react-scripts-4.0.3.tgz: 53 vulnerabilities (highest severity is: 10.0) #1751
Description
Vulnerable Library - react-scripts-4.0.3.tgz
Path to dependency file: /blockchain_integration/pi_network/PiSure/client/package.json
Path to vulnerable library: /blockchain_integration/pi_network/contracts/node_modules/sha.js/package.json,/blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/sha.js/package.json,/blockchain_integration/pi_network/smartship/node_modules/sha.js/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/sha.js/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/sha.js/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/sha.js/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/sha.js/package.json,/projects/oracle-nexus/node_modules/sha.js/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/sha.js/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/sha.js/package.json,/blockchain_integration/pi_network/node_modules/sha.js/package.json,/blockchain_integration/pi_network/PiRide/node_modules/sha.js/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/sha.js/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/sha.js/package.json
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (react-scripts version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-6545 |  Critical |
10.0 | pbkdf2-3.1.2.tgz | Transitive | 5.0.0 | ❌ |
| WS-2021-0153 | Critical |
9.8 | ejs-2.7.4.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-61140 | Critical |
9.8 | jsonpath-1.1.1.tgz | Transitive | N/A* | ❌ |
| CVE-2022-37601 | Critical |
9.8 | loader-utils-2.0.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2022-29078 | Critical |
9.8 | ejs-2.7.4.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2021-42740 | Critical |
9.8 | shell-quote-1.7.2.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2021-3757 | Critical |
9.8 | immer-8.0.1.tgz | Transitive | N/A* | ❌ |
| CVE-2024-29415 | Critical |
9.1 | ip-1.1.9.tgz | Transitive | N/A* | ❌ |
| CVE-2026-23950 |  High |
8.8 | tar-6.2.1.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2024-33883 | High |
8.8 | ejs-2.7.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-9288 | High |
8.7 | sha.js-2.4.11.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-7783 | High |
8.7 | form-data-3.0.3.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-12816 | High |
8.6 | node-forge-0.10.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2026-24842 | High |
8.2 | tar-6.2.1.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-66031 | High |
7.5 | node-forge-0.10.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-15284 | High |
7.5 | detected in multiple dependencies | Transitive | 5.0.0 | ❌ |
| CVE-2024-4068 | High |
7.5 | braces-2.3.2.tgz | Transitive | N/A* | ❌ |
| CVE-2024-21538 | High |
7.5 | cross-spawn-7.0.3.tgz | Transitive | N/A* | ❌ |
| CVE-2024-21536 | High |
7.5 | http-proxy-middleware-0.19.1.tgz | Transitive | N/A* | ❌ |
| CVE-2022-37603 | High |
7.5 | loader-utils-2.0.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2022-37599 | High |
7.5 | loader-utils-2.0.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2022-3517 | High |
7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | ❌ |
| CVE-2022-24772 | High |
7.5 | node-forge-0.10.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2022-24771 | High |
7.5 | node-forge-0.10.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2021-3803 | High |
7.5 | nth-check-1.0.2.tgz | Transitive | N/A* | ❌ |
| CVE-2021-23424 | High |
7.5 | ansi-html-0.0.7.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2024-29180 | High |
7.4 | webpack-dev-middleware-3.7.3.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-13465 | High |
7.2 | lodash-4.17.21.tgz | Transitive | N/A* | ❌ |
| CVE-2021-23337 | High |
7.2 | lodash.template-4.5.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-23745 | High |
7.1 | tar-6.2.1.tgz | Transitive | N/A* | ❌ |
| CVE-2025-6547 |  Medium |
6.8 | pbkdf2-3.1.2.tgz | Transitive | 5.0.0 | ❌ |
| WS-2022-0008 | Medium |
6.6 | node-forge-0.10.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-30360 | Medium |
6.5 | webpack-dev-server-3.11.1.tgz | Transitive | N/A* | ❌ |
| CVE-2024-43788 | Medium |
6.4 | webpack-4.44.2.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2024-47068 | Medium |
6.1 | rollup-1.32.1.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2022-0122 | Medium |
