Vulnerabilities

 2 via 2 paths

Dependencies

 62

Source

 GitHub

Commit

 010b08c6

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
  • 1
Status
  • 2
  • 0
  • 0

critical severity

Predictable Value Range from Previous Values

  • Vulnerable module: form-data
  • Introduced through: form-data@3.0.0

Detailed paths

  • Introduced through: @bifravst/firmware-ci@bifravst/firmware-ci#010b08c6b02b707ea30e6bb97e9a3c0a0a376e4c form-data@3.0.0
    Remediation: Upgrade to form-data@3.0.4.

Overview

Affected versions of this package are vulnerable to Predictable Value Range from Previous Values via the boundary value, which uses Math.random(). An attacker can manipulate HTTP request boundaries by exploiting predictable values, potentially leading to HTTP parameter pollution.

Remediation

Upgrade form-data to version 2.5.4, 3.0.4, 4.0.4 or higher.

References

Predictable Value Range from Previous Values vulnerability report

medium severity

Information Exposure

  • Vulnerable module: node-fetch
  • Introduced through: node-fetch@2.6.1

Detailed paths

  • Introduced through: @bifravst/firmware-ci@bifravst/firmware-ci#010b08c6b02b707ea30e6bb97e9a3c0a0a376e4c node-fetch@2.6.1
    Remediation: Upgrade to node-fetch@2.6.7.

Overview

node-fetch is a light-weight module that brings window.fetch to node.js

Affected versions of this package are vulnerable to Information Exposure when fetching a remote url with Cookie, if it get a Location response header, it will follow that url and try to fetch that url with provided cookie. This can lead to forwarding secure headers to 3th party.

Remediation

Upgrade node-fetch to version 2.6.7, 3.1.1 or higher.

References

Information Exposure vulnerability report