Vulnerabilities |
2 via 3 paths |
|---|---|
Dependencies |
201 |
Source |
GitHub |
Find, fix and prevent vulnerabilities in your code.
high severity
new
- Vulnerable module: brace-expansion
- Introduced through: babel-plugin-module-resolver@5.0.3
Detailed paths
-
Introduced through: react-native-testing-mocks@JoseLion/react-native-testing-mocks › babel-plugin-module-resolver@5.0.3 › glob@9.3.5 › minimatch@8.0.7 › brace-expansion@2.1.2
Overview
brace-expansion is a Brace expansion as known from sh/bash
Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the expand function. An attacker can cause excessive CPU consumption and block the event loop by supplying a specially crafted string containing multiple consecutive non-expanding '{}' brace groups. The max option does not prevent this issue, as it only limits the output size and not the computational workload.
Remediation
Upgrade brace-expansion to version 5.0.7 or higher.
References
medium severity
- Vulnerable module: elliptic
- Introduced through: rewiremock@3.14.6
Detailed paths
-
Introduced through: react-native-testing-mocks@JoseLion/react-native-testing-mocks › rewiremock@3.14.6 › node-libs-browser@2.2.1 › crypto-browserify@3.12.1 › browserify-sign@4.2.6 › elliptic@6.6.1
-
Introduced through: react-native-testing-mocks@JoseLion/react-native-testing-mocks › rewiremock@3.14.6 › node-libs-browser@2.2.1 › crypto-browserify@3.12.1 › create-ecdh@4.0.4 › elliptic@6.6.1
Overview
elliptic is a fast elliptic-curve cryptography implementation in plain javascript.
Affected versions of this package are vulnerable to Use of a Cryptographic Primitive with a Risky Implementation due to the incorrect computation of the byte-length of k value with leading zeros resulting in its truncation. An attacker can obtain the secret key by analyzing both a faulty signature generated by a vulnerable implementation and a correct signature for the same inputs.
Note:
There is a distinct but related issue CVE-2024-48948.
Remediation
There is no fixed version for elliptic.