6.1 | node-forge-0.10.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2021-23436 | Medium |
5.6 | immer-8.0.1.tgz | Transitive | N/A* | ❌ |
| CVE-2024-11831 | Medium |
5.4 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2025-66030 | Medium |
5.3 | node-forge-0.10.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-64718 | Medium |
5.3 | js-yaml-3.14.1.tgz | Transitive | N/A* | ❌ |
| CVE-2025-30359 | Medium |
5.3 | webpack-dev-server-3.11.1.tgz | Transitive | N/A* | ❌ |
| CVE-2024-4067 | Medium |
5.3 | micromatch-3.1.10.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2023-44270 | Medium |
5.3 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2022-25883 | Medium |
5.3 | semver-7.3.2.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2022-24773 | Medium |
5.3 | node-forge-0.10.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2021-23364 | Medium |
5.3 | browserslist-4.14.2.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2020-28469 | Medium |
5.3 | glob-parent-3.1.0.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-32997 | Medium |
4.0 | http-proxy-middleware-0.19.1.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-32996 | Medium |
4.0 | http-proxy-middleware-0.19.1.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-7339 |  Low |
3.4 | on-headers-1.0.2.tgz | Transitive | 5.0.0 | ❌ |
| CVE-2025-59437 | Low |
3.2 | ip-1.1.9.tgz | Transitive | N/A* | ❌ |
| CVE-2025-59436 | Low |
3.2 | ip-1.1.9.tgz | Transitive | N/A* | ❌ |
| CVE-2025-5889 | Low |
3.1 | brace-expansion-1.1.11.tgz | Transitive | 5.0.0 | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (16 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2025-6545
Vulnerable Library - pbkdf2-3.1.2.tgz
This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()
Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.2.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/PiRide/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/pbkdf2/package.json,/projects/oracle-nexus/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/contracts/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/smartship/node_modules/pbkdf2/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/pbkdf2/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- webpack-4.44.2.tgz
- node-libs-browser-2.2.1.tgz
- crypto-browserify-3.12.1.tgz
- ❌ pbkdf2-3.1.2.tgz (Vulnerable Library)
- crypto-browserify-3.12.1.tgz
- node-libs-browser-2.2.1.tgz
- webpack-4.44.2.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js.
This issue affects pbkdf2: from 3.0.10 through 3.1.2.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-23
URL: CVE-2025-6545
CVSS 3 Score Details (10.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-h7cp-r72f-jxh6
Release Date: 2025-06-23
Fix Resolution (pbkdf2): 3.1.3
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
WS-2021-0153
Vulnerable Library - ejs-2.7.4.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: /blockchain_integration/pi_network/pi-browser-app/package.json
Path to vulnerable library: /blockchain_integration/pi_network/pi-browser-app/node_modules/ejs/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/ejs/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- workbox-webpack-plugin-5.1.4.tgz
- workbox-build-5.1.4.tgz
- rollup-plugin-off-main-thread-1.4.2.tgz
- ❌ ejs-2.7.4.tgz (Vulnerable Library)
- rollup-plugin-off-main-thread-1.4.2.tgz
- workbox-build-5.1.4.tgz
- workbox-webpack-plugin-5.1.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.
Publish Date: 2021-01-22
URL: WS-2021-0153
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-01-22
Fix Resolution (ejs): 3.1.6
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2025-61140
Vulnerable Library - jsonpath-1.1.1.tgz
Query JavaScript objects with JSONPath expressions. Robust / safe JSONPath engine for Node.js.
Library home page: https://registry.npmjs.org/jsonpath/-/jsonpath-1.1.1.tgz
Path to dependency file: /blockchain_integration/pi_network/pi-browser-app/package.json
Path to vulnerable library: /blockchain_integration/pi_network/pi-browser-app/node_modules/jsonpath/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/jsonpath/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- bfj-7.1.0.tgz
- ❌ jsonpath-1.1.1.tgz (Vulnerable Library)
- bfj-7.1.0.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.
