Vulnerabilities

1 via 1 paths

Dependencies

92

Source

GitHub

Find, fix and prevent vulnerabilities in your code.

Issue type
  • 1
  • 1
Severity
  • 1
  • 1
Status
  • 2
  • 0
  • 0

high severity
new

Inefficient Algorithmic Complexity

  • Vulnerable module: shell-quote
  • Introduced through: concurrently@10.0.3

Detailed paths

  • Introduced through: undefined@David-Crty/databasement concurrently@10.0.3 shell-quote@1.8.4

Overview

shell-quote is a package used to quote and parse shell commands.

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the parseInternal function of parse.js, where parse() finalizes the token list with Array.prototype.concat inside a reduce, copying the entire growing array on every iteration for O(n²) behavior. An attacker can block the single-threaded Node.js event loop and sustain a denial of service by passing a large space-separated string to any code path that calls parse(), with roughly 128 KB stalling the loop for about 15 seconds and 256 KB for about 57 seconds.

Remediation

Upgrade shell-quote to version 1.9.0 or higher.

References

medium severity

MPL-2.0 license

  • Module: lightningcss
  • Introduced through: vite@8.1.5 and @tailwindcss/vite@4.3.3

Detailed paths

  • Introduced through: undefined@David-Crty/databasement vite@8.1.5 lightningcss@1.32.0
  • Introduced through: undefined@David-Crty/databasement @tailwindcss/vite@4.3.3 @tailwindcss/node@4.3.3 lightningcss@1.32.0

MPL-2.0 license