mean

MEAN.io: A fullstack JavaScript framework powered by MongoDB, ExpressJS, AngularJS, NodeJS.

Known vulnerabilities: 1
Vulnerable paths: 2
Dependencies: 768

Command Injection

high severity
  • Vulnerable module: shelljs
  • Introduced through: shelljs@0.7.6 and meanio@0.9.4

Detailed paths

  • Introduced through: mean@linnovate/mean#3c59ef573cad4bf99a08d31e57e003d2448366e6 shelljs@0.7.6
  • Introduced through: mean@linnovate/mean#3c59ef573cad4bf99a08d31e57e003d2448366e6 meanio@0.9.4 shelljs@0.7.6

Overview

shelljs is a portable implementation of Unix shell commands for Node.js. If input from external sources reaches shell.exec(), an attacker can inject arbitrary commands.

Remediation

There is no fixed version of shelljs.

Regular Expression Denial of Service

Vulnerability patched for: meanio@0.9.4.

low severity
  • Vulnerable module: uglify-js
  • Introduced through: meanio@0.9.4

Detailed paths

  • Introduced through: mean@linnovate/mean#3c59ef573cad4bf99a08d31e57e003d2448366e6 meanio@0.9.4 swig@1.4.2 uglify-js@2.4.24

Overview

The parse() function in the uglify-js package prior to version 2.6.0 is vulnerable to regular expression denial of service (ReDoS) when it processes long inputs of certain patterns.

Details

"The Regular expression Denial of Service (ReDoS) is a Denial of Service attack that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time." [1]

Remediation

Upgrade uglify-js to version 2.6.0 or greater. If a direct dependency update is not possible, use snyk wizard to patch this vulnerability.