Publish Date: 2026-01-28
URL: CVE-2025-61140
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6c59-mwgh-r2x6
Release Date: 2026-01-28
Fix Resolution: jsonpath - 1.2.0
Step up your Open Source Security Game with Mend here
CVE-2022-37601
Vulnerable Library - loader-utils-2.0.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.0.tgz
Path to dependency file: /blockchain_integration/pi_network/pi-browser-app/package.json
Path to vulnerable library: /blockchain_integration/pi_network/pi-browser-app/node_modules/react-dev-utils/node_modules/loader-utils/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/react-dev-utils/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- react-dev-utils-11.0.4.tgz
- ❌ loader-utils-2.0.0.tgz (Vulnerable Library)
- react-dev-utils-11.0.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils): 2.0.3
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-29078
Vulnerable Library - ejs-2.7.4.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: /blockchain_integration/pi_network/pi-browser-app/package.json
Path to vulnerable library: /blockchain_integration/pi_network/pi-browser-app/node_modules/ejs/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/ejs/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- workbox-webpack-plugin-5.1.4.tgz
- workbox-build-5.1.4.tgz
- rollup-plugin-off-main-thread-1.4.2.tgz
- ❌ ejs-2.7.4.tgz (Vulnerable Library)
- rollup-plugin-off-main-thread-1.4.2.tgz
- workbox-build-5.1.4.tgz
- workbox-webpack-plugin-5.1.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Publish Date: 2022-04-25
URL: CVE-2022-29078
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~
Release Date: 2022-04-25
Fix Resolution (ejs): 3.1.7
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2021-42740
Vulnerable Library - shell-quote-1.7.2.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz
Path to dependency file: /blockchain_integration/pi_network/pi-browser-app/package.json
Path to vulnerable library: /blockchain_integration/pi_network/pi-browser-app/node_modules/shell-quote/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/shell-quote/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- react-dev-utils-11.0.4.tgz
- ❌ shell-quote-1.7.2.tgz (Vulnerable Library)
- react-dev-utils-11.0.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2021-3757
Vulnerable Library - immer-8.0.1.tgz
Create your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-8.0.1.tgz
Path to dependency file: /blockchain_integration/pi_network/PiSure/client/package.json
Path to vulnerable library: /blockchain_integration/pi_network/PiSure/client/node_modules/immer/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/immer/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- react-dev-utils-11.0.4.tgz
- ❌ immer-8.0.1.tgz (Vulnerable Library)
- react-dev-utils-11.0.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-09-02
URL: CVE-2021-3757
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-c36v-fmgq-m8hx
Release Date: 2021-09-02
Fix Resolution: immer - 9.0.6,immer - 9.0.6
Step up your Open Source Security Game with Mend here
CVE-2024-29415
Vulnerable Library - ip-1.1.9.tgz
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.9.tgz
Path to dependency file: /blockchain_integration/pi_network/PiSure/client/package.json
Path to vulnerable library: /blockchain_integration/pi_network/PiSure/client/node_modules/ip/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/ip/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- webpack-dev-server-3.11.1.tgz
- ❌ ip-1.1.9.tgz (Vulnerable Library)
- webpack-dev-server-3.11.1.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282. We assigned a different CVSS score to this CVE because of its potential to result in a Server-Side Request Forgery (SSRF) vulnerability. Additionally, the package is no longer maintained, which increases the associated risk.
Publish Date: 2024-05-27
URL: CVE-2024-29415
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Step up your Open Source Security Game with Mend here
CVE-2026-23950
Vulnerable Library - tar-6.2.1.tgz
Library home page: https://registry.npmjs.org/tar/-/tar-6.2.1.tgz
Path to dependency file: /blockchain_integration/pi_network/PiSure/client/package.json
Path to vulnerable library: /blockchain_integration/pi_network/PiSure/client/node_modules/tar/package.json,/blockchain_integration/pi_network/smartship/node_modules/tar/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/tar/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- terser-webpack-plugin-4.2.3.tgz
- cacache-15.3.0.tgz
- ❌ tar-6.2.1.tgz (Vulnerable Library)
- cacache-15.3.0.tgz
- terser-webpack-plugin-4.2.3.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the "path-reservations" system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., "ß" and "ss"), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a "PathReservations" system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using "NFD" Unicode normalization (in which "ß" and "ss" are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which "ß" causes an inode collision with "ss")). This enables an attacker to circumvent internal parallelization locks ("PathReservations") using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates "path-reservations.js" to use a normalization form that matches the target filesystem's behavior (e.g., "NFKD"), followed by first "toLocaleLowerCase('en')" and then "toLocaleUpperCase('en')". As a workaround, users who cannot upgrade promptly, and who are programmatically using "node-tar" to extract arbitrary tarball data should filter out all "SymbolicLink" entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
Publish Date: 2026-01-20
URL: CVE-2026-23950
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-r6q2-hw4h-h46w
Release Date: 2026-01-20
Fix Resolution (tar): 7.5.4
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2024-33883
Vulnerable Library - ejs-2.7.4.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: /blockchain_integration/pi_network/pi-browser-app/package.json
