Skip to content

eslint-7.32.0.tgz: 3 vulnerabilities (highest severity is: 5.5) #35

New issue
New issue
Open
Open
eslint-7.32.0.tgz: 3 vulnerabilities (highest severity is: 5.5)#35
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Dec 7, 2023
Vulnerable Library - eslint-7.32.0.tgz

An AST-based pattern checker for JavaScript.

Library home page: https://registry.npmjs.org/eslint/-/eslint-7.32.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (eslint version) Remediation Possible**
CVE-2025-50537 Medium 5.5 eslint-7.32.0.tgz Direct 9.26.0
CVE-2025-64718 Medium 5.3 js-yaml-3.14.1.tgz Transitive N/A*
CVE-2023-26115 Medium 5.3 word-wrap-1.2.3.tgz Transitive 8.0.0

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-50537

Vulnerable Library - eslint-7.32.0.tgz

An AST-based pattern checker for JavaScript.

Library home page: https://registry.npmjs.org/eslint/-/eslint-7.32.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • eslint-7.32.0.tgz (Vulnerable Library)

Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797

Found in base branch: main

Vulnerability Details

Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a stack overflow.

Publish Date: 2026-01-26

URL: CVE-2025-50537

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-01-26

Fix Resolution: 9.26.0

Step up your Open Source Security Game with Mend here

CVE-2025-64718

Vulnerable Library - js-yaml-3.14.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • eslint-7.32.0.tgz (Root Library)
    • js-yaml-3.14.1.tgz (Vulnerable Library)

Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797

Found in base branch: main

Vulnerability Details

js-yaml is a JavaScript YAML parser and dumper. In js-yaml 4.1.0 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution ("proto"). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1. Users can protect against this kind of attack on the server by using "node --disable-proto=delete" or "deno" (in Deno, pollution protection is on by default).

Publish Date: 2025-11-13

URL: CVE-2025-64718

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-mh29-5h37-fv8m

Release Date: 2025-11-13

Fix Resolution: js-yaml - 4.1.1,js-yaml - 3.14.2

Step up your Open Source Security Game with Mend here

CVE-2023-26115

Vulnerable Library - word-wrap-1.2.3.tgz

Wrap words to a specified length.

Library home page: https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • eslint-7.32.0.tgz (Root Library)
    • optionator-0.9.1.tgz
      • word-wrap-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797

Found in base branch: main

Vulnerability Details

All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.

Publish Date: 2023-06-22

URL: CVE-2023-26115

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-j8xg-fqg3-53r7

Release Date: 2023-06-22

Fix Resolution (word-wrap): 1.2.4

Direct dependency fix Resolution (eslint): 8.0.0

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions