next-pwa-5.4.4.tgz: 12 vulnerabilities (highest severity is: 9.8) #29
Description
Vulnerable Library - next-pwa-5.4.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (next-pwa version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-37601 |  Critical |
9.8 | loader-utils-1.4.0.tgz | Transitive | 5.4.5 | ❌ |
| CVE-2022-29078 | Critical |
9.8 | ejs-3.1.6.tgz | Transitive | 5.4.5 | ❌ |
| CVE-2023-45133 | Critical |
9.3 | traverse-7.17.3.tgz | Transitive | 5.4.5 | ❌ |
| CVE-2024-33883 |  High |
8.8 | ejs-3.1.6.tgz | Transitive | N/A* | ❌ |
| CVE-2022-37603 | High |
7.5 | loader-utils-1.4.0.tgz | Transitive | 5.4.5 | ❌ |
| CVE-2022-37599 | High |
7.5 | loader-utils-1.4.0.tgz | Transitive | N/A* | ❌ |
| CVE-2022-46175 | High |
7.1 | json5-2.2.0.tgz | Transitive | 5.4.5 | ❌ |
| CVE-2025-27789 |  Medium |
6.2 | helpers-7.17.2.tgz | Transitive | 5.4.5 | ❌ |
| CVE-2024-47068 | Medium |
6.1 | rollup-2.68.0.tgz | Transitive | 5.4.5 | ❌ |
| CVE-2024-11831 | Medium |
5.4 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2022-25883 | Medium |
5.3 | semver-7.0.0.tgz | Transitive | 5.4.5 | ❌ |
| CVE-2022-25858 | Medium |
5.3 | terser-5.11.0.tgz | Transitive | 5.4.5 | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-37601
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- next-pwa-5.4.4.tgz (Root Library)
- babel-loader-8.2.3.tgz
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
- babel-loader-8.2.3.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (next-pwa): 5.4.5
Step up your Open Source Security Game with Mend here
CVE-2022-29078
Vulnerable Library - ejs-3.1.6.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- next-pwa-5.4.4.tgz (Root Library)
- workbox-webpack-plugin-6.4.2.tgz
- workbox-build-6.4.2.tgz
- rollup-plugin-off-main-thread-2.2.3.tgz
- ❌ ejs-3.1.6.tgz (Vulnerable Library)
- rollup-plugin-off-main-thread-2.2.3.tgz
- workbox-build-6.4.2.tgz
- workbox-webpack-plugin-6.4.2.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Publish Date: 2022-04-25
URL: CVE-2022-29078
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~
Release Date: 2022-04-25
Fix Resolution (ejs): 3.1.7
Direct dependency fix Resolution (next-pwa): 5.4.5
Step up your Open Source Security Game with Mend here
CVE-2023-45133
Vulnerable Library - traverse-7.17.3.tgz
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.17.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- next-pwa-5.4.4.tgz (Root Library)
- workbox-webpack-plugin-6.4.2.tgz
- workbox-build-6.4.2.tgz
- core-7.17.5.tgz
- ❌ traverse-7.17.3.tgz (Vulnerable Library)
- core-7.17.5.tgz
- workbox-build-6.4.2.tgz
- workbox-webpack-plugin-6.4.2.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
Babel is a compiler for writingJavaScript. In "@babel/traverse" prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of "babel-traverse", using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the "path.evaluate()"or "path.evaluateTruthy()" internal Babel methods. Known affected plugins are "@babel/plugin-transform-runtime"; "@babel/preset-env" when using its "useBuiltIns" option; and any "polyfill provider" plugin that depends on "@babel/helper-define-polyfill-provider", such as "babel-plugin-polyfill-corejs3", "babel-plugin-polyfill-corejs2", "babel-plugin-polyfill-es-shims", "babel-plugin-polyfill-regenerator". No other plugins under the "@babel/" namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in "@babel/traverse@7.23.2" and "@babel/traverse@8.0.0-alpha.4". Those who cannot upgrade "@babel/traverse" and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected "@babel/traverse" versions: "@babel/plugin-transform-runtime" v7.23.2, "@babel/preset-env" v7.23.2, "@babel/helper-define-polyfill-provider" v0.4.3, "babel-plugin-polyfill-corejs2" v0.4.6, "babel-plugin-polyfill-corejs3" v0.8.5, "babel-plugin-polyfill-es-shims" v0.10.0, "babel-plugin-polyfill-regenerator" v0.5.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-10-12
URL: CVE-2023-45133
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: 2023-10-12
Fix Resolution (@babel/traverse): 7.23.2
Direct dependency fix Resolution (next-pwa): 5.4.5
Step up your Open Source Security Game with Mend here
CVE-2024-33883
Vulnerable Library - ejs-3.1.6.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- next-pwa-5.4.4.tgz (Root Library)
- workbox-webpack-plugin-6.4.2.tgz
- workbox-build-6.4.2.tgz
- rollup-plugin-off-main-thread-2.2.3.tgz
- ❌ ejs-3.1.6.tgz (Vulnerable Library)
- rollup-plugin-off-main-thread-2.2.3.tgz
- workbox-build-6.4.2.tgz
- workbox-webpack-plugin-6.4.2.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
Publish Date: 2024-04-28
URL: CVE-2024-33883
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-33883
Release Date: 2024-04-28
Fix Resolution: ejs - 3.1.10
Step up your Open Source Security Game with Mend here
CVE-2022-37603
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- next-pwa-5.4.4.tgz (Root Library)
- babel-loader-8.2.3.tgz
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
- babel-loader-8.2.3.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: 2022-10-14
URL: CVE-2022-37603
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: 2022-10-14
Fix Resolution (loader-utils): 1.4.2
Direct dependency fix Resolution (next-pwa): 5.4.5
Step up your Open Source Security Game with Mend here
CVE-2022-37599
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- next-pwa-5.4.4.tgz (Root Library)
- babel-loader-8.2.3.tgz
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
- babel-loader-8.2.3.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: 2022-10-11
URL: CVE-2022-37599
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-hhq3-ff78-jv3g
Release Date: 2022-10-11
Fix Resolution: loader-utils - 1.4.2,2.0.4,3.2.1
Step up your Open Source Security Game with Mend here
CVE-2022-46175
Vulnerable Library - json5-2.2.0.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- next-pwa-5.4.4.tgz (Root Library)
- workbox-webpack-plugin-6.4.2.tgz
- workbox-build-6.4.2.tgz
- core-7.17.5.tgz
- ❌ json5-2.2.0.tgz (Vulnerable Library)
- core-7.17.5.tgz
- workbox-build-6.4.2.tgz
- workbox-webpack-plugin-6.4.2.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The "parse" method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named "proto", allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by "JSON5.parse" and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from "JSON5.parse". The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. "JSON5.parse" should restrict parsing of "proto" keys when parsing JSON strings to objects. As a point of reference, the "JSON.parse" method included in JavaScript ignores "proto" keys. Simply changing "JSON5.parse" to "JSON.parse" in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2022-12-24
URL: CVE-2022-46175
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (next-pwa): 5.4.5
Step up your Open Source Security Game with Mend here
CVE-2025-27789
Vulnerable Library - helpers-7.17.2.tgz
Collection of helper functions used by Babel transforms.
Library home page: https://registry.npmjs.org/@babel/helpers/-/helpers-7.17.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- next-pwa-5.4.4.tgz (Root Library)
- workbox-webpack-plugin-6.4.2.tgz
- workbox-build-6.4.2.tgz
- core-7.17.5.tgz
- ❌ helpers-7.17.2.tgz (Vulnerable Library)
- core-7.17.5.tgz
- workbox-build-6.4.2.tgz
- workbox-webpack-plugin-6.4.2.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the ".replace" method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to ".replace"). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the ".replace" method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of ".replace". This problem has been fixed in "@babel/helpers" and "@babel/runtime" 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on "@babel/helpers", and instead depend on "@babel/core" (which itself depends on "@babel/helpers"). Upgrading to "@babel/core" 7.26.10 is not required, but it guarantees use of a new enough "@babel/helpers" version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.
Publish Date: 2025-03-11
URL: CVE-2025-27789
CVSS 3 Score Details (6.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-968p-4wvh-cqc8
Release Date: 2025-03-11
Fix Resolution (@babel/helpers): 7.26.10
Direct dependency fix Resolution (next-pwa): 5.4.5
Step up your Open Source Security Game with Mend here
CVE-2024-47068
Vulnerable Library - rollup-2.68.0.tgz
Next-generation ES module bundler
Library home page: https://registry.npmjs.org/rollup/-/rollup-2.68.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- next-pwa-5.4.4.tgz (Root Library)
- workbox-webpack-plugin-6.4.2.tgz
- workbox-build-6.4.2.tgz
- ❌ rollup-2.68.0.tgz (Vulnerable Library)
- workbox-build-6.4.2.tgz
- workbox-webpack-plugin-6.4.2.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
Rollup is a module bundler for JavaScript. Versions prior to 3.29.5 and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from import.meta (e.g., import.meta.url) in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. Versions 3.29.5 and 4.22.4 contain a patch for the vulnerability.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-09-23
URL: CVE-2024-47068
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-gcx4-mw62-g8wm
Release Date: 2024-09-23
Fix Resolution (rollup): 2.79.2
Direct dependency fix Resolution (next-pwa): 5.4.5
Step up your Open Source Security Game with Mend here
CVE-2024-11831
Vulnerable Libraries - serialize-javascript-6.0.0.tgz, serialize-javascript-4.0.0.tgz
serialize-javascript-6.0.0.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- next-pwa-5.4.4.tgz (Root Library)
- terser-webpack-plugin-5.3.1.tgz
- ❌ serialize-javascript-6.0.0.tgz (Vulnerable Library)
- terser-webpack-plugin-5.3.1.tgz
serialize-javascript-4.0.0.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-4.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- next-pwa-5.4.4.tgz (Root Library)
- workbox-webpack-plugin-6.4.2.tgz
- workbox-build-6.4.2.tgz
- rollup-plugin-terser-7.0.2.tgz
- ❌ serialize-javascript-4.0.0.tgz (Vulnerable Library)
- rollup-plugin-terser-7.0.2.tgz
- workbox-build-6.4.2.tgz
- workbox-webpack-plugin-6.4.2.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
Publish Date: 2025-02-10
URL: CVE-2024-11831
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p7-773f-r4q5
Release Date: 2025-02-10
Fix Resolution: serialize-javascript - 6.0.2
Step up your Open Source Security Game with Mend here
CVE-2022-25883
Vulnerable Library - semver-7.0.0.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- next-pwa-5.4.4.tgz (Root Library)
- workbox-webpack-plugin-6.4.2.tgz
- workbox-build-6.4.2.tgz
- preset-env-7.16.11.tgz
- core-js-compat-3.21.1.tgz
- ❌ semver-7.0.0.tgz (Vulnerable Library)
- core-js-compat-3.21.1.tgz
- preset-env-7.16.11.tgz
- workbox-build-6.4.2.tgz
- workbox-webpack-plugin-6.4.2.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-06-21
URL: CVE-2022-25883
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution (semver): 7.5.2
Direct dependency fix Resolution (next-pwa): 5.4.5
Step up your Open Source Security Game with Mend here
CVE-2022-25858
Vulnerable Library - terser-5.11.0.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-5.11.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- next-pwa-5.4.4.tgz (Root Library)
- terser-webpack-plugin-5.3.1.tgz
- ❌ terser-5.11.0.tgz (Vulnerable Library)
- terser-webpack-plugin-5.3.1.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution (terser): 5.14.2
Direct dependency fix Resolution (next-pwa): 5.4.5
Step up your Open Source Security Game with Mend here