Path to vulnerable library: /blockchain_integration/pi_network/pi-browser-app/node_modules/ejs/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/ejs/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- workbox-webpack-plugin-5.1.4.tgz
- workbox-build-5.1.4.tgz
- rollup-plugin-off-main-thread-1.4.2.tgz
- ❌ ejs-2.7.4.tgz (Vulnerable Library)
- rollup-plugin-off-main-thread-1.4.2.tgz
- workbox-build-5.1.4.tgz
- workbox-webpack-plugin-5.1.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
Publish Date: 2024-04-28
URL: CVE-2024-33883
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-33883
Release Date: 2024-04-28
Fix Resolution: ejs - 3.1.10
Step up your Open Source Security Game with Mend here
CVE-2025-9288
Vulnerable Library - sha.js-2.4.11.tgz
Streamable SHA hashes in pure javascript
Library home page: https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz
Path to dependency file: /blockchain_integration/pi_network/contracts/package.json
Path to vulnerable library: /blockchain_integration/pi_network/contracts/node_modules/sha.js/package.json,/blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/sha.js/package.json,/blockchain_integration/pi_network/smartship/node_modules/sha.js/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/sha.js/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/sha.js/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/sha.js/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/sha.js/package.json,/projects/oracle-nexus/node_modules/sha.js/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/sha.js/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/sha.js/package.json,/blockchain_integration/pi_network/node_modules/sha.js/package.json,/blockchain_integration/pi_network/PiRide/node_modules/sha.js/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/sha.js/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/sha.js/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- webpack-4.44.2.tgz
- node-libs-browser-2.2.1.tgz
- crypto-browserify-3.12.1.tgz
- create-hash-1.2.0.tgz
- ❌ sha.js-2.4.11.tgz (Vulnerable Library)
- create-hash-1.2.0.tgz
- crypto-browserify-3.12.1.tgz
- node-libs-browser-2.2.1.tgz
- webpack-4.44.2.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in sha.js allows Input Data Manipulation.This issue affects sha.js: through 2.4.11.
Publish Date: 2025-08-20
URL: CVE-2025-9288
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-08-20
Fix Resolution (sha.js): 2.4.12
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2025-7783
Vulnerable Library - form-data-3.0.3.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-3.0.3.tgz
Path to dependency file: /blockchain_integration/pi_network/PiSure/client/package.json
Path to vulnerable library: /blockchain_integration/pi_network/PiSure/client/node_modules/form-data/package.json,/blockchain_integration/pi_network/PiShield/node_modules/form-data/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/form-data/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/form-data/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- jest-26.6.0.tgz
- jest-cli-26.6.3.tgz
- jest-config-26.6.3.tgz
- jest-environment-jsdom-26.6.2.tgz
- jsdom-16.7.0.tgz
- ❌ form-data-3.0.3.tgz (Vulnerable Library)
- jsdom-16.7.0.tgz
- jest-environment-jsdom-26.6.2.tgz
- jest-config-26.6.3.tgz
- jest-cli-26.6.3.tgz
- jest-26.6.0.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-18
URL: CVE-2025-7783
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-fjxv-7rqg-78g4
Release Date: 2025-07-18
Fix Resolution (form-data): 3.0.4
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2025-12816
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /blockchain_integration/pi_network/PiSure/client/package.json
Path to vulnerable library: /blockchain_integration/pi_network/PiSure/client/node_modules/node-forge/package.json,/projects/PiWalletBot/node_modules/node-forge/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/node-forge/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- webpack-dev-server-3.11.1.tgz
- selfsigned-1.10.14.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
- selfsigned-1.10.14.tgz
- webpack-dev-server-3.11.1.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Publish Date: 2025-11-25
URL: CVE-2025-12816
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-5gfm-wpxj-wjgq
Release Date: 2025-11-25
Fix Resolution (node-forge): 1.3.2
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2026-24842
Vulnerable Library - tar-6.2.1.tgz
Library home page: https://registry.npmjs.org/tar/-/tar-6.2.1.tgz
Path to dependency file: /blockchain_integration/pi_network/PiSure/client/package.json
Path to vulnerable library: /blockchain_integration/pi_network/PiSure/client/node_modules/tar/package.json,/blockchain_integration/pi_network/smartship/node_modules/tar/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/tar/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- terser-webpack-plugin-4.2.3.tgz
- cacache-15.3.0.tgz
- ❌ tar-6.2.1.tgz (Vulnerable Library)
- cacache-15.3.0.tgz
- terser-webpack-plugin-4.2.3.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Publish Date: 2026-01-28
URL: CVE-2026-24842
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-28
Fix Resolution (tar): 7.5.7
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2025-66031
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /blockchain_integration/pi_network/PiSure/client/package.json
Path to vulnerable library: /blockchain_integration/pi_network/PiSure/client/node_modules/node-forge/package.json,/projects/PiWalletBot/node_modules/node-forge/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/node-forge/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- webpack-dev-server-3.11.1.tgz
- selfsigned-1.10.14.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
- selfsigned-1.10.14.tgz
- webpack-dev-server-3.11.1.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.
