Description
Vulnerable Library - ganache-cli-6.12.2.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/secp256k1/package.json
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (ganache-cli version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2025-6545 | 10.0 | pbkdf2-3.1.1.tgz | Transitive | N/A* | ❌ |
| CVE-2024-48949 | 9.1 | elliptic-6.5.3.tgz | Transitive | N/A* | ❌ |
| CVE-2025-9288 | 8.7 | sha.js-2.4.11.tgz | Transitive | N/A* | ❌ |
| CVE-2025-9287 | 8.7 | cipher-base-1.0.4.tgz | Transitive | N/A* | ❌ |
| WS-2025-0006 | 8.6 | elliptic-6.5.3.tgz | Transitive | N/A* | ❌ |
| CVE-2025-27611 | 7.5 | base-x-3.0.8.tgz | Transitive | N/A* | ❌ |
| CVE-2024-48930 | 7.5 | secp256k1-4.0.2.tgz | Transitive | N/A* | ❌ |
| CVE-2024-21538 | 7.5 | cross-spawn-6.0.5.tgz | Transitive | N/A* | ❌ |
| CVE-2021-3807 | 7.5 | ansi-regex-4.1.0.tgz | Transitive | N/A* | ❌ |
| CVE-2020-7774 | 7.3 | y18n-4.0.0.tgz | Transitive | N/A* | ❌ |
| CVE-2025-6547 | 6.8 | pbkdf2-3.1.1.tgz | Transitive | N/A* | ❌ |
| CVE-2020-28498 | 6.8 | elliptic-6.5.3.tgz | Transitive | N/A* | ❌ |
| CVE-2025-14505 | 5.6 | elliptic-6.5.3.tgz | Transitive | N/A* | ❌ |
| CVE-2024-42461 | 5.3 | elliptic-6.5.3.tgz | Transitive | N/A* | ❌ |
| CVE-2024-42460 | 5.3 | elliptic-6.5.3.tgz | Transitive | N/A* | ❌ |
| CVE-2024-42459 | 5.3 | elliptic-6.5.3.tgz | Transitive | N/A* | ❌ |
| CVE-2022-25883 | 5.3 | semver-5.7.1.tgz | Transitive | N/A* | ❌ |
| CVE-2024-48948 | 4.8 | elliptic-6.5.3.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2025-6545
Vulnerable Library - pbkdf2-3.1.1.tgz
This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()
Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.1.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/pbkdf2/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
  - ethereumjs-util-6.2.1.tgz
    - ethereum-cryptography-0.1.3.tgz
      - ❌ pbkdf2-3.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js.
This issue affects pbkdf2: from 3.0.10 through 3.1.2.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-23
URL: CVE-2025-6545
CVSS 3 Score Details (10.0)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-h7cp-r72f-jxh6
Release Date: 2025-06-23
Fix Resolution: pbkdf2 - 3.1.3; https://github.com/browserify/pbkdf2.git - v3.1.3
Step up your Open Source Security Game with Mend here
CVE-2024-48949
Vulnerable Library - elliptic-6.5.3.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/elliptic/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
  - ethereumjs-util-6.2.1.tgz
    - ❌ elliptic-6.5.3.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits `sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()` validation.
Publish Date: 2024-10-10
URL: CVE-2024-48949
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-48949
Release Date: 2024-10-10
Fix Resolution: elliptic - 6.5.6
CVE-2025-9288
Vulnerable Library - sha.js-2.4.11.tgz
Streamable SHA hashes in pure javascript
Library home page: https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz
Path to dependency file: /blockchain_integration/pi_network/contracts/package.json
Path to vulnerable library:
- /blockchain_integration/pi_network/contracts/node_modules/sha.js/package.json
- /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/sha.js/package.json
- /blockchain_integration/pi_network/smartship/node_modules/sha.js/package.json
- /blockchain_integration/pi_network/pi-browser-app/node_modules/sha.js/package.json
- /blockchain_integration/pi_network/pi-network-interoperability/node_modules/sha.js/package.json
- /blockchain_integration/pi_network/contracts/PI-bank/node_modules/sha.js/package.json
- /blockchain_integration/pi_network/SpacePi/node_modules/sha.js/package.json
- /projects/oracle-nexus/node_modules/sha.js/package.json
- /blockchain_integration/pi_network/PiSure/client/node_modules/sha.js/package.json
- /blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/sha.js/package.json
- /blockchain_integration/pi_network/node_modules/sha.js/package.json
- /blockchain_integration/pi_network/PiRide/node_modules/sha.js/package.json
- /blockchain_integration/pi_network/PiSure/contracts/node_modules/sha.js/package.json
- /sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/sha.js/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
  - ethereumjs-util-6.2.1.tgz
    - create-hash-1.2.0.tgz
      - ❌ sha.js-2.4.11.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in sha.js allows Input Data Manipulation. This issue affects sha.js: through 2.4.11.
Publish Date: 2025-08-20
URL: CVE-2025-9288
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-08-20
Fix Resolution: https://github.com/browserify/sha.js.git - v2.4.12; sha.js - 2.4.12
CVE-2025-9287
Vulnerable Library - cipher-base-1.0.4.tgz
abstract base class for crypto-streams
Library home page: https://registry.npmjs.org/cipher-base/-/cipher-base-1.0.4.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/cipher-base/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
  - ethereumjs-util-6.2.1.tgz
    - create-hash-1.2.0.tgz
      - ❌ cipher-base-1.0.4.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation. This issue affects cipher-base: through 1.0.4.
Publish Date: 2025-08-20
URL: CVE-2025-9287
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-cpq7-6gpm-g9rc
Release Date: 2025-08-20
Fix Resolution: cipher-base - 1.0.4
WS-2025-0006
Vulnerable Library - elliptic-6.5.3.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/elliptic/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
  - ethereumjs-util-6.2.1.tgz
    - ❌ elliptic-6.5.3.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Summary

Private key can be extracted from ECDSA signature upon signing a malformed input (e.g. a string or a number), which could e.g. come from JSON network input.

Note that `elliptic` by design accepts hex strings as one of the possible input types.

Details

In this code: https://github.com/indutny/elliptic/blob/3e46a48fdd2ef2f89593e5e058d85530578c9761/lib/elliptic/ec/index.js#L100-L107

`msg` is a BN instance after conversion, but `nonce` is an array, and different BN instances could generate equivalent arrays after conversion. Meaning that the same `nonce` could be generated for different messages used in the signing process, leading to `k` reuse, leading to private key extraction from a pair of signatures.

Such a message can be constructed for any already known message/signature pair, meaning that the attack needs only a single malicious message being signed for a full key extraction.

While signing unverified attacker-controlled messages would be problematic itself (and exploitation of this needs such a scenario), signing a single message still should not leak the private key.

Also, message validation could have the same bug (out of scope for this report, but could be possible in some situations), which makes this attack more likely when used in a chain.

PoC

`k` reuse example:

```js
import elliptic from 'elliptic'
const { ec: EC } = elliptic

const privateKey = crypto.getRandomValues(new Uint8Array(32))
const curve = 'ed25519' // or any other curve, e.g. secp256k1
const ec = new EC(curve)

const prettyprint = ({ r, s }) => `r: ${r}, s: ${s}`
const sig0 = prettyprint(ec.sign(Buffer.alloc(32, 1), privateKey)) // array of ones
const sig1 = prettyprint(ec.sign('01'.repeat(32), privateKey)) // same message in hex form
const sig2 = prettyprint(ec.sign('-' + '01'.repeat(32), privateKey)) // same `r`, different `s`
console.log({ sig0, sig1, sig2 })
```

Full attack

This doesn't include code for generation/recovery on purpose (but it's rather trivial):

```js
import elliptic from 'elliptic'
const { ec: EC } = elliptic

const privateKey = crypto.getRandomValues(new Uint8Array(32))
const curve = 'secp256k1' // or any other curve, e.g. ed25519
const ec = new EC(curve)

// Any message, e.g. previously known signature
const msg0 = crypto.getRandomValues(new Uint8Array(32))
const sig0 = ec.sign(msg0, privateKey)

// Attack
const msg1 = funny(msg0) // this is a string here, but can also be of other non-Uint8Array types
const sig1 = ec.sign(msg1, privateKey)
const something = extract(msg0, sig0, sig1, curve)

console.log('Curve:', curve)
console.log('Typeof:', typeof msg1)
console.log('Keys equal?', Buffer.from(privateKey).toString('hex') === something)
const rnd = crypto.getRandomValues(new Uint8Array(32))
const st = (x) => JSON.stringify(x)
console.log('Keys equivalent?', st(ec.sign(rnd, something).toDER()) === st(ec.sign(rnd, privateKey).toDER()))
console.log('Orig key:', Buffer.from(privateKey).toString('hex'))
console.log('Restored:', something)
```

Output:

```
Curve: secp256k1
Typeof: string
Keys equal? true
Keys equivalent? true
Orig key: c7870f7eb3e8fd5155d5c8cdfca61aa993eed1fbe5b41feef69a68303248c22a
Restored: c7870f7eb3e8fd5155d5c8cdfca61aa993eed1fbe5b41feef69a68303248c22a
```

Similar for `ed25519`, but due to low `n`, the key might not match precisely but is nevertheless equivalent for signing:

```
Curve: ed25519
Typeof: string
Keys equal? false
Keys equivalent? true
Orig key: f1ce0e4395592f4de24f6423099e022925ad5d2d7039b614aaffdbb194a0d189
Restored: 01ce0e4395592f4de24f6423099e0227ec9cb921e3b7858581ec0d26223966a6
```

`restored` is equal to `orig` mod `N`.

Impact

Full private key extraction when signing a single malicious message (that passes `JSON.stringify`/`JSON.parse`).
Publish Date: 2025-02-11
URL: WS-2025-0006
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-vjh7-7g9h-fjfh
Release Date: 2025-02-11
Fix Resolution: elliptic - 6.6.1
CVE-2025-27611
Vulnerable Library - base-x-3.0.8.tgz
Fast base encoding / decoding of any given alphabet
Library home page: https://registry.npmjs.org/base-x/-/base-x-3.0.8.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/base-x/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
  - ethereumjs-util-6.2.1.tgz
    - ethereum-cryptography-0.1.3.tgz
      - bs58check-2.1.2.tgz
        - bs58-4.0.1.tgz
          - ❌ base-x-3.0.8.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
base-x is a base encoder and decoder of any given alphabet using bitcoin style leading zero compression. Versions 4.0.0, 5.0.0, and all prior to 3.0.11, are vulnerable to attackers potentially deceiving users into sending funds to an unintended address. This issue has been patched in versions 3.0.11, 4.0.1, and 5.0.1.
Publish Date: 2025-04-30
URL: CVE-2025-27611
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-xq7p-g2vc-g82p
Release Date: 2025-04-30
Fix Resolution: base-x - 3.0.11, 4.0.1, 5.0.1; https://github.com/cryptocoinjs/base-x.git - v3.0.11, v4.0.1, v5.0.1
CVE-2024-48930
Vulnerable Library - secp256k1-4.0.2.tgz
This module provides native bindings to ecdsa secp256k1 functions
Library home page: https://registry.npmjs.org/secp256k1/-/secp256k1-4.0.2.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/secp256k1/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
  - ethereumjs-util-6.2.1.tgz
    - ethereum-cryptography-0.1.3.tgz
      - ❌ secp256k1-4.0.2.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. In the `elliptic`-based version, `loadUncompressedPublicKey` has a check that the public key is on the curve. Prior to versions 5.0.1, 4.0.4, and 3.8.1, however, `loadCompressedPublicKey` is missing that check. That allows the attacker to use public keys on low-cardinality curves to extract enough information to fully restore the private key from as little as 11 ECDH sessions, and very cheaply on compute power. Other operations on public keys are also affected, including e.g. `publicKeyVerify()` incorrectly returning `true` on those invalid keys, and e.g. `publicKeyTweakMul()` also returning predictable outcomes that allow the tweak to be restored. Versions 5.0.1, 4.0.4, and 3.8.1 contain a fix for the issue.
Publish Date: 2024-10-21
URL: CVE-2024-48930
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-584q-6j8j-r5pm
Release Date: 2024-10-21
Fix Resolution: secp256k1 - 3.8.1, 4.0.4, 5.0.1
CVE-2024-21538
Vulnerable Library - cross-spawn-6.0.5.tgz
Cross platform child_process#spawn and child_process#spawnSync
Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-6.0.5.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/cross-spawn/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
  - yargs-13.2.4.tgz
    - os-locale-3.1.0.tgz
      - execa-1.0.0.tgz
        - ❌ cross-spawn-6.0.5.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Publish Date: 2024-11-08
URL: CVE-2024-21538
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-21538
Release Date: 2024-11-08
Fix Resolution: cross-spawn - 6.0.6, 7.0.5; https://github.com/moxystudio/node-cross-spawn.git - v6.0.6, v7.0.5; org.webjars.npm:cross-spawn:6.0.6
CVE-2021-3807
Vulnerable Library - ansi-regex-4.1.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/ansi-regex/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
  - yargs-13.2.4.tgz
    - cliui-5.0.0.tgz
      - strip-ansi-5.2.0.tgz
        - ❌ ansi-regex-4.1.0.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-93q8-gq69-wqmw
Release Date: 2021-09-17
Fix Resolution: ansi-regex - 3.0.1, 4.1.1, 5.0.1, 6.0.1
CVE-2020-7774
Vulnerable Library - y18n-4.0.0.tgz
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/y18n/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
  - yargs-13.2.4.tgz
    - ❌ y18n-4.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution: y18n - 3.2.2, 4.0.1, 5.0.5
CVE-2025-6547
Vulnerable Library - pbkdf2-3.1.1.tgz
This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()
Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.1.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/pbkdf2/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
  - ethereumjs-util-6.2.1.tgz
    - ethereum-cryptography-0.1.3.tgz
      - ❌ pbkdf2-3.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This issue affects pbkdf2: <=3.1.2.
Publish Date: 2025-06-23
URL: CVE-2025-6547
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-v62p-rq8g-8h59
Release Date: 2025-06-23
Fix Resolution: pbkdf2 - 3.1.3; https://github.com/browserify/pbkdf2.git - v3.1.3
CVE-2020-28498
Vulnerable Library - elliptic-6.5.3.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/elliptic/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
  - ethereumjs-util-6.2.1.tgz
    - ❌ elliptic-6.5.3.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
The package elliptic before 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution: elliptic - 6.5.4
CVE-2025-14505
Vulnerable Library - elliptic-6.5.3.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/elliptic/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
  - ethereumjs-util-6.2.1.tgz
    - ❌ elliptic-6.5.3.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979, https://datatracker.ietf.org/doc/html/rfc6979) has leading zeros, and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens because the byte-length of 'k' is incorrectly computed, resulting in it being truncated during the computation. Legitimate transactions or communications will be broken as a result. Furthermore, due to the nature of the fault, attackers could, under certain conditions, derive the secret key if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs.
This issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1).
Publish Date: 2026-01-08
URL: CVE-2025-14505
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
CVE-2024-42461
Vulnerable Library - elliptic-6.5.3.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/elliptic/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
  - ethereumjs-util-6.2.1.tgz
    - ❌ elliptic-6.5.3.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.
Publish Date: 2024-08-02
URL: CVE-2024-42461
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-49q7-c7j4-3p7m
Release Date: 2024-08-02
Fix Resolution: elliptic - 6.5.7
CVE-2024-42460
Vulnerable Library - elliptic-6.5.3.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/elliptic/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
  - ethereumjs-util-6.2.1.tgz
    - ❌ elliptic-6.5.3.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.
Publish Date: 2024-08-02
URL: CVE-2024-42460
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-977x-g7h5-7qgw
Release Date: 2024-08-02
Fix Resolution: elliptic - 6.5.7
CVE-2024-42459
Vulnerable Library - elliptic-6.5.3.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/elliptic/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
  - ethereumjs-util-6.2.1.tgz
    - ❌ elliptic-6.5.3.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.
Publish Date: 2024-08-02
URL: CVE-2024-42459
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-f7q4-pwc6-w24p
Release Date: 2024-08-02
Fix Resolution: elliptic - 6.5.7
CVE-2022-25883
Vulnerable Library - semver-5.7.1.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/semver/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
  - yargs-13.2.4.tgz
    - os-locale-3.1.0.tgz
      - execa-1.0.0.tgz
        - cross-spawn-6.0.5.tgz
          - ❌ semver-5.7.1.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-06-21
URL: CVE-2022-25883
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution: semver - 5.7.2, 6.3.1, 7.5.2; org.webjars.npm:semver:7.5.2
CVE-2024-48948
Vulnerable Library - elliptic-6.5.3.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/elliptic/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
  - ethereumjs-util-6.2.1.tgz
    - ❌ elliptic-6.5.3.tgz (Vulnerable Library)
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
The Elliptic package 6.5.7 for Node.js, in its ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and the order of the elliptic curve's base point is smaller than the hash, because of a `_truncateToN` anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.
Publish Date: 2024-10-15
URL: CVE-2024-48948
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-fc9h-whq2-v747
Release Date: 2024-10-15
Fix Resolution: elliptic - 6.6.0