Vulnerabilities

 2 via 4 paths

Dependencies

 51

Source

 GitHub

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
  • 1
Status
  • 2
  • 0
  • 0

high severity

Command Injection

  • Vulnerable module: ssh2
  • Introduced through: sftp-resolver-fs@2.0.4

Detailed paths

  • Introduced through: url-cmd@arlac77/url-cmd sftp-resolver-fs@2.0.4 ssh2-sftp-client@2.5.2 ssh2@0.8.9

Overview

ssh2 is a SSH2 client and server modules written in pure JavaScript for node.js.

Affected versions of this package are vulnerable to Command Injection. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.

Remediation

Upgrade ssh2 to version 1.0.0 or higher.

References

Command Injection vulnerability report

medium severity

Incorrect Control Flow Scoping

  • Vulnerable module: @tootallnate/once
  • Introduced through: url-resolver-fs@8.0.6, fs-resolver-fs@7.0.1 and others

Detailed paths

  • Introduced through: url-cmd@arlac77/url-cmd url-resolver-fs@8.0.6 http-proxy-agent@4.0.1 @tootallnate/once@1.1.2
  • Introduced through: url-cmd@arlac77/url-cmd fs-resolver-fs@7.0.1 url-resolver-fs@8.0.6 http-proxy-agent@4.0.1 @tootallnate/once@1.1.2
  • Introduced through: url-cmd@arlac77/url-cmd svn-dav-fs@7.0.0 url-resolver-fs@8.0.6 http-proxy-agent@4.0.1 @tootallnate/once@1.1.2

Overview

Affected versions of this package are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.

Remediation

Upgrade @tootallnate/once to version 2.0.1, 3.0.1 or higher.

References

Incorrect Control Flow Scoping vulnerability report