Vulnerabilities

 3 via 3 paths

Dependencies

 27

Source

 GitHub

Commit

 0d8d49df

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 3
Status
  • 3
  • 0
  • 0

medium severity
new

Inefficient Algorithmic Complexity

  • Vulnerable module: js-yaml
  • Introduced through: rc-yaml@2.0.0

Detailed paths

  • Introduced through: lifx-client@MrRacoon/lifx-client#0d8d49df8b7111af08b7bfbd6dc4b1665505da45 rc-yaml@2.0.0 js-yaml@3.14.2

Overview

js-yaml is a human-friendly data serialization language.

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the storeMappingPair() function in loader.js when handling repeated aliases in merge sequences. An attacker can exhaust CPU resources and significantly degrade service availability by submitting malicious YAML documents.

Remediation

Upgrade js-yaml to version 4.2.0 or higher.

References

Inefficient Algorithmic Complexity vulnerability report

medium severity

Information Exposure

  • Vulnerable module: node-fetch
  • Introduced through: isomorphic-fetch@2.2.1

Detailed paths

  • Introduced through: lifx-client@MrRacoon/lifx-client#0d8d49df8b7111af08b7bfbd6dc4b1665505da45 isomorphic-fetch@2.2.1 node-fetch@1.7.3
    Remediation: Upgrade to isomorphic-fetch@3.0.0.

Overview

node-fetch is a light-weight module that brings window.fetch to node.js

Affected versions of this package are vulnerable to Information Exposure when fetching a remote url with Cookie, if it get a Location response header, it will follow that url and try to fetch that url with provided cookie. This can lead to forwarding secure headers to 3th party.

Remediation

Upgrade node-fetch to version 2.6.7, 3.1.1 or higher.

References

Information Exposure vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: node-fetch
  • Introduced through: isomorphic-fetch@2.2.1

Detailed paths

  • Introduced through: lifx-client@MrRacoon/lifx-client#0d8d49df8b7111af08b7bfbd6dc4b1665505da45 isomorphic-fetch@2.2.1 node-fetch@1.7.3
    Remediation: Upgrade to isomorphic-fetch@3.0.0.

Overview

node-fetch is a light-weight module that brings window.fetch to node.js

Affected versions of this package are vulnerable to Denial of Service (DoS). Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.

Remediation

Upgrade node-fetch to version 2.6.1, 3.0.0-beta.9 or higher.

References

Denial of Service (DoS) vulnerability report