Security Vulnerabilities Detected via Snyk in @gorules/[email protected] #203
Overview
Description
While scanning our project with Snyk, we identified two transitive vulnerabilities introduced via the dependency @gorules/[email protected]. These issues originate from deeply nested dependencies and currently have no available fix in the affected versions.
🔒 Vulnerability 1: Missing Release of Resource after Effective Lifetime
Package: [email protected]
CWE: CWE-772
Severity: Medium (CVSS 6.2)
Snyk ID: SNYK-JS-INFLIGHT-6095116
Exploit Maturity: Proof of Concept
Fix: ❌ No fix available — inflight is unmaintained.
Description:
The inflight package fails to release resources properly after their effective lifetime. This can lead to memory/resource exhaustion, resulting in potential application crashes.
Dependency Path Example:
@gorules/[email protected]
└─ [email protected]
   └─ [email protected]
      └─ [email protected]
         └─ [email protected]
            └─ [email protected]
🐢 Vulnerability 2: Regular Expression Denial of Service (ReDoS)
Package: [email protected]
CWE: CWE-1333
CVE: CVE-2025-5889
Severity: Low (CVSS 2.3)
Fix available in: [email protected] or later
Description:
The expand() function in brace-expansion is vulnerable to catastrophic backtracking on long input strings, allowing a potential denial of service.
Dependency Path Example:
@gorules/[email protected]
└─ [email protected]
   └─ [email protected]
      └─ [email protected]
         └─ [email protected]
            └─ [email protected]
               └─ [email protected]
📌 Recommendation
Please consider updating or replacing the dependency chain to eliminate the use of deprecated/unmaintained packages like inflight.
Updating exceljs (or related dependencies) to versions that no longer rely on inflight or older versions of brace-expansion may help mitigate the vulnerabilities.
Alternatively, guidance on how best to override or patch these transitive issues from the maintainers would be appreciated.
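The following is an added example, not code from this issue or from the @gorules/zen-engine project: a small script that walks a package-lock.json (the `packages` map of lockfileVersion 2/3) and reports every path at which a flagged package is installed, applying the two kinds of rule described above (a package with no fix at any version, and a package fixed at or above some version), then derives the npm `overrides` entry that would pin the fixable one. The sample lock file and the rule table are constructed for the demo; the fixed brace-expansion version is elided on this page, so the `fixedIn` threshold below is a placeholder to be replaced with the version from the advisory.

```javascript
// Added example (not from @gorules/zen-engine): audit a package-lock.json for
// flagged transitive dependencies and derive an npm "overrides" entry.
// Handles lockfileVersion 2/3 ("packages" map); v1 lockfiles ("dependencies") are not covered.

// Parse "1.2.3" or "v1.2.3-beta.1" into [major, minor, patch]; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric semver comparison (so "1.1.11" > "1.1.9"); returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// A rule is either { noFix: true } (every version is flagged, e.g. an unmaintained package)
// or { fixedIn: "x.y.z" } (versions below that are flagged).
function isFlagged(version, rule) {
  if (rule.noFix) return true;
  return compareVersions(version, rule.fixedIn) < 0;
}

// lock: parsed package-lock.json; rules: { [packageName]: rule }.
// Returns one finding per installed copy: { path, name, version, reason }.
function auditLock(lock, rules) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !meta.version) continue; // "" is the root project itself
    // Package name is everything after the last "node_modules/" (keeps scopes like @gorules/zen-engine).
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const rule = rules[name];
    if (rule && isFlagged(meta.version, rule)) {
      findings.push({ path, name, version: meta.version,
        reason: rule.noFix ? "no fix available" : `fixed in ${rule.fixedIn}` });
    }
  }
  return findings;
}

// Build the package.json "overrides" object for the findings that have a fix.
// Packages with no fix get no override: the parent that pulls them in must be upgraded instead.
function overridesFor(findings, rules) {
  const overrides = {};
  for (const f of findings) {
    const rule = rules[f.name];
    if (rule && rule.fixedIn) overrides[f.name] = `>=${rule.fixedIn}`;
  }
  return overrides;
}

// Constructed sample lock file: shapes mirror the dependency paths in the issue.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/@gorules/zen-engine": { version: "0.0.0" },
    "node_modules/inflight": { version: "1.0.6" },
    "node_modules/brace-expansion": { version: "2.0.1" },
    "node_modules/exceljs/node_modules/brace-expansion": { version: "1.1.11" },
    "node_modules/minimatch/node_modules/brace-expansion": { version: "2.1.0" },
  },
};

// Constructed rule table; "2.1.0" is a placeholder for the real fixed version from the advisory.
const SAMPLE_RULES = {
  inflight: { noFix: true },
  "brace-expansion": { fixedIn: "2.1.0" },
};

// Stand-alone use: `node audit-lock.js ./package-lock.json`, or no argument to audit the sample.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const findings = auditLock(lock, SAMPLE_RULES);
  for (const f of findings) console.log(`${f.path}@${f.version}: ${f.reason}`);
  console.log("suggested overrides:", JSON.stringify(overridesFor(findings, SAMPLE_RULES)));
}
```

The override object maps onto the `overrides` field npm supports in package.json, which forces every copy of brace-expansion in the tree to a fixed version; inflight, having no fixed version, only disappears when the package that depends on it (here the glob chain under exceljs) is upgraded to a release that no longer lists it, which is the per-path information the audit output gives you.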