Publish Date: 2025-11-26
URL: CVE-2025-66031
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-554w-wpv2-vw27
Release Date: 2025-11-26
Fix Resolution (node-forge): 1.3.2
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2025-15284
Vulnerable Libraries - qs-6.14.0.tgz, qs-6.13.0.tgz
qs-6.14.0.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.14.0.tgz
Path to dependency file: /blockchain_integration/pi_network/pi-browser-app/package.json
Path to vulnerable library: /blockchain_integration/pi_network/pi-browser-app/node_modules/qs/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/qs/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- webpack-dev-server-3.11.1.tgz
- url-0.11.4.tgz
- ❌ qs-6.14.0.tgz (Vulnerable Library)
- url-0.11.4.tgz
- webpack-dev-server-3.11.1.tgz
qs-6.13.0.tgz
Library home page: https://registry.npmjs.org/qs/-/qs-6.13.0.tgz
Path to dependency file: /blockchain_integration/pi_network/PiRide/package.json
Path to vulnerable library: /blockchain_integration/pi_network/PiRide/node_modules/qs/package.json,/blockchain_integration/pi_network/node_modules/qs/package.json,/server/node_modules/qs/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/qs/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/express/node_modules/qs/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/body-parser/node_modules/qs/package.json,/pi-nexus-api/node_modules/qs/package.json,/ai-financial-advisor/node_modules/qs/package.json,/projects/oracle-nexus/node_modules/qs/package.json,/projects/PiWalletBot/node_modules/qs/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/express/node_modules/qs/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/qs/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/qs/package.json,/blockchain_integration/pi_network/PiSure/server/node_modules/qs/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/qs/package.json,/blockchain_integration/pi_network/onramp-pi/node_modules/qs/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/qs/package.json,/blockchain_integration/pi_network/smartship/node_modules/qs/package.json,/projects/Nexarion/node_modules/qs/package.json,/blockchain_integration/pi_network/contracts/node_modules/qs/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/qs/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/body-parser/node_modules/qs/package.json
Dependency Hierarchy:
- react-scripts-4.0.3.tgz (Root Library)
- webpack-dev-server-3.11.1.tgz
- express-4.21.2.tgz
- ❌ qs-6.13.0.tgz (Vulnerable Library)
- express-4.21.2.tgz
- webpack-dev-server-3.11.1.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1.
SummaryThe arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable.
DetailsThe arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).
Vulnerable code (lib/parse.js:159-162):
if (root === '[]' && options.parseArrays) {
obj = utils.combine([], leaf); // No arrayLimit check
}
Working code (lib/parse.js:175):
else if (index <= options.arrayLimit) { // Limit checked here
obj = [];
obj[index] = leaf;
}
The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.
PoCTest 1 - Basic bypass:
npm install qs
const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length); // Output: 6 (should be max 5)
Test 2 - DoS demonstration:
const qs = require('qs');
const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
const result = qs.parse(attack, { arrayLimit: 100 });
console.log(result.a.length); // Output: 10000 (should be max 100)
Configuration:
- arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2)
- Use bracket notation: a[]=value (not indexed a[0]=value)
ImpactDenial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection.
Attack scenario: - Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times)
- Application parses with qs.parse(query, { arrayLimit: 100 })
- qs ignores limit, parses all 100,000 elements into array
- Server memory exhausted → application crashes or becomes unresponsive
- Service unavailable for all users
Real-world impact: - Single malicious request can crash server
- No authentication required
- Easy to automate and scale
- Affects any endpoint parsing query strings with bracket notation
Publish Date: 2025-12-29
URL: CVE-2025-15284
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6rw7-vpxm-498p
Release Date: 2025-12-29
Fix Resolution (qs): 6.14.1
Direct dependency fix Resolution (react-scripts): 5.0.0
Fix Resolution (qs): 6.14.1
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend here