@kleros/vea-relayer-cli-0.0.0.tgz: 3 vulnerabilities (highest severity is: 7.5) #195
Description
Vulnerable Library - @kleros/vea-relayer-cli-0.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (@kleros/vea-relayer-cli version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-64756 |  High |
7.5 | glob-10.4.5.tgz | Transitive | N/A* | ❌ |
| CVE-2025-64718 |  Medium |
5.3 | js-yaml-4.1.0.tgz | Transitive | N/A* | ❌ |
| CVE-2025-5891 | Medium |
4.3 | pm2-6.0.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-64756
Vulnerable Library - glob-10.4.5.tgz
Library home page: https://registry.npmjs.org/glob/-/glob-10.4.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- chokidar-3.6.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-11.2.0.tgz
- make-fetch-happen-14.0.3.tgz
- cacache-19.0.1.tgz
- ❌ glob-10.4.5.tgz (Vulnerable Library)
- cacache-19.0.1.tgz
- make-fetch-happen-14.0.3.tgz
- node-gyp-11.2.0.tgz
- fsevents-2.3.3.tgz
- chokidar-3.6.0.tgz
- pm2-6.0.5.tgz
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
Glob matches files using patterns the shell uses. From versions 10.3.7 to 11.0.3, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in version 11.1.0.
Publish Date: 2025-11-17
URL: CVE-2025-64756
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-5j98-mcp5-4vw2
Release Date: 2025-11-17
Fix Resolution: glob - 11.0.3
Step up your Open Source Security Game with Mend here
CVE-2025-64718
Vulnerable Library - js-yaml-4.1.0.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- ❌ js-yaml-4.1.0.tgz (Vulnerable Library)
- pm2-6.0.5.tgz
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
js-yaml is a JavaScript YAML parser and dumper. In js-yaml 4.1.0 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution ("proto"). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1. Users can protect against this kind of attack on the server by using "node --disable-proto=delete" or "deno" (in Deno, pollution protection is on by default).
Publish Date: 2025-11-13
URL: CVE-2025-64718
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-mh29-5h37-fv8m
Release Date: 2025-11-13
Fix Resolution: js-yaml - 4.1.1,js-yaml - 3.14.2
Step up your Open Source Security Game with Mend here
CVE-2025-5891
Vulnerable Library - pm2-6.0.5.tgz
Production process manager for Node.JS applications with a built-in load balancer.
Library home page: https://registry.npmjs.org/pm2/-/pm2-6.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- ❌ pm2-6.0.5.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
A vulnerability classified as problematic was found in Unitech pm2 up to 6.0.6. This vulnerability affects unknown code of the file /lib/tools/Config.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Publish Date: 2025-06-09
URL: CVE-2025-5891
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Step up your Open Source Security Game with Mend here