Skip to main content

Test Results

jeremyckahn/chitchatter:package.json

Vulnerabilities

 2 via 3 paths

Dependencies

 746

Source

 GitHub

Commit

 28792bae

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Issue type
  • 2
  • 1
Severity
  • 2
  • 1
Status
  • 3
  • 0
  • 0

medium severity

Server-Side Request Forgery (SSRF)

  • Vulnerable module: ip
  • Introduced through: secure-file-transfer@0.0.8

Detailed paths

  • Introduced through: chitchatter@jeremyckahn/chitchatter#28792baeda471e507227ca252bd4374fc6551839 secure-file-transfer@0.0.8 webtorrent@1.9.7 load-ip-set@2.2.1 ip-set@2.2.0 ip@2.0.1
  • Introduced through: chitchatter@jeremyckahn/chitchatter#28792baeda471e507227ca252bd4374fc6551839 secure-file-transfer@0.0.8 webtorrent@1.9.7 torrent-discovery@9.4.15 bittorrent-tracker@9.19.0 ip@1.1.9

Overview

ip is a Node library.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) via the isPublic function, which identifies some private IP addresses as public addresses due to improper parsing of the input. An attacker can manipulate a system that uses isLoopback(), isPrivate() and isPublic functions to guard outgoing network requests to treat certain IP addresses as globally routable by supplying specially crafted IP addresses.

Note

This vulnerability derived from an incomplete fix for CVE-2023-42282

Remediation

There is no fixed version for ip.

References

Server-Side Request Forgery (SSRF) vulnerability report

medium severity
new

MPL-2.0 license

  • Module: node-datachannel
  • Introduced through: trystero@0.20.1

Detailed paths

  • Introduced through: chitchatter@jeremyckahn/chitchatter#28792baeda471e507227ca252bd4374fc6551839 trystero@0.20.1 @thaunknown/simple-peer@10.0.11 webrtc-polyfill@1.1.10 node-datachannel@0.12.0

MPL-2.0 license

MPL-2.0 license vulnerability report

low severity
new

Arbitrary Code Injection

  • Vulnerable module: prismjs
  • Introduced through: react-syntax-highlighter@15.6.1

Detailed paths

  • Introduced through: chitchatter@jeremyckahn/chitchatter#28792baeda471e507227ca252bd4374fc6551839 react-syntax-highlighter@15.6.1 refractor@3.6.0 prismjs@1.27.0

Overview

prismjs is a lightweight, robust, elegant syntax highlighting library.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the document.currentScript lookup process. An attacker can manipulate the web page content and execute unintended actions by injecting HTML elements that overshadow legitimate DOM elements.

Note:

This is only exploitable if the application accepts untrusted input containing HTML but not direct JavaScript.

Remediation

Upgrade prismjs to version 1.30.0 or higher.

References

Arbitrary Code Injection vulnerability report