{ "auditReportVersion": 2, "vulnerabilities": { "@google-cloud/firestore": { "name": "@google-cloud/firestore", "severity": "moderate", "isDirect": false, "via": [ "google-gax" ], "effects": [ "firebase-admin" ], "range": "7.5.0-pre.0 || 7.6.0 - 7.11.6", "nodes": [ "node_modules/@google-cloud/firestore" ], "fixAvailable": { "name": "firebase-admin", "version": "13.10.0", "isSemVerMajor": true } }, "@google-cloud/storage": { "name": "@google-cloud/storage", "severity": "moderate", "isDirect": false, "via": [ "retry-request", "teeny-request", "uuid" ], "effects": [ "firebase-admin" ], "range": "2.2.0 - 2.5.0 || >=5.19.0", "nodes": [ "node_modules/@google-cloud/storage" ], "fixAvailable": { "name": "firebase-admin", "version": "13.10.0", "isSemVerMajor": true } }, "@tootallnate/once": { "name": "@tootallnate/once", "severity": "low", "isDirect": false, "via": [ { "source": 1119438, "name": "@tootallnate/once", "dependency": "@tootallnate/once", "title": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping", "url": "https://github.com/advisories/GHSA-vpq2-c234-7xj6", "severity": "low", "cwe": [ "CWE-705" ], "cvss": { "score": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, "range": "<2.0.1" } ], "effects": [], "range": "<2.0.1", "nodes": [ "node_modules/@tootallnate/once" ], "fixAvailable": true }, "axios": { "name": "axios", "severity": "high", "isDirect": false, "via": [ { "source": 1119667, "name": "axios", "dependency": "axios", "title": "axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)", "url": "https://github.com/advisories/GHSA-pjwm-pj3p-43mv", "severity": "high", "cwe": [ "CWE-918" ], "cvss": { "score": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, "range": ">=1.0.0 <1.16.0" }, { "source": 1119669, "name": "axios", "dependency": "axios", "title": "axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions", "url": "https://github.com/advisories/GHSA-898c-q2cr-xwhg", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L" }, "range": ">=1.0.0 <1.16.0" }, { "source": 1119670, "name": "axios", "dependency": "axios", "title": "Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix", "url": "https://github.com/advisories/GHSA-654m-c8p4-x5fp", "severity": "low", "cwe": [ "CWE-113", "CWE-1321" ], "cvss": { "score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "=1.15.2" }, { "source": 1119675, "name": "axios", "dependency": "axios", "title": "axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`", "url": "https://github.com/advisories/GHSA-35jp-ww65-95wh", "severity": "high", "cwe": [ "CWE-441", "CWE-1321" ], "cvss": { "score": 8.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N" }, "range": ">=1.0.0 <1.16.0" }, { "source": 1120073, "name": "axios", "dependency": "axios", "title": "Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection", "url": "https://github.com/advisories/GHSA-hfxv-24rg-xrqf", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=1.0.0 <1.16.0" }, { "source": 1120074, "name": "axios", "dependency": "axios", "title": "Allocation of Resources Without Limits or Throttling in Axios", "url": "https://github.com/advisories/GHSA-777c-7fjr-54vf", "severity": "high", "cwe": [ "CWE-770" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=1.7.0 <1.16.0" }, { "source": 1120076, "name": "axios", "dependency": "axios", "title": "Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter", "url": "https://github.com/advisories/GHSA-p92q-9vqr-4j8v", "severity": "high", "cwe": [ "CWE-201" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=1.0.0 <1.16.0" }, { "source": 1120078, "name": "axios", "dependency": "axios", "title": "Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection", "url": "https://github.com/advisories/GHSA-j5f8-grm9-p9fc", "severity": "high", "cwe": [ "CWE-200" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=1.0.0 <1.16.0" } ], "effects": [], "range": "1.0.0 - 1.15.2", "nodes": [ "node_modules/axios" ], "fixAvailable": true }, "engine.io": { "name": "engine.io", "severity": "moderate", "isDirect": false, "via": [ "ws" ], "effects": [], "range": "0.7.8 - 0.7.9 || 6.0.0 - 6.6.7", "nodes": [ "node_modules/engine.io" ], "fixAvailable": true }, "engine.io-client": { "name": "engine.io-client", "severity": "moderate", "isDirect": false, "via": [ "ws" ], "effects": [], "range": "0.7.0 || 0.7.8 - 0.7.9 || 6.0.0 - 6.6.4", "nodes": [ "node_modules/engine.io-client" ], "fixAvailable": true }, "esbuild": { "name": "esbuild", "severity": "moderate", "isDirect": false, "via": [ { "source": 1102341, "name": "esbuild", "dependency": "esbuild", "title": "esbuild enables any website to send any requests to the development server and read the response", "url": "https://github.com/advisories/GHSA-67mh-4wv8-2f99", "severity": "moderate", "cwe": [ "CWE-346" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, "range": "<=0.24.2" } ], "effects": [ "vite" ], "range": "<=0.24.2", "nodes": [ "node_modules/esbuild" ], "fixAvailable": { "name": "vitest", "version": "4.1.8", "isSemVerMajor": true } }, "express": { "name": "express", "severity": "moderate", "isDirect": true, "via": [ "qs" ], "effects": [], "range": "4.21.0 - 4.22.1 || 5.0.0-alpha.1 - 5.0.1", "nodes": [ "node_modules/express" ], "fixAvailable": true }, "fast-xml-builder": { "name": "fast-xml-builder", "severity": "high", "isDirect": false, "via": [ { "source": 1118965, "name": "fast-xml-builder", "dependency": "fast-xml-builder", "title": "fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes", "url": "https://github.com/advisories/GHSA-5wm8-gmm8-39j9", "severity": "high", "cwe": [ "CWE-91", "CWE-611" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=1.1.6" }, { "source": 1118966, "name": "fast-xml-builder", "dependency": "fast-xml-builder", "title": "fast-xml-builder Comment Value regex can be bypassed", "url": "https://github.com/advisories/GHSA-45c6-75p6-83cc", "severity": "moderate", "cwe": [ "CWE-91" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "=1.1.5" } ], "effects": [], "range": "<=1.1.6", "nodes": [ "node_modules/fast-xml-builder" ], "fixAvailable": true }, "firebase-admin": { "name": "firebase-admin", "severity": "moderate", "isDirect": true, "via": [ "@google-cloud/firestore", "@google-cloud/storage", "uuid" ], "effects": [], "range": ">=10.2.0", "nodes": [ "node_modules/firebase-admin" ], "fixAvailable": { "name": "firebase-admin", "version": "13.10.0", "isSemVerMajor": true } }, "gaxios": { "name": "gaxios", "severity": "moderate", "isDirect": false, "via": [ "uuid" ], "effects": [], "range": "6.4.0 - 6.7.1", "nodes": [ "node_modules/gaxios" ], "fixAvailable": true }, "google-gax": { "name": "google-gax", "severity": "moderate", "isDirect": false, "via": [ "retry-request", "uuid" ], "effects": [ "@google-cloud/firestore" ], "range": "4.0.5-experimental - 4.6.1", "nodes": [ "node_modules/google-gax" ], "fixAvailable": { "name": "firebase-admin", "version": "13.10.0", "isSemVerMajor": true } }, "js-cookie": { "name": "js-cookie", "severity": "high", "isDirect": false, "via": [ { "source": 1119459, "name": "js-cookie", "dependency": "js-cookie", "title": "JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection", "url": "https://github.com/advisories/GHSA-qjx8-664m-686j", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": "<=3.0.5" } ], "effects": [], "range": "<=3.0.5", "nodes": [ "node_modules/js-cookie" ], "fixAvailable": true }, "next": { "name": "next", "severity": "critical", "isDirect": true, "via": [ { "source": 1099638, "name": "next", "dependency": "next", "title": "Next.js Cache Poisoning", "url": "https://github.com/advisories/GHSA-gp8f-8m3g-qvj9", "severity": "high", "cwe": [ "CWE-349", "CWE-639" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=14.0.0 <14.2.10" }, { "source": 1100421, "name": "next", "dependency": "next", "title": "Denial of Service condition in Next.js image optimization", "url": "https://github.com/advisories/GHSA-g77x-44xx-532m", "severity": "moderate", "cwe": [ "CWE-674" ], "cvss": { "score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=10.0.0 <14.2.7" }, { "source": 1101438, "name": "next", "dependency": "next", "title": "Next.js Allows a Denial of Service (DoS) with Server Actions", "url": "https://github.com/advisories/GHSA-7m27-7ghc-44w9", "severity": "moderate", "cwe": [ "CWE-770" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=14.0.0 <14.2.21" }, { "source": 1105461, "name": "next", "dependency": "next", "title": "Information exposure in Next.js dev server due to lack of origin verification", "url": "https://github.com/advisories/GHSA-3h52-269p-cp9r", "severity": "low", "cwe": [ "CWE-1385" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=13.0 <14.2.30" }, { "source": 1107226, "name": "next", "dependency": "next", "title": "Next.js Affected by Cache Key Confusion for Image Optimization API Routes", "url": "https://github.com/advisories/GHSA-g5qg-72qw-gw5v", "severity": "moderate", "cwe": [ "CWE-524" ], "cvss": { "score": 6.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=0.9.9 <14.2.31" }, { "source": 1107420, "name": "next", "dependency": "next", "title": "Next.js authorization bypass vulnerability", "url": "https://github.com/advisories/GHSA-7gfc-8cq8-jh5f", "severity": "high", "cwe": [ "CWE-285", "CWE-863" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=9.5.5 <14.2.15" }, { "source": 1107512, "name": "next", "dependency": "next", "title": "Next.js Improper Middleware Redirect Handling Leads to SSRF", "url": "https://github.com/advisories/GHSA-4342-x723-ch2f", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N" }, "range": ">=0.9.9 <14.2.32" }, { "source": 1107513, "name": "next", "dependency": "next", "title": "Next.js Content Injection Vulnerability for Image Optimization", "url": "https://github.com/advisories/GHSA-xv57-4mr9-wg8v", "severity": "moderate", "cwe": [ "CWE-20" ], "cvss": { "score": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, "range": ">=0.9.9 <14.2.31" }, { "source": 1108291, "name": "next", "dependency": "next", "title": "Next.js Race Condition to Cache Poisoning", "url": "https://github.com/advisories/GHSA-qpjv-v59x-3qc4", "severity": "low", "cwe": [ "CWE-362" ], "cvss": { "score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, "range": ">=0.9.9 <14.2.24" }, { "source": 1111391, "name": "next", "dependency": "next", "title": "Next Vulnerable to Denial of Service with Server Components", "url": "https://github.com/advisories/GHSA-mwv6-3258-q52c", "severity": "high", "cwe": [ "CWE-400", "CWE-502", "CWE-1395" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=13.3.0 <14.2.34" }, { "source": 1112182, "name": "next", "dependency": "next", "title": "Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up", "url": "https://github.com/advisories/GHSA-5j59-xgg2-r9c4", "severity": "high", "cwe": [ "CWE-400", "CWE-502", "CWE-1395" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=13.3.1-canary.0 <14.2.35" }, { "source": 1112593, "name": "next", "dependency": "next", "title": "Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration", "url": "https://github.com/advisories/GHSA-9g9p-9gw9-jx7f", "severity": "moderate", "cwe": [ "CWE-400", "CWE-770" ], "cvss": { "score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=10.0.0 <15.5.10" }, { "source": 1112653, "name": "next", "dependency": "next", "title": "Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components", "url": "https://github.com/advisories/GHSA-h25m-26qc-wcjf", "severity": "high", "cwe": [ "CWE-400", "CWE-502" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=13.0.0 <15.0.8" }, { "source": 1113689, "name": "next", "dependency": "next", "title": "Authorization Bypass in Next.js Middleware", "url": "https://github.com/advisories/GHSA-f82v-jwr5-mffw", "severity": "critical", "cwe": [ "CWE-285", "CWE-863" ], "cvss": { "score": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, "range": ">=14.0.0 <14.2.25" }, { "source": 1114897, "name": "next", "dependency": "next", "title": "Next.js: HTTP request smuggling in rewrites", "url": "https://github.com/advisories/GHSA-ggv3-7p47-pfv8", "severity": "moderate", "cwe": [ "CWE-444" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=9.5.0 <15.5.13" }, { "source": 1114940, "name": "next", "dependency": "next", "title": "Next.js: Unbounded next/image disk cache growth can exhaust storage", "url": "https://github.com/advisories/GHSA-3x4c-7xq6-9pq8", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=10.0.0 <15.5.14" }, { "source": 1116376, "name": "next", "dependency": "next", "title": "Next.js has a Denial of Service with Server Components", "url": "https://github.com/advisories/GHSA-q4gf-8mx6-v5v3", "severity": "high", "cwe": [ "CWE-770" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=13.0.0 <15.5.15" }, { "source": 1117931, "name": "next", "dependency": "next", "title": "Next.js Vulnerable to Denial of Service with Server Components", "url": "https://github.com/advisories/GHSA-8h8q-6873-q5fj", "severity": "high", "cwe": [ "CWE-770" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=13.0.0 <15.5.16" }, { "source": 1118942, "name": "next", "dependency": "next", "title": "Next.js's Middleware / Proxy redirects can be cache-poisoned", "url": "https://github.com/advisories/GHSA-3g8h-86w9-wvmq", "severity": "low", "cwe": [ "CWE-349" ], "cvss": { "score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=12.2.0 <15.5.16" }, { "source": 1118944, "name": "next", "dependency": "next", "title": "Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces", "url": "https://github.com/advisories/GHSA-ffhc-5mcf-pf4q", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 4.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": ">=13.4.0 <15.5.16" }, { "source": 1118946, "name": "next", "dependency": "next", "title": "Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting", "url": "https://github.com/advisories/GHSA-vfv6-92ff-j949", "severity": "low", "cwe": [ "CWE-328" ], "cvss": { "score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": ">=13.4.6 <15.5.16" }, { "source": 1118948, "name": "next", "dependency": "next", "title": "Next.js has cross-site scripting in beforeInteractive scripts with untrusted input", "url": "https://github.com/advisories/GHSA-gx5p-jg67-6x7h", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": ">=13.0.0 <15.5.16" }, { "source": 1118952, "name": "next", "dependency": "next", "title": "Next.js has a Denial of Service in the Image Optimization API", "url": "https://github.com/advisories/GHSA-h64f-5h5j-jqjh", "severity": "moderate", "cwe": [ "CWE-770" ], "cvss": { "score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=10.0.0 <15.5.16" }, { "source": 1118954, "name": "next", "dependency": "next", "title": "Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades", "url": "https://github.com/advisories/GHSA-c4j6-fc7j-m34r", "severity": "high", "cwe": [ "CWE-918" ], "cvss": { "score": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, "range": ">=13.4.13 <15.5.16" }, { "source": 1118958, "name": "next", "dependency": "next", "title": "Next.js vulnerable to cache poisoning in React Server Component responses", "url": "https://github.com/advisories/GHSA-wfc6-r584-vfw7", "severity": "moderate", "cwe": [ "CWE-436" ], "cvss": { "score": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L" }, "range": ">=14.2.0 <15.5.16" }, { "source": 1118962, "name": "next", "dependency": "next", "title": "Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n", "url": "https://github.com/advisories/GHSA-36qx-fr4f-26g5", "severity": "high", "cwe": [ "CWE-863" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=12.2.0 <15.5.16" }, "postcss" ], "effects": [], "range": "0.9.9 - 16.3.0-canary.5", "nodes": [ "node_modules/next" ], "fixAvailable": { "name": "next", "version": "14.2.35", "isSemVerMajor": false } }, "node-cron": { "name": "node-cron", "severity": "moderate", "isDirect": true, "via": [ "uuid" ], "effects": [], "range": "3.0.2 - 3.0.3", "nodes": [ "node_modules/node-cron" ], "fixAvailable": { "name": "node-cron", "version": "4.2.1", "isSemVerMajor": true } }, "nodemailer": { "name": "nodemailer", "severity": "high", "isDirect": true, "via": [ { "source": 1109804, "name": "nodemailer", "dependency": "nodemailer", "title": "Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict", "url": "https://github.com/advisories/GHSA-mm7p-fcc7-pg87", "severity": "moderate", "cwe": [ "CWE-20", "CWE-436" ], "cvss": { "score": 0, "vectorString": null }, "range": "<7.0.7" }, { "source": 1113165, "name": "nodemailer", "dependency": "nodemailer", "title": "Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls", "url": "https://github.com/advisories/GHSA-rcmh-qjqh-p98v", "severity": "high", "cwe": [ "CWE-703" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<=7.0.10" }, { "source": 1115470, "name": "nodemailer", "dependency": "nodemailer", "title": "Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter", "url": "https://github.com/advisories/GHSA-c7w3-x93f-qmm8", "severity": "low", "cwe": [ "CWE-93" ], "cvss": { "score": 0, "vectorString": null }, "range": "<8.0.4" }, { "source": 1116270, "name": "nodemailer", "dependency": "nodemailer", "title": "Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO) ", "url": "https://github.com/advisories/GHSA-vvjj-xcjg-gr5g", "severity": "moderate", "cwe": [ "CWE-93" ], "cvss": { "score": 4.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N" }, "range": "<=8.0.4" } ], "effects": [], "range": "<=8.0.4", "nodes": [ "node_modules/nodemailer" ], "fixAvailable": { "name": "nodemailer", "version": "8.0.10", "isSemVerMajor": true } }, "postcss": { "name": "postcss", "severity": "moderate", "isDirect": false, "via": [ { "source": 1117015, "name": "postcss", "dependency": "postcss", "title": "PostCSS has XSS via Unescaped in its CSS Stringify Output", "url": "https://github.com/advisories/GHSA-qx2v-qp2m-jg93", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<8.5.10" } ], "effects": [ "next" ], "range": "<8.5.10", "nodes": [ "node_modules/next/node_modules/postcss" ], "fixAvailable": { "name": "next", "version": "14.2.35", "isSemVerMajor": false } }, "protobufjs": { "name": "protobufjs", "severity": "moderate", "isDirect": false, "via": [ { "source": 1119378, "name": "protobufjs", "dependency": "protobufjs", "title": "protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion", "url": "https://github.com/advisories/GHSA-jggg-4jg4-v7c6", "severity": "moderate", "cwe": [ "CWE-674" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<=7.5.7" } ], "effects": [], "range": "<=7.5.7", "nodes": [ "node_modules/protobufjs" ], "fixAvailable": true }, "qs": { "name": "qs", "severity": "moderate", "isDirect": false, "via": [ { "source": 1119502, "name": "qs", "dependency": "qs", "title": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set", "url": "https://github.com/advisories/GHSA-q8mj-m7cp-5q26", "severity": "moderate", "cwe": [ "CWE-476" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=6.11.1 <=6.15.1" } ], "effects": [ "express" ], "range": "6.11.1 - 6.15.1", "nodes": [ "node_modules/body-parser/node_modules/qs", "node_modules/qs" ], "fixAvailable": true }, "retry-request": { "name": "retry-request", "severity": "moderate", "isDirect": false, "via": [ "teeny-request" ], "effects": [ "@google-cloud/storage", "google-gax" ], "range": "7.0.0 - 7.0.2", "nodes": [ "node_modules/retry-request" ], "fixAvailable": { "name": "firebase-admin", "version": "13.10.0", "isSemVerMajor": true } }, "socket.io-adapter": { "name": "socket.io-adapter", "severity": "moderate", "isDirect": false, "via": [ "ws" ], "effects": [], "range": "2.5.2 - 2.5.6", "nodes": [ "node_modules/socket.io-adapter" ], "fixAvailable": true }, "teeny-request": { "name": "teeny-request", "severity": "moderate", "isDirect": false, "via": [ "uuid" ], "effects": [ "@google-cloud/storage", "retry-request" ], "range": "3.9.1 - 9.0.0", "nodes": [ "node_modules/teeny-request" ], "fixAvailable": { "name": "firebase-admin", "version": "13.10.0", "isSemVerMajor": true } }, "turbo": { "name": "turbo", "severity": "moderate", "isDirect": true, "via": [ { "source": 1119386, "name": "turbo", "dependency": "turbo", "title": "Trubo: Login callback CSRF/session fixation", "url": "https://github.com/advisories/GHSA-hcf7-66rw-9f5r", "severity": "moderate", "cwe": [ "CWE-352" ], "cvss": { "score": 0, "vectorString": null }, "range": "<=2.9.13" }, { "source": 1119389, "name": "turbo", "dependency": "turbo", "title": "Turbo: Unexpected local code execution during Yarn Berry detection", "url": "https://github.com/advisories/GHSA-3qcw-2rhx-2726", "severity": "low", "cwe": [ "CWE-426" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.1.0 <2.9.14" } ], "effects": [], "range": "<=2.9.13-canary.1", "nodes": [ "node_modules/turbo" ], "fixAvailable": { "name": "turbo", "version": "2.9.16", "isSemVerMajor": true } }, "uuid": { "name": "uuid", "severity": "moderate", "isDirect": false, "via": [ { "source": 1119441, "name": "uuid", "dependency": "uuid", "title": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided", "url": "https://github.com/advisories/GHSA-w5hq-g745-h8pq", "severity": "moderate", "cwe": [ "CWE-787", "CWE-1285" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": "<11.1.1" } ], "effects": [ "@google-cloud/storage", "firebase-admin", "gaxios", "google-gax", "node-cron", "teeny-request" ], "range": "<11.1.1", "nodes": [ "node_modules/@google-cloud/storage/node_modules/uuid", "node_modules/gaxios/node_modules/uuid", "node_modules/google-gax/node_modules/uuid", "node_modules/node-cron/node_modules/uuid", "node_modules/teeny-request/node_modules/uuid", "node_modules/uuid" ], "fixAvailable": { "name": "node-cron", "version": "4.2.1", "isSemVerMajor": true } }, "vite": { "name": "vite", "severity": "moderate", "isDirect": false, "via": [ { "source": 1116229, "name": "vite", "dependency": "vite", "title": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling", "url": "https://github.com/advisories/GHSA-4w7w-66w2-5vf9", "severity": "moderate", "cwe": [ "CWE-22", "CWE-200" ], "cvss": { "score": 0, "vectorString": null }, "range": "<=6.4.1" }, "esbuild" ], "effects": [ "vite-node", "vitest" ], "range": "<=6.4.1", "nodes": [ "node_modules/vite" ], "fixAvailable": { "name": "vitest", "version": "4.1.8", "isSemVerMajor": true } }, "vite-node": { "name": "vite-node", "severity": "moderate", "isDirect": false, "via": [ "vite" ], "effects": [ "vitest" ], "range": "<=2.2.0-beta.2", "nodes": [ "node_modules/vite-node" ], "fixAvailable": { "name": "vitest", "version": "4.1.8", "isSemVerMajor": true } }, "vitest": { "name": "vitest", "severity": "critical", "isDirect": true, "via": [ { "source": 1120011, "name": "vitest", "dependency": "vitest", "title": "When Vitest UI server is listening, arbitrary file can be read and executed", "url": "https://github.com/advisories/GHSA-5xrq-8626-4rwp", "severity": "critical", "cwe": [ "CWE-862" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<4.1.0" }, "vite", "vite-node" ], "effects": [], "range": "<=4.1.0-beta.6", "nodes": [ "node_modules/vitest" ], "fixAvailable": { "name": "vitest", "version": "4.1.8", "isSemVerMajor": true } }, "ws": { "name": "ws", "severity": "moderate", "isDirect": false, "via": [ { "source": 1119108, "name": "ws", "dependency": "ws", "title": "ws: Uninitialized memory disclosure", "url": "https://github.com/advisories/GHSA-58qx-3vcg-4xpx", "severity": "moderate", "cwe": [ "CWE-908" ], "cvss": { "score": 4.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=8.0.0 <8.20.1" } ], "effects": [ "engine.io", "engine.io-client", "socket.io-adapter" ], "range": "8.0.0 - 8.20.0", "nodes": [ "node_modules/ws" ], "fixAvailable": true } }, "metadata": { "vulnerabilities": { "info": 0, "low": 1, "moderate": 21, "high": 4, "critical": 2, "total": 28 }, "dependencies": { "prod": 515, "dev": 248, "optional": 167, "peer": 1, "peerOptional": 0, "total": 874 } } }