Vulnerabilities: 3 via 3 paths

Dependencies: 443

Source: GitHub

Commit: 7a4def8a



high severity
new

Improper Verification of Cryptographic Signature

  • Vulnerable module: hono
  • Introduced through: hono@4.10.3

Detailed paths

  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e hono@4.10.3
    Remediation: Upgrade to hono@4.11.4.

Overview

hono is an ultrafast web framework for the Edges.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature because the JWT verification middleware falls back to the unverified JWT header when the alg field is not present. An attacker can gain unauthorized access or escalate privileges by crafting JWTs with manipulated alg header values, forcing the middleware to use unsafe symmetric algorithms for verification.

Note:

Users who configured their app without the JWK/JWKS middleware, or who explicitly restrict the allowed algorithms, are not affected.

Remediation

Upgrade hono to version 4.11.4 or higher.


high severity
new

Use of a Broken or Risky Cryptographic Algorithm

  • Vulnerable module: hono
  • Introduced through: hono@4.10.3

Detailed paths

  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e hono@4.10.3
    Remediation: Upgrade to hono@4.11.4.

Overview

hono is an ultrafast web framework for the Edges.

Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm because the JWT verification middleware uses an unsafe default fallback algorithm. An attacker can gain unauthorized access or escalate privileges by crafting JWTs with manipulated alg header values, forcing the middleware to use the default HS256 algorithm for verification.

Note:

Users who configured their app without the JWK/JWKS middleware, or who explicitly restrict the allowed algorithms, are not affected.

Remediation

Upgrade hono to version 4.11.4 or higher.


medium severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: undici
  • Introduced through: @xhayper/discord-rpc@1.3.0

Detailed paths

  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @xhayper/discord-rpc@1.3.0 @discordjs/rest@2.6.0 undici@6.21.3

Overview

undici is an HTTP/1.1 client, written from scratch for Node.js.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the decompression chain. An attacker can cause high CPU usage and excessive memory allocation by sending HTTP responses whose Content-Encoding header specifies a large number of chained compression steps.

Remediation

Upgrade undici to version 6.23.0, 7.18.2 or higher.


medium severity

MPL-2.0 license

  • Module: @dehoist/romanize-thai
  • Introduced through: @dehoist/romanize-thai@1.0.0

Detailed paths

  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @dehoist/romanize-thai@1.0.0


medium severity

MPL-2.0 license

  • Module: @ghostery/adblocker
  • Introduced through: @ghostery/adblocker-electron@2.11.6

Detailed paths

  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @ghostery/adblocker-electron@2.11.6 @ghostery/adblocker@2.13.4


medium severity

MPL-2.0 license

  • Module: @ghostery/adblocker-content
  • Introduced through: @ghostery/adblocker-electron-preload@2.11.6 and @ghostery/adblocker-electron@2.11.6

Detailed paths

  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @ghostery/adblocker-electron-preload@2.11.6 @ghostery/adblocker-content@2.13.4
  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @ghostery/adblocker-electron@2.11.6 @ghostery/adblocker@2.13.4 @ghostery/adblocker-content@2.13.4
  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @ghostery/adblocker-electron@2.11.6 @ghostery/adblocker-electron-preload@2.13.4 @ghostery/adblocker-content@2.13.4


medium severity

MPL-2.0 license

  • Module: @ghostery/adblocker-electron
  • Introduced through: @ghostery/adblocker-electron@2.11.6

Detailed paths

  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @ghostery/adblocker-electron@2.11.6


medium severity

MPL-2.0 license

  • Module: @ghostery/adblocker-electron-preload
  • Introduced through: @ghostery/adblocker-electron@2.11.6 and @ghostery/adblocker-electron-preload@2.11.6

Detailed paths

  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @ghostery/adblocker-electron@2.11.6 @ghostery/adblocker-electron-preload@2.13.4
  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @ghostery/adblocker-electron-preload@2.11.6


medium severity

MPL-2.0 license

  • Module: @ghostery/adblocker-extended-selectors
  • Introduced through: @ghostery/adblocker-electron-preload@2.11.6 and @ghostery/adblocker-electron@2.11.6

Detailed paths

  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @ghostery/adblocker-electron-preload@2.11.6 @ghostery/adblocker-content@2.13.4 @ghostery/adblocker-extended-selectors@2.13.4
  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @ghostery/adblocker-electron@2.11.6 @ghostery/adblocker@2.13.4 @ghostery/adblocker-extended-selectors@2.13.4
  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @ghostery/adblocker-electron@2.11.6 @ghostery/adblocker@2.13.4 @ghostery/adblocker-content@2.13.4 @ghostery/adblocker-extended-selectors@2.13.4
  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @ghostery/adblocker-electron@2.11.6 @ghostery/adblocker-electron-preload@2.13.4 @ghostery/adblocker-content@2.13.4 @ghostery/adblocker-extended-selectors@2.13.4


medium severity

MPL-2.0 license

  • Module: @ghostery/url-parser
  • Introduced through: @ghostery/adblocker-electron@2.11.6

Detailed paths

  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @ghostery/adblocker-electron@2.11.6 @ghostery/adblocker@2.13.4 @ghostery/url-parser@1.3.1


medium severity

MPL-2.0 license

  • Module: @remusao/guess-url-type
  • Introduced through: @ghostery/adblocker-electron@2.11.6

Detailed paths

  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @ghostery/adblocker-electron@2.11.6 @ghostery/adblocker@2.13.4 @remusao/guess-url-type@2.1.0


medium severity

MPL-2.0 license

  • Module: @remusao/small
  • Introduced through: @ghostery/adblocker-electron@2.11.6

Detailed paths

  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @ghostery/adblocker-electron@2.11.6 @ghostery/adblocker@2.13.4 @remusao/small@2.1.0


medium severity

MPL-2.0 license

  • Module: @remusao/smaz
  • Introduced through: @ghostery/adblocker-electron@2.11.6

Detailed paths

  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @ghostery/adblocker-electron@2.11.6 @ghostery/adblocker@2.13.4 @remusao/smaz@2.2.0


medium severity

MPL-2.0 license

  • Module: @remusao/smaz-compress
  • Introduced through: @ghostery/adblocker-electron@2.11.6

Detailed paths

  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @ghostery/adblocker-electron@2.11.6 @ghostery/adblocker@2.13.4 @remusao/smaz@2.2.0 @remusao/smaz-compress@2.2.0


medium severity

MPL-2.0 license

  • Module: @remusao/smaz-decompress
  • Introduced through: @ghostery/adblocker-electron@2.11.6

Detailed paths

  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @ghostery/adblocker-electron@2.11.6 @ghostery/adblocker@2.13.4 @remusao/smaz@2.2.0 @remusao/smaz-decompress@2.2.0


medium severity

MPL-2.0 license

  • Module: @remusao/trie
  • Introduced through: @ghostery/adblocker-electron@2.11.6

Detailed paths

  • Introduced through: youtube-music@pear-devs/pear-desktop#7a4def8acc3ef0c55e89be418c7b3299a78c3a5e @ghostery/adblocker-electron@2.11.6 @ghostery/adblocker@2.13.4 @remusao/smaz@2.2.0 @remusao/smaz-compress@2.2.0 @remusao/trie@2.1.0
