Skip to content

eslint-5.4.0.tgz: 12 vulnerabilities (highest severity is: 9.3) [master] #139

New issue
New issue
Open
Open
eslint-5.4.0.tgz: 12 vulnerabilities (highest severity is: 9.3) [master]#139
@mend-developer-platform-dev

Description

@mend-developer-platform-dev
mend-developer-platform-dev
bot
opened on Sep 30, 2025
📂 Vulnerable Library - eslint-5.4.0.tgz

An AST-based pattern checker for JavaScript.

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/eslint/package.json

Findings

Finding Severity 🎯 CVSS Exploit Maturity EPSS Library Type Fixed in Remediation Available Reachability
CVE-2019-15657 🟣 Critical 9.3 Not Defined 1.0% eslint-utils-1.3.1.tgz Transitive N/A
CVE-2021-3807 🔴 High 8.7 Not Defined < 1% ansi-regex-3.0.0.tgz Transitive N/A
CVE-2022-3517 🔴 High 8.7 Not Defined < 1% minimatch-3.0.4.tgz Transitive N/A
CVE-2020-8203 🔴 High 8.3 Not Defined 2.4% lodash-4.17.10.tgz Direct lodash - 4.17.19,lodash-es - 4.17.20
WS-2019-0063 🔴 High 8.1 N/A N/A js-yaml-3.12.0.tgz Transitive N/A
WS-2019-0032 🔴 High 7.5 N/A N/A js-yaml-3.12.0.tgz Transitive N/A
WS-2020-0042 🔴 High 7.5 N/A N/A acorn-5.7.1.tgz Transitive N/A
CVE-2021-23337 🔴 High 7.3 Proof of concept < 1% lodash-4.17.10.tgz Direct lodash-es - 4.17.21,lodash - 4.17.21
CVE-2019-1010266 🔴 High 7.1 Not Defined < 1% lodash-4.17.10.tgz Direct lodash-amd - 4.17.11,lodash-es - 4.17.11,lodash - 4.17.11
CVE-2020-15366 🟠 Medium 6.3 Not Defined < 1% ajv-6.5.2.tgz Transitive N/A
CVE-2020-28500 🟠 Medium 5.5 Proof of concept < 1% lodash-4.17.10.tgz Direct lodash - 4.17.21,lodash-es - 4.17.21
CVE-2025-54798 🟡 Low 2.0 Not Defined < 1% tmp-0.0.33.tgz Transitive N/A

Details

🟣CVE-2019-15657

Vulnerable Library - eslint-utils-1.3.1.tgz

Utilities for ESLint plugins.

Library home page: https://registry.npmjs.org/eslint-utils/-/eslint-utils-1.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/eslint-utils/package.json

Dependency Hierarchy:

  • eslint-5.4.0.tgz (Root Library)
    • eslint-utils-1.3.1.tgz (Vulnerable Library)

Vulnerability Details

In eslint-utils before 1.4.1, the getStaticValue function can execute arbitrary code.

Publish Date: Aug 26, 2019 10:55 PM

URL: CVE-2019-15657

Threat Assessment

Exploit Maturity:Not Defined

EPSS:1.0%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-3gx7-xhv7-5mx3

Release Date: Aug 26, 2019 10:55 PM

Fix Resolution : eslint-utils - 1.4.1,https://github.com/mysticatea/eslint-utils.git - no_fix

🔴CVE-2021-3807

Vulnerable Library - ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pretty-format/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • lint-staged-7.2.2.tgz (Root Library)

    • jest-validate-23.5.0.tgz
      • pretty-format-23.5.0.tgz
        • ansi-regex-3.0.0.tgz (Vulnerable Library)

  • eslint-5.4.0.tgz (Root Library)

    • table-4.0.3.tgz
      • string-width-2.1.1.tgz
        • strip-ansi-4.0.0.tgz
          • ansi-regex-3.0.0.tgz (Vulnerable Library)

  • concurrently-4.0.1.tgz (Root Library)

    • yargs-12.0.1.tgz
      • cliui-4.1.0.tgz
        • strip-ansi-4.0.0.tgz
          • ansi-regex-3.0.0.tgz (Vulnerable Library)

  • webpack-cli-3.1.0.tgz (Root Library)

    • yargs-12.0.1.tgz
      • cliui-4.1.0.tgz
        • strip-ansi-4.0.0.tgz
          • ansi-regex-3.0.0.tgz (Vulnerable Library)

