Files
carmanagement/security-reports/npm-audit.json
T
2026-06-10 00:40:19 -04:00

1362 lines
38 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"auditReportVersion": 2,
"vulnerabilities": {
"@google-cloud/firestore": {
"name": "@google-cloud/firestore",
"severity": "moderate",
"isDirect": false,
"via": [
"google-gax"
],
"effects": [
"firebase-admin"
],
"range": "7.5.0-pre.0 || 7.6.0 - 7.11.6",
"nodes": [
"node_modules/@google-cloud/firestore"
],
"fixAvailable": {
"name": "firebase-admin",
"version": "13.10.0",
"isSemVerMajor": true
}
},
"@google-cloud/storage": {
"name": "@google-cloud/storage",
"severity": "moderate",
"isDirect": false,
"via": [
"retry-request",
"teeny-request",
"uuid"
],
"effects": [
"firebase-admin"
],
"range": "2.2.0 - 2.5.0 || >=5.19.0",
"nodes": [
"node_modules/@google-cloud/storage"
],
"fixAvailable": {
"name": "firebase-admin",
"version": "13.10.0",
"isSemVerMajor": true
}
},
"@tootallnate/once": {
"name": "@tootallnate/once",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1119438,
"name": "@tootallnate/once",
"dependency": "@tootallnate/once",
"title": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping",
"url": "https://github.com/advisories/GHSA-vpq2-c234-7xj6",
"severity": "low",
"cwe": [
"CWE-705"
],
"cvss": {
"score": 3.3,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<2.0.1"
}
],
"effects": [],
"range": "<2.0.1",
"nodes": [
"node_modules/@tootallnate/once"
],
"fixAvailable": true
},
"axios": {
"name": "axios",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1119667,
"name": "axios",
"dependency": "axios",
"title": "axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)",
"url": "https://github.com/advisories/GHSA-pjwm-pj3p-43mv",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 8.6,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
},
"range": ">=1.0.0 <1.16.0"
},
{
"source": 1119669,
"name": "axios",
"dependency": "axios",
"title": "axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions",
"url": "https://github.com/advisories/GHSA-898c-q2cr-xwhg",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": ">=1.0.0 <1.16.0"
},
{
"source": 1119670,
"name": "axios",
"dependency": "axios",
"title": "Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix",
"url": "https://github.com/advisories/GHSA-654m-c8p4-x5fp",
"severity": "low",
"cwe": [
"CWE-113",
"CWE-1321"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "=1.15.2"
},
{
"source": 1119675,
"name": "axios",
"dependency": "axios",
"title": "axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`",
"url": "https://github.com/advisories/GHSA-35jp-ww65-95wh",
"severity": "high",
"cwe": [
"CWE-441",
"CWE-1321"
],
"cvss": {
"score": 8.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
},
"range": ">=1.0.0 <1.16.0"
},
{
"source": 1120073,
"name": "axios",
"dependency": "axios",
"title": "Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection",
"url": "https://github.com/advisories/GHSA-hfxv-24rg-xrqf",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=1.0.0 <1.16.0"
},
{
"source": 1120074,
"name": "axios",
"dependency": "axios",
"title": "Allocation of Resources Without Limits or Throttling in Axios",
"url": "https://github.com/advisories/GHSA-777c-7fjr-54vf",
"severity": "high",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=1.7.0 <1.16.0"
},
{
"source": 1120076,
"name": "axios",
"dependency": "axios",
"title": "Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter",
"url": "https://github.com/advisories/GHSA-p92q-9vqr-4j8v",
"severity": "high",
"cwe": [
"CWE-201"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=1.0.0 <1.16.0"
},
{
"source": 1120078,
"name": "axios",
"dependency": "axios",
"title": "Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection",
"url": "https://github.com/advisories/GHSA-j5f8-grm9-p9fc",
"severity": "high",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=1.0.0 <1.16.0"
}
],
"effects": [],
"range": "1.0.0 - 1.15.2",
"nodes": [
"node_modules/axios"
],
"fixAvailable": true
},
"engine.io": {
"name": "engine.io",
"severity": "moderate",
"isDirect": false,
"via": [
"ws"
],
"effects": [],
"range": "0.7.8 - 0.7.9 || 6.0.0 - 6.6.7",
"nodes": [
"node_modules/engine.io"
],
"fixAvailable": true
},
"engine.io-client": {
"name": "engine.io-client",
"severity": "moderate",
"isDirect": false,
"via": [
"ws"
],
"effects": [],
"range": "0.7.0 || 0.7.8 - 0.7.9 || 6.0.0 - 6.6.4",
"nodes": [
"node_modules/engine.io-client"
],
"fixAvailable": true
},
"esbuild": {
"name": "esbuild",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1102341,
"name": "esbuild",
"dependency": "esbuild",
"title": "esbuild enables any website to send any requests to the development server and read the response",
"url": "https://github.com/advisories/GHSA-67mh-4wv8-2f99",
"severity": "moderate",
"cwe": [
"CWE-346"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": "<=0.24.2"
}
],
"effects": [
"vite"
],
"range": "<=0.24.2",
"nodes": [
"node_modules/esbuild"
],
"fixAvailable": {
"name": "vitest",
"version": "4.1.8",
"isSemVerMajor": true
}
},
"express": {
"name": "express",
"severity": "moderate",
"isDirect": true,
"via": [
"qs"
],
"effects": [],
"range": "4.21.0 - 4.22.1 || 5.0.0-alpha.1 - 5.0.1",
"nodes": [
"node_modules/express"
],
"fixAvailable": true
},
"fast-xml-builder": {
"name": "fast-xml-builder",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1118965,
"name": "fast-xml-builder",
"dependency": "fast-xml-builder",
"title": "fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes",
"url": "https://github.com/advisories/GHSA-5wm8-gmm8-39j9",
"severity": "high",
"cwe": [
"CWE-91",
"CWE-611"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=1.1.6"
},
{
"source": 1118966,
"name": "fast-xml-builder",
"dependency": "fast-xml-builder",
"title": "fast-xml-builder Comment Value regex can be bypassed",
"url": "https://github.com/advisories/GHSA-45c6-75p6-83cc",
"severity": "moderate",
"cwe": [
"CWE-91"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "=1.1.5"
}
],
"effects": [],
"range": "<=1.1.6",
"nodes": [
"node_modules/fast-xml-builder"
],
"fixAvailable": true
},
"firebase-admin": {
"name": "firebase-admin",
"severity": "moderate",
"isDirect": true,
"via": [
"@google-cloud/firestore",
"@google-cloud/storage",
"uuid"
],
"effects": [],
"range": ">=10.2.0",
"nodes": [
"node_modules/firebase-admin"
],
"fixAvailable": {
"name": "firebase-admin",
"version": "13.10.0",
"isSemVerMajor": true
}
},
"gaxios": {
"name": "gaxios",
"severity": "moderate",
"isDirect": false,
"via": [
"uuid"
],
"effects": [],
"range": "6.4.0 - 6.7.1",
"nodes": [
"node_modules/gaxios"
],
"fixAvailable": true
},
"google-gax": {
"name": "google-gax",
"severity": "moderate",
"isDirect": false,
"via": [
"retry-request",
"uuid"
],
"effects": [
"@google-cloud/firestore"
],
"range": "4.0.5-experimental - 4.6.1",
"nodes": [
"node_modules/google-gax"
],
"fixAvailable": {
"name": "firebase-admin",
"version": "13.10.0",
"isSemVerMajor": true
}
},
"js-cookie": {
"name": "js-cookie",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1119459,
"name": "js-cookie",
"dependency": "js-cookie",
"title": "JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection",
"url": "https://github.com/advisories/GHSA-qjx8-664m-686j",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.0.5"
}
],
"effects": [],
"range": "<=3.0.5",
"nodes": [
"node_modules/js-cookie"
],
"fixAvailable": true
},
"next": {
"name": "next",
"severity": "critical",
"isDirect": true,
"via": [
{
"source": 1099638,
"name": "next",
"dependency": "next",
"title": "Next.js Cache Poisoning",
"url": "https://github.com/advisories/GHSA-gp8f-8m3g-qvj9",
"severity": "high",
"cwe": [
"CWE-349",
"CWE-639"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=14.0.0 <14.2.10"
},
{
"source": 1100421,
"name": "next",
"dependency": "next",
"title": "Denial of Service condition in Next.js image optimization",
"url": "https://github.com/advisories/GHSA-g77x-44xx-532m",
"severity": "moderate",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=10.0.0 <14.2.7"
},
{
"source": 1101438,
"name": "next",
"dependency": "next",
"title": "Next.js Allows a Denial of Service (DoS) with Server Actions",
"url": "https://github.com/advisories/GHSA-7m27-7ghc-44w9",
"severity": "moderate",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=14.0.0 <14.2.21"
},
{
"source": 1105461,
"name": "next",
"dependency": "next",
"title": "Information exposure in Next.js dev server due to lack of origin verification",
"url": "https://github.com/advisories/GHSA-3h52-269p-cp9r",
"severity": "low",
"cwe": [
"CWE-1385"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=13.0 <14.2.30"
},
{
"source": 1107226,
"name": "next",
"dependency": "next",
"title": "Next.js Affected by Cache Key Confusion for Image Optimization API Routes",
"url": "https://github.com/advisories/GHSA-g5qg-72qw-gw5v",
"severity": "moderate",
"cwe": [
"CWE-524"
],
"cvss": {
"score": 6.2,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=0.9.9 <14.2.31"
},
{
"source": 1107420,
"name": "next",
"dependency": "next",
"title": "Next.js authorization bypass vulnerability",
"url": "https://github.com/advisories/GHSA-7gfc-8cq8-jh5f",
"severity": "high",
"cwe": [
"CWE-285",
"CWE-863"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=9.5.5 <14.2.15"
},
{
"source": 1107512,
"name": "next",
"dependency": "next",
"title": "Next.js Improper Middleware Redirect Handling Leads to SSRF",
"url": "https://github.com/advisories/GHSA-4342-x723-ch2f",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"
},
"range": ">=0.9.9 <14.2.32"
},
{
"source": 1107513,
"name": "next",
"dependency": "next",
"title": "Next.js Content Injection Vulnerability for Image Optimization",
"url": "https://github.com/advisories/GHSA-xv57-4mr9-wg8v",
"severity": "moderate",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
},
"range": ">=0.9.9 <14.2.31"
},
{
"source": 1108291,
"name": "next",
"dependency": "next",
"title": "Next.js Race Condition to Cache Poisoning",
"url": "https://github.com/advisories/GHSA-qpjv-v59x-3qc4",
"severity": "low",
"cwe": [
"CWE-362"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
"range": ">=0.9.9 <14.2.24"
},
{
"source": 1111391,
"name": "next",
"dependency": "next",
"title": "Next Vulnerable to Denial of Service with Server Components",
"url": "https://github.com/advisories/GHSA-mwv6-3258-q52c",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-502",
"CWE-1395"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=13.3.0 <14.2.34"
},
{
"source": 1112182,
"name": "next",
"dependency": "next",
"title": "Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up",
"url": "https://github.com/advisories/GHSA-5j59-xgg2-r9c4",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-502",
"CWE-1395"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=13.3.1-canary.0 <14.2.35"
},
{
"source": 1112593,
"name": "next",
"dependency": "next",
"title": "Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration",
"url": "https://github.com/advisories/GHSA-9g9p-9gw9-jx7f",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-770"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=10.0.0 <15.5.10"
},
{
"source": 1112653,
"name": "next",
"dependency": "next",
"title": "Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components",
"url": "https://github.com/advisories/GHSA-h25m-26qc-wcjf",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-502"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=13.0.0 <15.0.8"
},
{
"source": 1113689,
"name": "next",
"dependency": "next",
"title": "Authorization Bypass in Next.js Middleware",
"url": "https://github.com/advisories/GHSA-f82v-jwr5-mffw",
"severity": "critical",
"cwe": [
"CWE-285",
"CWE-863"
],
"cvss": {
"score": 9.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": ">=14.0.0 <14.2.25"
},
{
"source": 1114897,
"name": "next",
"dependency": "next",
"title": "Next.js: HTTP request smuggling in rewrites",
"url": "https://github.com/advisories/GHSA-ggv3-7p47-pfv8",
"severity": "moderate",
"cwe": [
"CWE-444"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=9.5.0 <15.5.13"
},
{
"source": 1114940,
"name": "next",
"dependency": "next",
"title": "Next.js: Unbounded next/image disk cache growth can exhaust storage",
"url": "https://github.com/advisories/GHSA-3x4c-7xq6-9pq8",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=10.0.0 <15.5.14"
},
{
"source": 1116376,
"name": "next",
"dependency": "next",
"title": "Next.js has a Denial of Service with Server Components",
"url": "https://github.com/advisories/GHSA-q4gf-8mx6-v5v3",
"severity": "high",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=13.0.0 <15.5.15"
},
{
"source": 1117931,
"name": "next",
"dependency": "next",
"title": "Next.js Vulnerable to Denial of Service with Server Components",
"url": "https://github.com/advisories/GHSA-8h8q-6873-q5fj",
"severity": "high",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=13.0.0 <15.5.16"
},
{
"source": 1118942,
"name": "next",
"dependency": "next",
"title": "Next.js's Middleware / Proxy redirects can be cache-poisoned",
"url": "https://github.com/advisories/GHSA-3g8h-86w9-wvmq",
"severity": "low",
"cwe": [
"CWE-349"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=12.2.0 <15.5.16"
},
{
"source": 1118944,
"name": "next",
"dependency": "next",
"title": "Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces",
"url": "https://github.com/advisories/GHSA-ffhc-5mcf-pf4q",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 4.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": ">=13.4.0 <15.5.16"
},
{
"source": 1118946,
"name": "next",
"dependency": "next",
"title": "Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting",
"url": "https://github.com/advisories/GHSA-vfv6-92ff-j949",
"severity": "low",
"cwe": [
"CWE-328"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": ">=13.4.6 <15.5.16"
},
{
"source": 1118948,
"name": "next",
"dependency": "next",
"title": "Next.js has cross-site scripting in beforeInteractive scripts with untrusted input",
"url": "https://github.com/advisories/GHSA-gx5p-jg67-6x7h",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": ">=13.0.0 <15.5.16"
},
{
"source": 1118952,
"name": "next",
"dependency": "next",
"title": "Next.js has a Denial of Service in the Image Optimization API",
"url": "https://github.com/advisories/GHSA-h64f-5h5j-jqjh",
"severity": "moderate",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=10.0.0 <15.5.16"
},
{
"source": 1118954,
"name": "next",
"dependency": "next",
"title": "Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades",
"url": "https://github.com/advisories/GHSA-c4j6-fc7j-m34r",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 8.6,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
},
"range": ">=13.4.13 <15.5.16"
},
{
"source": 1118958,
"name": "next",
"dependency": "next",
"title": "Next.js vulnerable to cache poisoning in React Server Component responses",
"url": "https://github.com/advisories/GHSA-wfc6-r584-vfw7",
"severity": "moderate",
"cwe": [
"CWE-436"
],
"cvss": {
"score": 5.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L"
},
"range": ">=14.2.0 <15.5.16"
},
{
"source": 1118962,
"name": "next",
"dependency": "next",
"title": "Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n",
"url": "https://github.com/advisories/GHSA-36qx-fr4f-26g5",
"severity": "high",
"cwe": [
"CWE-863"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=12.2.0 <15.5.16"
},
"postcss"
],
"effects": [],
"range": "0.9.9 - 16.3.0-canary.5",
"nodes": [
"node_modules/next"
],
"fixAvailable": {
"name": "next",
"version": "14.2.35",
"isSemVerMajor": false
}
},
"node-cron": {
"name": "node-cron",
"severity": "moderate",
"isDirect": true,
"via": [
"uuid"
],
"effects": [],
"range": "3.0.2 - 3.0.3",
"nodes": [
"node_modules/node-cron"
],
"fixAvailable": {
"name": "node-cron",
"version": "4.2.1",
"isSemVerMajor": true
}
},
"nodemailer": {
"name": "nodemailer",
"severity": "high",
"isDirect": true,
"via": [
{
"source": 1109804,
"name": "nodemailer",
"dependency": "nodemailer",
"title": "Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict",
"url": "https://github.com/advisories/GHSA-mm7p-fcc7-pg87",
"severity": "moderate",
"cwe": [
"CWE-20",
"CWE-436"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<7.0.7"
},
{
"source": 1113165,
"name": "nodemailer",
"dependency": "nodemailer",
"title": "Nodemailers addressparser is vulnerable to DoS caused by recursive calls",
"url": "https://github.com/advisories/GHSA-rcmh-qjqh-p98v",
"severity": "high",
"cwe": [
"CWE-703"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=7.0.10"
},
{
"source": 1115470,
"name": "nodemailer",
"dependency": "nodemailer",
"title": "Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter",
"url": "https://github.com/advisories/GHSA-c7w3-x93f-qmm8",
"severity": "low",
"cwe": [
"CWE-93"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<8.0.4"
},
{
"source": 1116270,
"name": "nodemailer",
"dependency": "nodemailer",
"title": "Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO) ",
"url": "https://github.com/advisories/GHSA-vvjj-xcjg-gr5g",
"severity": "moderate",
"cwe": [
"CWE-93"
],
"cvss": {
"score": 4.9,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=8.0.4"
}
],
"effects": [],
"range": "<=8.0.4",
"nodes": [
"node_modules/nodemailer"
],
"fixAvailable": {
"name": "nodemailer",
"version": "8.0.10",
"isSemVerMajor": true
}
},
"postcss": {
"name": "postcss",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1117015,
"name": "postcss",
"dependency": "postcss",
"title": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
"url": "https://github.com/advisories/GHSA-qx2v-qp2m-jg93",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<8.5.10"
}
],
"effects": [
"next"
],
"range": "<8.5.10",
"nodes": [
"node_modules/next/node_modules/postcss"
],
"fixAvailable": {
"name": "next",
"version": "14.2.35",
"isSemVerMajor": false
}
},
"protobufjs": {
"name": "protobufjs",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1119378,
"name": "protobufjs",
"dependency": "protobufjs",
"title": "protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion",
"url": "https://github.com/advisories/GHSA-jggg-4jg4-v7c6",
"severity": "moderate",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=7.5.7"
}
],
"effects": [],
"range": "<=7.5.7",
"nodes": [
"node_modules/protobufjs"
],
"fixAvailable": true
},
"qs": {
"name": "qs",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1119502,
"name": "qs",
"dependency": "qs",
"title": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set",
"url": "https://github.com/advisories/GHSA-q8mj-m7cp-5q26",
"severity": "moderate",
"cwe": [
"CWE-476"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=6.11.1 <=6.15.1"
}
],
"effects": [
"express"
],
"range": "6.11.1 - 6.15.1",
"nodes": [
"node_modules/body-parser/node_modules/qs",
"node_modules/qs"
],
"fixAvailable": true
},
"retry-request": {
"name": "retry-request",
"severity": "moderate",
"isDirect": false,
"via": [
"teeny-request"
],
"effects": [
"@google-cloud/storage",
"google-gax"
],
"range": "7.0.0 - 7.0.2",
"nodes": [
"node_modules/retry-request"
],
"fixAvailable": {
"name": "firebase-admin",
"version": "13.10.0",
"isSemVerMajor": true
}
},
"socket.io-adapter": {
"name": "socket.io-adapter",
"severity": "moderate",
"isDirect": false,
"via": [
"ws"
],
"effects": [],
"range": "2.5.2 - 2.5.6",
"nodes": [
"node_modules/socket.io-adapter"
],
"fixAvailable": true
},
"teeny-request": {
"name": "teeny-request",
"severity": "moderate",
"isDirect": false,
"via": [
"uuid"
],
"effects": [
"@google-cloud/storage",
"retry-request"
],
"range": "3.9.1 - 9.0.0",
"nodes": [
