
CVE-2024-21523
https://notcve.org/view.php?id=CVE-2024-21523
10 Jul 2024 — All versions of the package `images` are vulnerable to Denial of Service (DoS): passing unexpected input types to several different functions reaches an assert macro, which crashes the process. **Note:** Passing certain integer values (such as 0) to the size function instead triggers a segmentation fault, which also crashes the process. • https://gist.github.com/dellalibera/8b4ea6b4db84cba212e6e6e39a6933d1 • CWE-241: Improper Handling of Unexpected Data Type CWE-400: Uncontrolled Resource Consumption •

CVE-2024-25354
https://notcve.org/view.php?id=CVE-2024-25354
27 Mar 2024 — Regular-expression denial of service (ReDoS) in domain-suffix 1.0.8 allows attackers to make the application unresponsive via crafted input to the parse function. • https://gist.github.com/6en6ar/c3b11b4058b8e2bc54717408d451fb79 •

CVE-2022-25883 – nodejs-semver: Regular expression denial of service
https://notcve.org/view.php?id=CVE-2022-25883
21 Jun 2023 — Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `new Range` function when untrusted user data is provided as a range. A crafted range string makes the parser consume CPU time that grows with the input size, resulting in a denial of service. • https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104 • CWE-1333: Inefficient Regular Expression Complexity •

CVE-2022-29244 – npm packing does not respect root-level ignore files in workspaces
https://notcve.org/view.php?id=CVE-2022-29244
13 Jun 2022 — npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=

CVE-2021-43616 – npm: npm ci succeeds when package-lock.json doesn't match package.json
https://notcve.org/view.php?id=CVE-2021-43616
13 Nov 2021 — The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependenc... • https://github.com/icatalina/CVE-2021-43616 • CWE-345: Insufficient Verification of Data Authenticity •

CVE-2021-39135 – UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
https://notcve.org/view.php?id=CVE-2021-39135
31 Aug 2021 — `@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, ... • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-61: UNIX Symbolic Link (Symlink) Following •

CVE-2021-39134 – UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
https://notcve.org/view.php?id=CVE-2021-39134
31 Aug 2021 — `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in `package.json` manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies. When multi... • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf • CWE-61: UNIX Symbolic Link (Symlink) Following CWE-178: Improper Handling of Case Sensitivity •

CVE-2021-37713 – Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
https://notcve.org/view.php?id=CVE-2021-37713
31 Aug 2021 — The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory... • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2021-37701 – Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
https://notcve.org/view.php?id=CVE-2021-37701
31 Aug 2021 — The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. ... • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVE-2021-37712 – Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
https://notcve.org/view.php?id=CVE-2021-37712
31 Aug 2021 — The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.... • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •