Vulnerabilities: 3 via 55 paths
Dependencies: 230
Source: GitHub
Commit: 2d795e20


critical severity
new

Malicious Package

  • Vulnerable module: debug
  • Introduced through: @aurahelper/connector@2.3.0

Detailed paths

  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @salesforce/core@5.3.20 jsforce@2.0.0-beta.29 https-proxy-agent@5.0.1 debug@4.4.3
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @salesforce/core@5.3.20 jsforce@2.0.0-beta.29 https-proxy-agent@5.0.1 agent-base@6.0.2 debug@4.4.3

Overview

debug is a malicious package. This package version contains malicious code that listens for network traffic when run in the context of a browser and focuses on crypto transactions. The malicious code injected into the package activates a hook whenever a Web3 wallet is present. Once activated, the code intercepts any transaction with an ETH value and modifies it to point to another address, presumably controlled by the attacker. The malicious code also listens for swap/transfer transactions so that it can tamper with them as well.

Note: This advisory is under ongoing investigation and may be updated with additional details.

Remediation

Avoid using all malicious instances of the debug package.

high severity

GPL-3.0 license

  • Module: @aurahelper/connector
  • Introduced through: @aurahelper/connector@2.3.0

Detailed paths

  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0

high severity

GPL-3.0 license

  • Module: @aurahelper/core
  • Introduced through: @aurahelper/core@2.7.0, @aurahelper/metadata-factory@2.1.6 and others

Detailed paths

  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/metadata-factory@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/xml-compressor@2.0.2 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/git-manager@2.1.5 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/xml-compressor@2.0.2 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/metadata-factory@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/metadata-factory@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/xml-compressor@2.0.2 @aurahelper/xml-definitions@2.0.1 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/xml-definitions@2.0.1 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/xml-compressor@2.0.2 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/xml-compressor@2.0.2 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/xml-compressor@2.0.2 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/xml-compressor@2.0.2 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/xml-definitions@2.0.1 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/xml-compressor@2.0.2 @aurahelper/xml-definitions@2.0.1 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/xml-compressor@2.0.2 @aurahelper/xml-definitions@2.0.1 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/xml-definitions@2.0.1 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/xml-definitions@2.0.1 @aurahelper/core@2.7.0

high severity

GPL-3.0 license

  • Module: @aurahelper/dependencies-manager
  • Introduced through: @aurahelper/dependencies-manager@2.0.2

Detailed paths

  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2

high severity

GPL-3.0 license

  • Module: @aurahelper/git-manager
  • Introduced through: @aurahelper/git-manager@2.1.5

Detailed paths

  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/git-manager@2.1.5

high severity

GPL-3.0 license

  • Module: @aurahelper/ignore
  • Introduced through: @aurahelper/ignore@2.0.1, @aurahelper/package-generator@2.1.1 and others

Detailed paths

  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1

high severity

GPL-3.0 license

  • Module: @aurahelper/languages
  • Introduced through: @aurahelper/metadata-factory@2.1.6, @aurahelper/xml-compressor@2.0.2 and others

Detailed paths

  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/xml-compressor@2.0.2 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/xml-compressor@2.0.2 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/xml-compressor@2.0.2 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/languages@2.1.6

high severity

GPL-3.0 license

  • Module: @aurahelper/metadata-factory
  • Introduced through: @aurahelper/metadata-factory@2.1.6, @aurahelper/ignore@2.0.1 and others

Detailed paths

  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/metadata-factory@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/metadata-factory@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/metadata-factory@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/metadata-factory@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/metadata-factory@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/metadata-factory@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/metadata-factory@2.1.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/metadata-factory@2.1.6

high severity

GPL-3.0 license

  • Module: @aurahelper/package-generator
  • Introduced through: @aurahelper/package-generator@2.1.1 and @aurahelper/connector@2.3.0

Detailed paths

  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1

high severity

GPL-3.0 license

  • Module: @aurahelper/xml-compressor
  • Introduced through: @aurahelper/xml-compressor@2.0.2, @aurahelper/ignore@2.0.1 and others

Detailed paths

  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/xml-compressor@2.0.2
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/xml-compressor@2.0.2
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/xml-compressor@2.0.2
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2

high severity

GPL-3.0 license

  • Module: @aurahelper/xml-definitions
  • Introduced through: @aurahelper/xml-compressor@2.0.2, @aurahelper/dependencies-manager@2.0.2 and others