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: Sep 17, 2021 12:00 AM

URL: CVE-2021-3807

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/CVE-2021-3807

Release Date: Sep 17, 2021 12:00 AM

Fix Resolution : https://github.com/chalk/ansi-regex.git - no_fix,ansi-regex - 6.0.1,ansi-regex - 4.1.1,ansi-regex - 5.0.1,ansi-regex - 3.0.1

🔴CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Dependency Hierarchy:

  • node-sass-4.9.3.tgz (Root Library)

    • true-case-path-1.0.2.tgz
      • glob-6.0.4.tgz
        • minimatch-3.0.4.tgz (Vulnerable Library)

  • babel-cli-6.26.0.tgz (Root Library)

    • chokidar-1.7.0.tgz
      • fsevents-1.2.4.tgz
        • node-pre-gyp-0.10.0.tgz
          • rimraf-2.6.2.tgz
            • glob-7.1.2.tgz
              • minimatch-3.0.4.tgz (Vulnerable Library)

  • babel-core-6.26.3.tgz (Root Library)

    • minimatch-3.0.4.tgz (Vulnerable Library)

  • eslint-plugin-import-2.14.0.tgz (Root Library)

    • minimatch-3.0.4.tgz (Vulnerable Library)

  • eslint-5.4.0.tgz (Root Library)

    • minimatch-3.0.4.tgz (Vulnerable Library)

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: Oct 17, 2022 12:00 AM

URL: CVE-2022-3517

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin: GHSA-f8q6-p94x-37v3

Release Date: Oct 17, 2022 12:00 AM

Fix Resolution : minimatch - 3.0.5

🔴CVE-2020-8203

Vulnerable Library - lodash-4.17.10.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • html-webpack-plugin-3.2.0.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • react-chartjs-2-2.7.4.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • redux-form-7.4.2.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • babel-core-6.26.3.tgz (Root Library)

    • babel-generator-6.26.1.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • lint-staged-7.2.2.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • eslint-5.4.0.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • concurrently-4.0.1.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • webpack-cli-3.1.0.tgz (Root Library)

    • inquirer-6.0.0.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • lodash-4.17.10.tgz (Vulnerable Library)

  • node-sass-4.9.3.tgz (Root Library)

    • sass-graph-2.2.4.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • babel-cli-6.26.0.tgz (Root Library)

    • babel-register-6.26.0.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • babel-eslint-8.2.6.tgz (Root Library)

    • traverse-7.0.0-beta.44.tgz
      • generator-7.0.0-beta.44.tgz
        • lodash-4.17.10.tgz (Vulnerable Library)

  • babel-preset-env-1.7.0.tgz (Root Library)

    • babel-plugin-transform-es2015-sticky-regex-6.24.1.tgz
      • babel-helper-regex-6.26.0.tgz
        • lodash-4.17.10.tgz (Vulnerable Library)

  • eslint-plugin-import-2.14.0.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • winston-3.0.0.tgz (Root Library)

    • async-2.6.1.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • react-redux-5.0.7.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: Jul 15, 2020 04:10 PM

URL: CVE-2020-8203

Threat Assessment

Exploit Maturity:Not Defined

EPSS:2.4%

Score: 8.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-p6mc-m468-83gw

Release Date: Jul 15, 2020 04:10 PM

Fix Resolution : lodash - 4.17.19,lodash-es - 4.17.20

🔴WS-2019-0063

Vulnerable Library - js-yaml-3.12.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/js-yaml/package.json

Dependency Hierarchy:

  • cssnano-4.1.0.tgz (Root Library)

    • cosmiconfig-5.0.6.tgz
      • js-yaml-3.12.0.tgz (Vulnerable Library)

  • lint-staged-7.2.2.tgz (Root Library)

    • cosmiconfig-5.0.6.tgz
      • js-yaml-3.12.0.tgz (Vulnerable Library)

  • postcss-loader-3.0.0.tgz (Root Library)

    • postcss-load-config-2.0.0.tgz
      • cosmiconfig-4.0.0.tgz
        • js-yaml-3.12.0.tgz (Vulnerable Library)

  • eslint-5.4.0.tgz (Root Library)

    • js-yaml-3.12.0.tgz (Vulnerable Library)

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: Apr 05, 2019 04:07 PM

URL: WS-2019-0063

Threat Assessment

Exploit Maturity:N/A

EPSS:N/A

Score: 8.1

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: Apr 05, 2019 04:07 PM

Fix Resolution : js-yaml - 3.13.1

🔴WS-2019-0032

Vulnerable Library - js-yaml-3.12.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/js-yaml/package.json

Dependency Hierarchy:

  • cssnano-4.1.0.tgz (Root Library)