"node_modules/teeny-request"
],
"fixAvailable": {
"name": "firebase-admin",
"version": "13.10.0",
"isSemVerMajor": true
}
},
"turbo": {
"name": "turbo",
"severity": "moderate",
"isDirect": true,
"via": [
{
"source": 1119386,
"name": "turbo",
"dependency": "turbo",
"title": "Trubo: Login callback CSRF/session fixation",
"url": "https://github.com/advisories/GHSA-hcf7-66rw-9f5r",
"severity": "moderate",
"cwe": [
"CWE-352"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=2.9.13"
},
{
"source": 1119389,
"name": "turbo",
"dependency": "turbo",
"title": "Turbo: Unexpected local code execution during Yarn Berry detection",
"url": "https://github.com/advisories/GHSA-3qcw-2rhx-2726",
"severity": "low",
"cwe": [
"CWE-426"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.1.0 <2.9.14"
}
],
"effects": [],
"range": "<=2.9.13-canary.1",
"nodes": [
"node_modules/turbo"
],
"fixAvailable": {
"name": "turbo",
"version": "2.9.16",
"isSemVerMajor": true
}
},
"uuid": {
"name": "uuid",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1119441,
"name": "uuid",
"dependency": "uuid",
"title": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided",
"url": "https://github.com/advisories/GHSA-w5hq-g745-h8pq",
"severity": "moderate",
"cwe": [
"CWE-787",
"CWE-1285"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<11.1.1"
}
],
"effects": [
"@google-cloud/storage",
"firebase-admin",
"gaxios",
"google-gax",
"node-cron",
"teeny-request"
],
"range": "<11.1.1",
"nodes": [
"node_modules/@google-cloud/storage/node_modules/uuid",
"node_modules/gaxios/node_modules/uuid",
"node_modules/google-gax/node_modules/uuid",
"node_modules/node-cron/node_modules/uuid",
"node_modules/teeny-request/node_modules/uuid",
"node_modules/uuid"
],
"fixAvailable": {
"name": "node-cron",
"version": "4.2.1",
"isSemVerMajor": true
}
},
"vite": {
"name": "vite",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1116229,
"name": "vite",
"dependency": "vite",
"title": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
"url": "https://github.com/advisories/GHSA-4w7w-66w2-5vf9",
"severity": "moderate",
"cwe": [
"CWE-22",
"CWE-200"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=6.4.1"
},
"esbuild"
],
"effects": [
"vite-node",
"vitest"
],
"range": "<=6.4.1",
"nodes": [
"node_modules/vite"
],
"fixAvailable": {
"name": "vitest",
"version": "4.1.8",
"isSemVerMajor": true
}
},
"vite-node": {
"name": "vite-node",
"severity": "moderate",
"isDirect": false,
"via": [
"vite"
],
"effects": [
"vitest"
],
"range": "<=2.2.0-beta.2",
"nodes": [
"node_modules/vite-node"
],
"fixAvailable": {
"name": "vitest",
"version": "4.1.8",
"isSemVerMajor": true
}
},
"vitest": {
"name": "vitest",
"severity": "critical",
"isDirect": true,
"via": [
{
"source": 1120011,
"name": "vitest",
"dependency": "vitest",
"title": "When Vitest UI server is listening, arbitrary file can be read and executed",
"url": "https://github.com/advisories/GHSA-5xrq-8626-4rwp",
"severity": "critical",
"cwe": [
"CWE-862"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<4.1.0"
},
"vite",
"vite-node"
],
"effects": [],
"range": "<=4.1.0-beta.6",
"nodes": [
"node_modules/vitest"
],
"fixAvailable": {
"name": "vitest",
"version": "4.1.8",
"isSemVerMajor": true
}
},
"ws": {
"name": "ws",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1119108,
"name": "ws",
"dependency": "ws",
"title": "ws: Uninitialized memory disclosure",
"url": "https://github.com/advisories/GHSA-58qx-3vcg-4xpx",
"severity": "moderate",
"cwe": [
"CWE-908"
],
"cvss": {
"score": 4.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=8.0.0 <8.20.1"
}
],
"effects": [
"engine.io",
"engine.io-client",
"socket.io-adapter"
],
"range": "8.0.0 - 8.20.0",
"nodes": [
"node_modules/ws"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 1,
"moderate": 21,
"high": 4,
"critical": 2,
"total": 28
},
"dependencies": {
"prod": 515,
"dev": 248,
"optional": 167,
"peer": 1,
"peerOptional": 0,
"total": 874
}
}
}