Detailed paths

  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/xml-compressor@2.0.2 @aurahelper/xml-definitions@2.0.1
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/xml-definitions@2.0.1
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/xml-definitions@2.0.1
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/xml-compressor@2.0.2 @aurahelper/xml-definitions@2.0.1
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/xml-compressor@2.0.2 @aurahelper/xml-definitions@2.0.1
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/xml-definitions@2.0.1
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/xml-definitions@2.0.1

medium severity

Symlink Attack

  • Vulnerable module: tmp
  • Introduced through: inquirer@7.3.3 and @aurahelper/connector@2.3.0

Detailed paths

  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 inquirer@7.3.3 external-editor@3.1.0 tmp@0.0.33
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @salesforce/core@5.3.20 jsforce@2.0.0-beta.29 inquirer@7.3.3 external-editor@3.1.0 tmp@0.0.33

Overview

Affected versions of this package are vulnerable to Symlink Attack via the dir parameter. An attacker can cause files or directories to be written to arbitrary locations by supplying a crafted symbolic link that resolves outside the intended temporary directory.

PoC

const tmp = require('tmp');

const tmpobj = tmp.fileSync({ 'dir': 'evil-dir'});
console.log('File: ', tmpobj.name);

try {
    tmp.fileSync({ 'dir': 'mydir1'});
} catch (err) {
    console.log('test 1:', err.message)
}

try {
    tmp.fileSync({ 'dir': '/foo'});
} catch (err) {
    console.log('test 2:', err.message)
}

try {
    const fs = require('node:fs');
    const resolved = fs.realpathSync('/tmp/evil-dir');
    tmp.fileSync({ 'dir': resolved});
} catch (err) {
    console.log('test 3:', err.message)
}

Remediation

Upgrade tmp to version 0.2.4 or higher.

medium severity

Missing Release of Resource after Effective Lifetime

  • Vulnerable module: inflight
  • Introduced through: @aurahelper/core@2.7.0, @aurahelper/metadata-factory@2.1.6 and others

Detailed paths

  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/metadata-factory@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/xml-compressor@2.0.2 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/git-manager@2.1.5 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/xml-compressor@2.0.2 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/metadata-factory@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/metadata-factory@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/xml-compressor@2.0.2 @aurahelper/xml-definitions@2.0.1 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/xml-definitions@2.0.1 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/xml-compressor@2.0.2 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/xml-compressor@2.0.2 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/xml-compressor@2.0.2 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/xml-compressor@2.0.2 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/xml-definitions@2.0.1 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/xml-compressor@2.0.2 @aurahelper/xml-definitions@2.0.1 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/dependencies-manager@2.0.2 @aurahelper/xml-compressor@2.0.2 @aurahelper/xml-definitions@2.0.1 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/xml-definitions@2.0.1 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/metadata-factory@2.1.6 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/languages@2.1.6 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: aura-helper-cli@JJLongoria/aura-helper-cli#2d795e200557b12c23c32c8f4c00dc364eac0db4 @aurahelper/connector@2.3.0 @aurahelper/package-generator@2.1.1 @aurahelper/ignore@2.0.1 @aurahelper/xml-compressor@2.0.2 @aurahelper/xml-definitions@2.0.1 @aurahelper/core@2.7.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6

Overview

Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the makeres function, because keys are not properly deleted from the reqs object after the callbacks have executed. The keys therefore remain in the reqs object, which leads to resource exhaustion.

Exploiting this vulnerability results in a crash of the Node process or of the application.

Note: This library is not maintained, and currently, there is no fix for this issue. To overcome this vulnerability, several dependent packages have eliminated the use of this library.

To trigger the memory leak, an attacker would need to have the ability to execute or influence the asynchronous operations that use the inflight module within the application. This typically requires access to the internal workings of the server or application, which is not commonly exposed to remote users. Therefore, “Attack vector” is marked as “Local”.

PoC

const inflight = require('inflight');

function testInflight() {
  let i = 0;
  function scheduleNext() {
    // Each iteration registers its callbacks under a new key.
    let key = `key-${i++}`;
    const callback = () => {
    };
    for (let j = 0; j < 1000000; j++) {
      inflight(key, callback);
    }

    // Report memory usage every 100 iterations so the growth is visible.
    if (i % 100 === 0) {
      console.log(process.memoryUsage());
    }

    setImmediate(scheduleNext);
  }

  scheduleNext();
}

testInflight();

Remediation

There is no fixed version for inflight.

References