    • cosmiconfig-5.0.6.tgz
      • js-yaml-3.12.0.tgz (Vulnerable Library)

  • lint-staged-7.2.2.tgz (Root Library)

    • cosmiconfig-5.0.6.tgz
      • js-yaml-3.12.0.tgz (Vulnerable Library)

  • postcss-loader-3.0.0.tgz (Root Library)

    • postcss-load-config-2.0.0.tgz
      • cosmiconfig-4.0.0.tgz
        • js-yaml-3.12.0.tgz (Vulnerable Library)

  • eslint-5.4.0.tgz (Root Library)

    • js-yaml-3.12.0.tgz (Vulnerable Library)

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: Mar 20, 2019 05:12 PM

URL: WS-2019-0032

Threat Assessment

Exploit Maturity:N/A

EPSS:N/A

Score: 7.5

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: Mar 20, 2019 05:12 PM

Fix Resolution : js-yaml - 3.13.0

🔴WS-2020-0042

Vulnerable Library - acorn-5.7.1.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/acorn/package.json

Dependency Hierarchy:

  • webpack-4.17.1.tgz (Root Library)

    • acorn-5.7.1.tgz (Vulnerable Library)

  • eslint-5.4.0.tgz (Root Library)

    • espree-4.0.0.tgz
      • acorn-jsx-4.1.1.tgz
        • acorn-5.7.1.tgz (Vulnerable Library)

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: Mar 01, 2020 12:31 PM

URL: WS-2020-0042

Threat Assessment

Exploit Maturity:N/A

EPSS:N/A

Score: 7.5

Suggested Fix

Type: Upgrade version

Origin: GHSA-6chw-6frg-f759

Release Date: Mar 01, 2020 12:31 PM

Fix Resolution : acorn - 5.7.4,6.4.1,7.1.1

🔴CVE-2021-23337

Vulnerable Library - lodash-4.17.10.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • html-webpack-plugin-3.2.0.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • react-chartjs-2-2.7.4.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • redux-form-7.4.2.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • babel-core-6.26.3.tgz (Root Library)

    • babel-generator-6.26.1.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • lint-staged-7.2.2.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • eslint-5.4.0.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • concurrently-4.0.1.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • webpack-cli-3.1.0.tgz (Root Library)

    • inquirer-6.0.0.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • lodash-4.17.10.tgz (Vulnerable Library)

  • node-sass-4.9.3.tgz (Root Library)

    • sass-graph-2.2.4.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • babel-cli-6.26.0.tgz (Root Library)

    • babel-register-6.26.0.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • babel-eslint-8.2.6.tgz (Root Library)

    • traverse-7.0.0-beta.44.tgz
      • generator-7.0.0-beta.44.tgz
        • lodash-4.17.10.tgz (Vulnerable Library)

  • babel-preset-env-1.7.0.tgz (Root Library)

    • babel-plugin-transform-es2015-sticky-regex-6.24.1.tgz
      • babel-helper-regex-6.26.0.tgz
        • lodash-4.17.10.tgz (Vulnerable Library)

  • eslint-plugin-import-2.14.0.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • winston-3.0.0.tgz (Root Library)

    • async-2.6.1.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • react-redux-5.0.7.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: Feb 15, 2021 12:15 PM

URL: CVE-2021-23337

Threat Assessment

Exploit Maturity:Proof of concept

EPSS:< 1%

Score: 7.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: Feb 15, 2021 12:15 PM

Fix Resolution : lodash-es - 4.17.21,lodash - 4.17.21

🔴CVE-2019-1010266

Vulnerable Library - lodash-4.17.10.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • html-webpack-plugin-3.2.0.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • react-chartjs-2-2.7.4.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • redux-form-7.4.2.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • babel-core-6.26.3.tgz (Root Library)

    • babel-generator-6.26.1.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • lint-staged-7.2.2.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • eslint-5.4.0.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • concurrently-4.0.1.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • webpack-cli-3.1.0.tgz (Root Library)

    • inquirer-6.0.0.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • lodash-4.17.10.tgz (Vulnerable Library)

  • node-sass-4.9.3.tgz (Root Library)

    • sass-graph-2.2.4.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • babel-cli-6.26.0.tgz (Root Library)

    • babel-register-6.26.0.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • babel-eslint-8.2.6.tgz (Root Library)

    • traverse-7.0.0-beta.44.tgz
      • generator-7.0.0-beta.44.tgz
        • lodash-4.17.10.tgz (Vulnerable Library)

  • babel-preset-env-1.7.0.tgz (Root Library)

    • babel-plugin-transform-es2015-sticky-regex-6.24.1.tgz
      • babel-helper-regex-6.26.0.tgz
        • lodash-4.17.10.tgz (Vulnerable Library)

  • eslint-plugin-import-2.14.0.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • winston-3.0.0.tgz (Root Library)

    • async-2.6.1.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • react-redux-5.0.7.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: Jul 17, 2019 08:25 PM

URL: CVE-2019-1010266

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-x5rq-j2xg-h7qm

Release Date: Jul 17, 2019 08:25 PM

Fix Resolution : lodash-amd - 4.17.11,lodash-es - 4.17.11,lodash - 4.17.11

🟠CVE-2020-15366

Vulnerable Library - ajv-6.5.2.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-6.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ajv/package.json

Dependency Hierarchy:

  • webpack-4.17.1.tgz (Root Library)

    • ajv-6.5.2.tgz (Vulnerable Library)

  • postcss-loader-3.0.0.tgz (Root Library)

    • schema-utils-1.0.0.tgz
      • ajv-6.5.2.tgz (Vulnerable Library)

  • eslint-5.4.0.tgz (Root Library)

    • table-4.0.3.tgz
      • ajv-6.5.2.tgz (Vulnerable Library)

  • mini-css-extract-plugin-0.4.2.tgz (Root Library)

    • schema-utils-1.0.0.tgz
      • ajv-6.5.2.tgz (Vulnerable Library)

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: Jul 15, 2020 07:14 PM

URL: CVE-2020-15366

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 6.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-v88g-cgmw-v5xw

Release Date: Jul 15, 2020 07:14 PM

Fix Resolution : ajv - 6.12.3

🟠CVE-2020-28500

Vulnerable Library - lodash-4.17.10.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • html-webpack-plugin-3.2.0.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • react-chartjs-2-2.7.4.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • redux-form-7.4.2.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • babel-core-6.26.3.tgz (Root Library)

    • babel-generator-6.26.1.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • lint-staged-7.2.2.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • eslint-5.4.0.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • concurrently-4.0.1.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • webpack-cli-3.1.0.tgz (Root Library)

    • inquirer-6.0.0.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • lodash-4.17.10.tgz (Vulnerable Library)

  • node-sass-4.9.3.tgz (Root Library)

    • sass-graph-2.2.4.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • babel-cli-6.26.0.tgz (Root Library)

    • babel-register-6.26.0.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • babel-eslint-8.2.6.tgz (Root Library)

    • traverse-7.0.0-beta.44.tgz
      • generator-7.0.0-beta.44.tgz
        • lodash-4.17.10.tgz (Vulnerable Library)

  • babel-preset-env-1.7.0.tgz (Root Library)

    • babel-plugin-transform-es2015-sticky-regex-6.24.1.tgz
      • babel-helper-regex-6.26.0.tgz
        • lodash-4.17.10.tgz (Vulnerable Library)

  • eslint-plugin-import-2.14.0.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

  • winston-3.0.0.tgz (Root Library)

    • async-2.6.1.tgz
      • lodash-4.17.10.tgz (Vulnerable Library)

  • react-redux-5.0.7.tgz (Root Library)

    • lodash-4.17.10.tgz (Vulnerable Library)

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: Feb 15, 2021 11:10 AM

URL: CVE-2020-28500

Threat Assessment

Exploit Maturity:Proof of concept

EPSS:< 1%

Score: 5.5

Suggested Fix

Type: Upgrade version

Origin: GHSA-29mw-wpgm-hmr9

Release Date: Feb 15, 2021 11:10 AM

Fix Resolution : lodash - 4.17.21,lodash-es - 4.17.21

🟡CVE-2025-54798

Vulnerable Library - tmp-0.0.33.tgz

Temporary file and directory creator

Library home page: https://registry.npmjs.org/tmp/-/tmp-0.0.33.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tmp/package.json

Dependency Hierarchy:

  • eslint-5.4.0.tgz (Root Library)

    • inquirer-5.2.0.tgz
      • external-editor-2.2.0.tgz
        • tmp-0.0.33.tgz (Vulnerable Library)

  • webpack-cli-3.1.0.tgz (Root Library)

    • inquirer-6.0.0.tgz
      • external-editor-3.0.0.tgz
        • tmp-0.0.33.tgz (Vulnerable Library)

Vulnerability Details

tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4.

Publish Date: Aug 07, 2025 12:04 AM

URL: CVE-2025-54798

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 2.0

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/CVE-2025-54798

Release Date: Aug 07, 2025 12:04 AM

Fix Resolution : https://github.com/raszi/node-tmp.git - no_fix

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions