjs.org/websocket-extensions/-/websocket-extensions-0.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • sockjs-0.3.19.tgz
    • faye-websocket-0.10.0.tgz
      • websocket-driver-0.7.0.tgz
        • ❌ websocket-extensions-0.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.

Publish Date: 2020-06-02

URL: CVE-2020-7662

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-g78m-2chm-r7qv

Release Date: 2020-06-02

Fix Resolution (websocket-extensions): 0.1.4

Direct dependency fix Resolution (webpack-dev-server): 3.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7720

Vulnerable Library - node-forge-0.9.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • selfsigned-1.10.7.tgz
    • ❌ node-forge-0.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

Publish Date: 2020-09-01

URL: CVE-2020-7720

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-09-01

Fix Resolution (node-forge): 0.10.0

Direct dependency fix Resolution (webpack-dev-server): 3.10.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2022-0008

Vulnerable Library - node-forge-0.9.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • selfsigned-1.10.7.tgz
    • ❌ node-forge-0.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (webpack-dev-server): 4.7.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-28849

Vulnerable Library - follow-redirects-1.9.0.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • http-proxy-middleware-0.19.1.tgz
    • http-proxy-1.18.0.tgz
      • ❌ follow-redirects-1.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-03-14

URL: CVE-2024-28849

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cxjh-pqwp-8mfp

Release Date: 2024-03-14

Fix Resolution: follow-redirects - 1.15.6

CVE-2022-0155

Vulnerable Library - follow-redirects-1.9.0.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • http-proxy-middleware-0.19.1.tgz
    • http-proxy-1.18.0.tgz
      • ❌ follow-redirects-1.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution (follow-redirects): 1.14.7

Direct dependency fix Resolution (webpack-dev-server): 3.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23386

Vulnerable Library - dns-packet-1.3.1.tgz

An abstract-encoding compliant module for encoding / decoding DNS packets

Library home page: https://registry.npmjs.org/dns-packet/-/dns-packet-1.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • bonjour-3.5.0.tgz
    • multicast-dns-6.2.3.tgz
      • ❌ dns-packet-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

Publish Date: 2021-05-20

URL: CVE-2021-23386

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23386

Release Date: 2021-05-20

Fix Resolution (dns-packet): 1.3.2

Direct dependency fix Resolution (webpack-dev-server): 3.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-26159

Vulnerable Library - follow-redirects-1.9.0.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • http-proxy-middleware-0.19.1.tgz
    • http-proxy-1.18.0.tgz
      • ❌ follow-redirects-1.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

Publish Date: 2024-01-02

URL: CVE-2023-26159

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26159

Release Date: 2024-01-02

Fix Resolution (follow-redirects): 1.15.4

Direct dependency fix Resolution (webpack-dev-server): 3.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0122

Vulnerable Library - node-forge-0.9.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • selfsigned-1.10.7.tgz
    • ❌ node-forge-0.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site
Mend Note: Converted from WS-2022-0007, on 2022-11-07.

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (webpack-dev-server): 4.7.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0536

Vulnerable Library - follow-redirects-1.9.0.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • http-proxy-middleware-0.19.1.tgz
    • http-proxy-1.18.0.tgz
      • ❌ follow-redirects-1.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.

Publish Date: 2022-02-09

URL: CVE-2022-0536

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536

Release Date: 2022-02-09

Fix Resolution (follow-redirects): 1.14.8

Direct dependency fix Resolution (webpack-dev-server): 3.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24773

Vulnerable Library - node-forge-0.9.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • selfsigned-1.10.7.tgz
    • ❌ node-forge-0.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24773

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (webpack-dev-server): 4.7.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0639

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • sockjs-client-1.4.0.tgz
    • ❌ url-parse-1.4.7.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.

Publish Date: 2022-02-17

URL: CVE-2022-0639

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639

Release Date: 2022-02-17

Fix Resolution (url-parse): 1.5.7

Direct dependency fix Resolution (webpack-dev-server): 3.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0512

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • sockjs-client-1.4.0.tgz
    • ❌ url-parse-1.4.7.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

Publish Date: 2022-02-14

URL: CVE-2022-0512

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512

Release Date: 2022-02-14

Fix Resolution (url-parse): 1.5.6

Direct dependency fix Resolution (webpack-dev-server): 3.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-3664

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • sockjs-client-1.4.0.tgz
    • ❌ url-parse-1.4.7.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

url-parse is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2021-07-26

URL: CVE-2021-3664

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664

Release Date: 2021-07-26

Fix Resolution (url-parse): 1.5.2

Direct dependency fix Resolution (webpack-dev-server): 3.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-32640

Vulnerable Library - ws-6.2.1.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-6.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • ❌ ws-6.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution (ws): 6.2.2

Direct dependency fix Resolution (webpack-dev-server): 3.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-27515

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • sockjs-client-1.4.0.tgz
    • ❌ url-parse-1.4.7.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

Publish Date: 2021-02-22

URL: CVE-2021-27515

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27515

Release Date: 2021-02-22

Fix Resolution (url-parse): 1.5.0

Direct dependency fix Resolution (webpack-dev-server): 3.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7693

Vulnerable Library - sockjs-0.3.19.tgz

SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication

Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• webpack-dev-server-3.9.0.tgz (Root Library)
  • ❌ sockjs-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: 79acd56f0f99bd4d378e24c33f3f4831cc1e5314

Found in base branch: master

Vulnerability Details

Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

Publish Date: 2020-07-09

URL: CVE-2020-7693

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-14

Fix Resolution (sockjs): 0.3.20

Direct dependency fix Resolution (webpack-dev-server): 3.11.0

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.