Description
Running npm audit --omit=dev against Kutt 3.2.3 reports several vulnerabilities in production dependencies.
Some of the notable findings include:
hbs@4.2.0 depends on a vulnerable handlebars version
express@4.21.2 has advisories through transitive dependencies such as path-to-regexp, qs, and body-parser
useragent@2.3.0 has a known ReDoS advisory and appears to have no available npm fix
nodemailer@6.9.16 has advisories, although impact depends on whether mail support is enabled
validator is pulled in transitively with advisories
Why this matters
Kutt is commonly self-hosted as a public-facing URL shortener. Even if some advisories are not directly exploitable in the current application flow, keeping vulnerable production dependencies makes it harder for administrators to assess and operate Kutt safely.
The hbs / handlebars findings are especially concerning because Kutt supports custom Handlebars templates through the custom/views feature.
Reproduction
On Kutt 3.2.3, run npm audit --omit=dev.
The audit reports multiple production dependency vulnerabilities, including high and critical severities.
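The raw audit output mixes direct and transitive packages and hides which entries have no fix at all, which is the part an administrator has to assess by hand. The following triage helper is an added example written for this report; it is not Kutt code and not part of npm. It reads the JSON shape produced by `npm audit --omit=dev --json` (auditReportVersion 2: a `vulnerabilities` map whose `via` entries are either advisory objects or names of other vulnerable packages, and a `fixAvailable` field that is `false`, `true`, or an object naming the top-level package npm would change). The embedded report is constructed to mirror the packages named above; its severities, advisory titles and the `x.y.z` fix version are placeholders, not real advisory data.

```javascript
// Triage helper for `npm audit --omit=dev --json` output (npm >= 7, auditReportVersion 2).
// Added example, not Kutt's code: resolves each finding back to the package(s) that
// actually carry an advisory, classifies the available fix, and flags unfixable entries.

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Reduce npm's fixAvailable field to a short tag that is easy to scan in a table.
function describeFix(fixAvailable) {
  if (fixAvailable === false || fixAvailable == null) return 'none';
  if (fixAvailable === true) return 'in-range';
  // Object form: the top-level dependency npm would change, and whether that is a major bump.
  return fixAvailable.isSemVerMajor
    ? `major:${fixAvailable.name}@${fixAvailable.version}`
    : `update:${fixAvailable.name}@${fixAvailable.version}`;
}

// Follow `via` strings (package names) until reaching packages whose `via` holds
// advisory objects; those are the real root causes. `seen` guards against cycles.
function rootCauses(vulns, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const entry = vulns[name];
  if (!entry) return [];
  const roots = new Set();
  for (const v of entry.via) {
    if (typeof v === 'string') {
      for (const r of rootCauses(vulns, v, seen)) roots.add(r);
    } else {
      roots.add(name); // this package itself carries an advisory
    }
  }
  return [...roots];
}

// Produce one row per vulnerable package, most severe first, then by name.
function triage(report) {
  const vulns = report.vulnerabilities || {};
  const findings = Object.values(vulns).map((v) => ({
    name: v.name,
    severity: v.severity,
    direct: Boolean(v.isDirect),
    causes: rootCauses(vulns, v.name).sort(),
    fix: describeFix(v.fixAvailable),
  }));
  findings.sort(
    (a, b) =>
      (SEVERITY_RANK[b.severity] ?? -1) - (SEVERITY_RANK[a.severity] ?? -1) ||
      a.name.localeCompare(b.name),
  );
  return findings;
}

// Packages that npm cannot fix on its own; these need a replacement or a manual decision.
function unfixable(findings) {
  return findings.filter((f) => f.fix === 'none').map((f) => f.name);
}

// Constructed sample report (placeholder severities and versions, no real advisory data).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    handlebars: {
      name: 'handlebars', severity: 'critical', isDirect: false,
      via: [{ name: 'handlebars', title: 'constructed advisory', severity: 'critical' }],
      effects: ['hbs'],
      fixAvailable: { name: 'hbs', version: 'x.y.z', isSemVerMajor: false },
    },
    hbs: { name: 'hbs', severity: 'critical', isDirect: true, via: ['handlebars'], effects: [], fixAvailable: true },
    useragent: {
      name: 'useragent', severity: 'high', isDirect: true,
      via: [{ name: 'useragent', title: 'constructed ReDoS advisory', severity: 'high' }],
      effects: [], fixAvailable: false,
    },
    'path-to-regexp': {
      name: 'path-to-regexp', severity: 'high', isDirect: false,
      via: [{ name: 'path-to-regexp', title: 'constructed advisory', severity: 'high' }],
      effects: ['express'],
      fixAvailable: { name: 'express', version: 'x.y.z', isSemVerMajor: false },
    },
    express: { name: 'express', severity: 'high', isDirect: true, via: ['path-to-regexp'], effects: [], fixAvailable: true },
  },
};

const SAMPLE_FINDINGS = triage(SAMPLE_REPORT);
console.table(SAMPLE_FINDINGS);
console.log('no npm fix available:', unfixable(SAMPLE_FINDINGS));
```

To run it against a real checkout, save `npm audit --omit=dev --json > audit.json` and pass `JSON.parse(fs.readFileSync('audit.json', 'utf8'))` to `triage` instead of the sample. The `causes` column is what separates "update hbs" from "update handlebars": npm reports both, but only one carries the advisory, and the `fix` column shows whether a lockfile refresh is enough or a replacement (as for `useragent`) has to be considered.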
Expected behavior
Kutt should update vulnerable production dependencies where possible, for example:
Update hbs to a version that depends on a patched handlebars
Update express to a patched 4.x version if compatible
Evaluate replacing useragent with a maintained alternative such as ua-parser-js
Update mail-related dependencies where possible
Refresh the lockfile accordingly
Additional context
I understand that npm audit can report issues that are not always directly exploitable. Still, reducing known vulnerable dependencies would make Kutt easier and safer to operate in production.