Description
Vulnerable Library - react-scripts-5.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/recursive-readdir/node_modules/minimatch/package.json
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (react-scripts version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2026-33228 | 9.8 | flatted-3.2.5.tgz | Transitive | N/A* | ❌ |
| CVE-2023-28154 | 9.8 | webpack-5.72.1.tgz | Transitive | N/A* | ❌ |
| CVE-2022-37601 | 9.8 | loader-utils-2.0.2.tgz | Transitive | N/A* | ❌ |
| CVE-2023-45133 | 9.3 | traverse-7.18.2.tgz | Transitive | N/A* | ❌ |
| CVE-2026-27606 | 9.1 | rollup-2.75.3.tgz | Transitive | N/A* | ❌ |
| CVE-2025-7783 | 8.7 | form-data-3.0.1.tgz | Transitive | N/A* | ❌ |
| CVE-2025-12816 | 8.6 | node-forge-1.3.1.tgz | Transitive | N/A* | ❌ |
| CVE-2026-32141 | 7.5 | flatted-3.2.5.tgz | Transitive | N/A* | ❌ |
| CVE-2026-29074 | 7.5 | svgo-2.8.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-27904 | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2026-27903 | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2026-26996 | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2025-66031 | 7.5 | node-forge-1.3.1.tgz | Transitive | N/A* | ❌ |
| CVE-2024-52798 | 7.5 | path-to-regexp-0.1.7.tgz | Transitive | N/A* | ❌ |
| CVE-2024-45590 | 7.5 | body-parser-1.20.0.tgz | Transitive | N/A* | ❌ |
| CVE-2024-45296 | 7.5 | path-to-regexp-0.1.7.tgz | Transitive | N/A* | ❌ |
| CVE-2024-4068 | 7.5 | braces-3.0.2.tgz | Transitive | N/A* | ❌ |
| CVE-2024-37890 | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2024-21538 | 7.5 | cross-spawn-7.0.3.tgz | Transitive | N/A* | ❌ |
| CVE-2024-21536 | 7.5 | http-proxy-middleware-2.0.6.tgz | Transitive | N/A* | ❌ |
| CVE-2022-37603 | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2022-37599 | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2022-3517 | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | ❌ |
| CVE-2021-3803 | 7.5 | nth-check-1.0.2.tgz | Transitive | N/A* | ❌ |
| CVE-2024-29180 | 7.4 | webpack-dev-middleware-5.3.3.tgz | Transitive | N/A* | ❌ |
| CVE-2023-26159 | 7.3 | follow-redirects-1.15.1.tgz | Transitive | N/A* | ❌ |
| CVE-2022-46175 | 7.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2025-30360 | 6.5 | webpack-dev-server-4.9.0.tgz | Transitive | N/A* | ❌ |
| CVE-2024-28849 | 6.5 | follow-redirects-1.15.1.tgz | Transitive | N/A* | ❌ |
| CVE-2023-26136 | 6.5 | tough-cookie-4.0.0.tgz | Transitive | N/A* | ❌ |
| CVE-2024-43788 | 6.4 | webpack-5.72.1.tgz | Transitive | N/A* | ❌ |
| CVE-2025-27789 | 6.2 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2024-47068 | 6.1 | rollup-2.75.3.tgz | Transitive | N/A* | ❌ |
| CVE-2024-29041 | 6.1 | express-4.18.1.tgz | Transitive | N/A* | ❌ |
| CVE-2024-11831 | 5.4 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2025-66030 | 5.3 | node-forge-1.3.1.tgz | Transitive | N/A* | ❌ |
| CVE-2025-64718 | 5.3 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2025-30359 | 5.3 | webpack-dev-server-4.9.0.tgz | Transitive | N/A* | ❌ |
| CVE-2024-47764 | 5.3 | cookie-0.5.0.tgz | Transitive | N/A* | ❌ |
| CVE-2024-4067 | 5.3 | micromatch-4.0.5.tgz | Transitive | N/A* | ❌ |
| CVE-2023-44270 | 5.3 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2023-26115 | 5.3 | word-wrap-1.2.3.tgz | Transitive | N/A* | ❌ |
| CVE-2022-25883 | 5.3 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2022-25858 | 5.3 | terser-5.14.0.tgz | Transitive | N/A* | ❌ |
| CVE-2024-43800 | 5.0 | serve-static-1.15.0.tgz | Transitive | N/A* | ❌ |
| CVE-2024-43799 | 5.0 | send-0.18.0.tgz | Transitive | N/A* | ❌ |
| CVE-2024-43796 | 5.0 | express-4.18.1.tgz | Transitive | N/A* | ❌ |
| CVE-2024-55565 | 4.3 | nanoid-3.3.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-32997 | 4.0 | http-proxy-middleware-2.0.6.tgz | Transitive | N/A* | ❌ |
| CVE-2025-32996 | 4.0 | http-proxy-middleware-2.0.6.tgz | Transitive | N/A* | ❌ |
| CVE-2024-33883 | 4.0 | ejs-3.1.8.tgz | Transitive | N/A* | ❌ |
| CVE-2026-2391 | 3.7 | qs-6.10.3.tgz | Transitive | N/A* | ❌ |
| CVE-2025-68458 | 3.7 | webpack-5.72.1.tgz | Transitive | N/A* | ❌ |
| CVE-2025-68157 | 3.7 | webpack-5.72.1.tgz | Transitive | N/A* | ❌ |
| CVE-2025-15284 | 3.7 | qs-6.10.3.tgz | Transitive | N/A* | ❌ |
| CVE-2025-7339 | 3.4 | on-headers-1.0.2.tgz | Transitive | N/A* | ❌ |
| CVE-2026-3449 | 3.3 | once-1.1.2.tgz | Transitive | N/A* | ❌ |
| CVE-2025-5889 | 3.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2025-69873 | 2.9 | detected in multiple dependencies | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
Partial details (16 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2026-33228
Vulnerable Library - flatted-3.2.5.tgz
A super light and fast circular JSON parser.
Library home page: https://registry.npmjs.org/flatted/-/flatted-3.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/flatted/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - eslint-8.16.0.tgz
    - file-entry-cache-6.0.1.tgz
      - flat-cache-3.0.4.tgz
        - ❌ flatted-3.2.5.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key `__proto__` returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-03-20
URL: CVE-2026-33228
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-rf6f-7fwh-wjgh
Release Date: 2026-03-19
Fix Resolution: flatted - 3.4.2
Step up your Open Source Security Game with Mend here
CVE-2023-28154
Vulnerable Library - webpack-5.72.1.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.72.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/webpack/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - ❌ webpack-5.72.1.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Publish Date: 2023-03-13
URL: CVE-2023-28154
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2023-03-13
Fix Resolution: webpack - 5.76.0
CVE-2022-37601
Vulnerable Library - loader-utils-2.0.2.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - file-loader-6.2.0.tgz
    - ❌ loader-utils-2.0.2.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution: loader-utils - 1.4.1, 2.0.3
CVE-2023-45133
Vulnerable Library - traverse-7.18.2.tgz
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.18.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/traverse/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - core-7.18.2.tgz
    - ❌ traverse-7.18.2.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Babel is a compiler for writing JavaScript. In "@babel/traverse" prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of "babel-traverse", using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the "path.evaluate()" or "path.evaluateTruthy()" internal Babel methods. Known affected plugins are "@babel/plugin-transform-runtime"; "@babel/preset-env" when using its "useBuiltIns" option; and any "polyfill provider" plugin that depends on "@babel/helper-define-polyfill-provider", such as "babel-plugin-polyfill-corejs3", "babel-plugin-polyfill-corejs2", "babel-plugin-polyfill-es-shims", "babel-plugin-polyfill-regenerator". No other plugins under the "@babel/" namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in "@babel/traverse@7.23.2" and "@babel/traverse@8.0.0-alpha.4". Those who cannot upgrade "@babel/traverse" and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected "@babel/traverse" versions: "@babel/plugin-transform-runtime" v7.23.2, "@babel/preset-env" v7.23.2, "@babel/helper-define-polyfill-provider" v0.4.3, "babel-plugin-polyfill-corejs2" v0.4.6, "babel-plugin-polyfill-corejs3" v0.8.5, "babel-plugin-polyfill-es-shims" v0.10.0, "babel-plugin-polyfill-regenerator" v0.5.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-10-12
URL: CVE-2023-45133
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: 2023-10-12
Fix Resolution: @babel/traverse - 7.23.2
CVE-2026-27606
Vulnerable Library - rollup-2.75.3.tgz
Next-generation ES module bundler
Library home page: https://registry.npmjs.org/rollup/-/rollup-2.75.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/rollup/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - workbox-webpack-plugin-6.5.3.tgz
    - workbox-build-6.5.3.tgz
      - ❌ rollup-2.75.3.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) are vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences ("../") to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
Publish Date: 2026-02-25
URL: CVE-2026-27606
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-25
Fix Resolution: https://github.com/rollup/rollup.git - v2.80.0, https://github.com/rollup/rollup.git - v3.30.0, https://github.com/rollup/rollup.git - v4.59.0
CVE-2025-7783
Vulnerable Library - form-data-3.0.1.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-3.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/form-data/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - jest-27.5.1.tgz
    - jest-cli-27.5.1.tgz
      - jest-config-27.5.1.tgz
        - jest-environment-jsdom-27.5.1.tgz
          - jsdom-16.7.0.tgz
            - ❌ form-data-3.0.1.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program file lib/form_data.js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-18
URL: CVE-2025-7783
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-fjxv-7rqg-78g4
Release Date: 2025-07-18
Fix Resolution: form-data - 2.5.4, form-data - 3.0.4, form-data - 4.0.4, https://github.com/form-data/form-data.git - v2.5.4, https://github.com/form-data/form-data.git - v3.0.4, https://github.com/form-data/form-data.git - v4.0.4
CVE-2025-12816
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - webpack-dev-server-4.9.0.tgz
    - selfsigned-2.0.1.tgz
      - ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Publish Date: 2025-11-25
URL: CVE-2025-12816
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-5gfm-wpxj-wjgq
Release Date: 2025-11-25
Fix Resolution: node-forge - 1.3.2, https://github.com/digitalbazaar/forge.git - v1.3.2
CVE-2026-32141
Vulnerable Library - flatted-3.2.5.tgz
A super light and fast circular JSON parser.
Library home page: https://registry.npmjs.org/flatted/-/flatted-3.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/flatted/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - eslint-8.16.0.tgz
    - file-entry-cache-6.0.1.tgz
      - flat-cache-3.0.4.tgz
        - ❌ flatted-3.2.5.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.
Publish Date: 2026-03-12
URL: CVE-2026-32141
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-25h7-pfq9-p65f
Release Date: 2026-03-12
Fix Resolution: flatted - 3.4.0
CVE-2026-29074
Vulnerable Library - svgo-2.8.0.tgz
Nodejs-based tool for optimizing SVG vector graphics files
Library home page: https://registry.npmjs.org/svgo/-/svgo-2.8.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss-svgo/node_modules/svgo/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - css-minimizer-webpack-plugin-3.4.1.tgz
    - cssnano-5.1.10.tgz
      - cssnano-preset-default-5.2.10.tgz
        - postcss-svgo-5.1.0.tgz
          - ❌ svgo-2.8.0.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.
Publish Date: 2026-03-06
URL: CVE-2026-29074
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xpqw-6gx7-v673
Release Date: 2026-03-05
Fix Resolution: svgo - 2.8.1, svgo - 3.3.3, svgo - 4.0.1
CVE-2026-27904
Vulnerable Libraries - minimatch-3.0.4.tgz, minimatch-3.1.2.tgz, minimatch-5.1.0.tgz
minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/recursive-readdir/node_modules/minimatch/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - react-dev-utils-12.0.1.tgz
    - recursive-readdir-2.2.2.tgz
      - ❌ minimatch-3.0.4.tgz (Vulnerable Library)
minimatch-3.1.2.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - eslint-8.16.0.tgz
    - ❌ minimatch-3.1.2.tgz (Vulnerable Library)
minimatch-5.1.0.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-5.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/filelist/node_modules/minimatch/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - workbox-webpack-plugin-6.5.3.tgz
    - workbox-build-6.5.3.tgz
      - rollup-plugin-off-main-thread-2.2.3.tgz
        - ejs-3.1.8.tgz
          - jake-10.8.5.tgz
            - filelist-1.0.4.tgz
              - ❌ minimatch-5.1.0.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested "()" extglobs produce regexps with nested unbounded quantifiers (e.g. "(?:(?:a|b))"), which exhibit catastrophic backtracking in V8. With a 12-byte pattern "(((a|b)))" and an 18-byte non-matching input, "minimatch()" stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default "minimatch()" API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects "+()" extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Publish Date: 2026-02-26
URL: CVE-2026-27904
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-23c5-xmqv-rm74
Release Date: 2026-02-26
Fix Resolution: minimatch - 3.1.4, minimatch - 4.2.5, minimatch - 5.1.8, minimatch - 6.2.2, minimatch - 7.4.8, minimatch - 8.0.6, minimatch - 9.0.7, minimatch - 10.2.3
CVE-2026-27903
Vulnerable Libraries - minimatch-3.1.2.tgz, minimatch-5.1.0.tgz, minimatch-3.0.4.tgz
minimatch-3.1.2.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - eslint-8.16.0.tgz
    - ❌ minimatch-3.1.2.tgz (Vulnerable Library)
minimatch-5.1.0.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-5.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/filelist/node_modules/minimatch/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - workbox-webpack-plugin-6.5.3.tgz
    - workbox-build-6.5.3.tgz
      - rollup-plugin-off-main-thread-2.2.3.tgz
        - ejs-3.1.8.tgz
          - jake-10.8.5.tgz
            - filelist-1.0.4.tgz
              - ❌ minimatch-5.1.0.tgz (Vulnerable Library)
minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/recursive-readdir/node_modules/minimatch/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - react-dev-utils-12.0.1.tgz
    - recursive-readdir-2.2.2.tgz
      - ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, "matchOne()" performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent "**" (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where "n" is the number of path segments and "k" is the number of globstars. With k=11 and n=30, a call to the default "minimatch()" API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to "minimatch()" is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Publish Date: 2026-02-26
URL: CVE-2026-27903
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-7r86-cg39-jmmj
Release Date: 2026-02-26
Fix Resolution: https://github.com/isaacs/minimatch.git - v3.1.3, https://github.com/isaacs/minimatch.git - v4.2.5, https://github.com/isaacs/minimatch.git - v5.1.8, https://github.com/isaacs/minimatch.git - v6.2.2, https://github.com/isaacs/minimatch.git - v7.4.8, https://github.com/isaacs/minimatch.git - v8.0.6, https://github.com/isaacs/minimatch.git - v9.0.7, https://github.com/isaacs/minimatch.git - v10.2.3
CVE-2026-26996
Vulnerable Libraries - minimatch-3.1.2.tgz, minimatch-5.1.0.tgz, minimatch-3.0.4.tgz
minimatch-3.1.2.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - eslint-8.16.0.tgz
    - ❌ minimatch-3.1.2.tgz (Vulnerable Library)
minimatch-5.1.0.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-5.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/filelist/node_modules/minimatch/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - workbox-webpack-plugin-6.5.3.tgz
    - workbox-build-6.5.3.tgz
      - rollup-plugin-off-main-thread-2.2.3.tgz
        - ejs-3.1.8.tgz
          - jake-10.8.5.tgz
            - filelist-1.0.4.tgz
              - ❌ minimatch-5.1.0.tgz (Vulnerable Library)
minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/recursive-readdir/node_modules/minimatch/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - react-dev-utils-12.0.1.tgz
    - recursive-readdir-2.2.2.tgz
      - ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6 are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS.
This issue has been fixed in versions 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-20
URL: CVE-2026-26996
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: 2026-02-19
Fix Resolution: https://github.com/isaacs/minimatch.git - v10.2.1, https://github.com/isaacs/minimatch.git - v5.1.7, https://github.com/isaacs/minimatch.git - v8.0.5, https://github.com/isaacs/minimatch.git - v4.2.4, https://github.com/isaacs/minimatch.git - v9.0.6, https://github.com/isaacs/minimatch.git - v3.1.3, https://github.com/isaacs/minimatch.git - v6.2.1, https://github.com/isaacs/minimatch.git - v7.4.7
Step up your Open Source Security Game with Mend here
CVE-2025-66031
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - webpack-dev-server-4.9.0.tgz
    - selfsigned-2.0.1.tgz
      - ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.
Publish Date: 2025-11-26
URL: CVE-2025-66031
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-554w-wpv2-vw27
Release Date: 2025-11-26
Fix Resolution: node-forge - 1.3.2, https://github.com/digitalbazaar/forge.git - v1.3.2
CVE-2024-52798
Vulnerable Library - path-to-regexp-0.1.7.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/path-to-regexp/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - webpack-dev-server-4.9.0.tgz
    - express-4.18.1.tgz
      - ❌ path-to-regexp-0.1.7.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.
Publish Date: 2024-12-05
URL: CVE-2024-52798
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-rhx6-c78j-4q9w
Release Date: 2024-12-05
Fix Resolution: path-to-regexp - 0.1.12
CVE-2024-45590
Vulnerable Library - body-parser-1.20.0.tgz
Node.js body parsing middleware
Library home page: https://registry.npmjs.org/body-parser/-/body-parser-1.20.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/body-parser/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - webpack-dev-server-4.9.0.tgz
    - express-4.18.1.tgz
      - ❌ body-parser-1.20.0.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when URL encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
Publish Date: 2024-09-10
URL: CVE-2024-45590
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-qwcr-r2fm-qrc7
Release Date: 2024-09-10
Fix Resolution: body-parser - 1.20.3
CVE-2024-45296
Vulnerable Library - path-to-regexp-0.1.7.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/path-to-regexp/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
  - webpack-dev-server-4.9.0.tgz
    - express-4.18.1.tgz
      - ❌ path-to-regexp-0.1.7.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single-threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Publish Date: 2024-09-09
URL: CVE-2024-45296
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-9wv6-86v2-598j
Release Date: 2024-09-09
Fix Resolution: path-to-regexp - 0.1.10, 1.9.0, 3.3.0, 6.3.0, 8.0.0