Vulnerabilities

2 via 3 paths

Dependencies

201

Source

GitHub

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
  • 1
Status
  • 2
  • 0
  • 0

high severity
new

Inefficient Algorithmic Complexity

  • Vulnerable module: brace-expansion
  • Introduced through: babel-plugin-module-resolver@5.0.3

Detailed paths

  • Introduced through: react-native-testing-mocks@JoseLion/react-native-testing-mocks babel-plugin-module-resolver@5.0.3 glob@9.3.5 minimatch@8.0.7 brace-expansion@2.1.2

Overview

brace-expansion is a Brace expansion as known from sh/bash

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the expand function. An attacker can cause excessive CPU consumption and block the event loop by supplying a specially crafted string containing multiple consecutive non-expanding '{}' brace groups. The max option does not prevent this issue, as it only limits the output size and not the computational workload.

Remediation

Upgrade brace-expansion to version 5.0.7 or higher.

References

medium severity

Use of a Cryptographic Primitive with a Risky Implementation

  • Vulnerable module: elliptic
  • Introduced through: rewiremock@3.14.6

Detailed paths

  • Introduced through: react-native-testing-mocks@JoseLion/react-native-testing-mocks rewiremock@3.14.6 node-libs-browser@2.2.1 crypto-browserify@3.12.1 browserify-sign@4.2.6 elliptic@6.6.1
  • Introduced through: react-native-testing-mocks@JoseLion/react-native-testing-mocks rewiremock@3.14.6 node-libs-browser@2.2.1 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1

Overview

elliptic is a fast elliptic-curve cryptography implementation in plain javascript.

Affected versions of this package are vulnerable to Use of a Cryptographic Primitive with a Risky Implementation due to the incorrect computation of the byte-length of k value with leading zeros resulting in its truncation. An attacker can obtain the secret key by analyzing both a faulty signature generated by a vulnerable implementation and a correct signature for the same inputs.

Note:

There is a distinct but related issue CVE-2024-48948.

Remediation

There is no fixed version for elliptic.

References