meanio@0.9.4

Extracted functionality for MEAN.io.

Known vulnerabilities: 1
Vulnerable paths: 1
Dependencies: 439

Command Injection

high severity
  • Vulnerable module: shelljs
  • Introduced through: shelljs@0.7.7

Detailed paths

  • Introduced through: meanio@0.9.4 shelljs@0.7.7

Overview

shelljs is a portable implementation of Unix shell commands for Node.js. shell.exec() hands its command string to the system shell, so if any part of that string comes from an external source, an attacker can inject arbitrary commands.

Remediation

There is no fixed version of shelljs. Until one exists, do not build shell.exec() command strings from untrusted input; pass such values as separate arguments to a non-shell API such as child_process.execFile, and validate them against an allowlist before use.

Regular Expression Denial of Service (DoS)

Vulnerability patched for: swig@1.4.2.

medium severity
  • Vulnerable module: uglify-js
  • Introduced through: swig@1.4.2

Detailed paths

  • Introduced through: meanio@0.9.4 swig@1.4.2 uglify-js@2.4.24

Overview

The parse() function in the uglify-js package prior to version 2.6.0 is vulnerable to regular expression denial of service (ReDoS) attacks when long inputs of certain patterns are processed.

Details

"The Regular expression Denial of Service (ReDoS) is a Denial of Service attack that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time." 1

Remediation

Upgrade to version 2.6.0 or greater. If a direct dependency update is not possible, use snyk wizard to patch this vulnerability.
