CVE-2024-41818 (High) detected in fast-xml-parser-4.2.5.tgz

[mend-bolt-for-github]

CVE-2024-41818 - High Severity Vulnerability

Vulnerable Library - fast-xml-parser-4.2.5.tgz

Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• mongodb-4.17.2.tgz (Root Library)
  • credential-providers-3.444.0.tgz
    • client-sts-3.441.0.tgz
      • ❌ fast-xml-parser-4.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 6e8408d8e06b1da6360cb50965e4dec09ff975e4

Found in base branch: main

Vulnerability Details

fast-xml-parser is an open source, pure javascript xml parser. a ReDOS exists on currency.js. This vulnerability is fixed in 4.4.1.

Publish Date: 2024-07-29

URL: CVE-2024-41818

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-41818

Release Date: 2024-07-29

Fix Resolution (fast-xml-parser): 4.4.1

Direct dependency fix Resolution (mongodb): 5.0.0

---

Step up your Open Source Security Game with Mend here