Vulnerable Library - verdaccio-5.33.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (20 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2026-33937
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- ❌ handlebars-4.7.8.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, "Handlebars.compile()" accepts a pre-parsed AST object in addition to a template string. The "value" field of a "NumberLiteral" AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to "compile()" can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate input type before calling "Handlebars.compile()"; ensure the argument is always a "string", never a plain object or JSON-deserialized value. Use the Handlebars runtime-only build ("handlebars/runtime") on the server if templates are pre-compiled at build time; "compile()" will be unavailable.
Publish Date: 2026-03-27
URL: CVE-2026-33937
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
Step up your Open Source Security Game with Mend here
CVE-2026-33941
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- ❌ handlebars-4.7.8.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler ("bin/handlebars" / "lib/precompiler.js") concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser. Version 4.7.9 fixes the issue. Some workarounds are available. First, validate all CLI inputs before invoking the precompiler. Reject filenames and option values that contain characters with JavaScript string-escaping significance (""", "'", ";", etc.). Second, use a fixed, trusted namespace string passed via a configuration file rather than command-line arguments in automated pipelines. Third, run the precompiler in a sandboxed environment (container with no write access to sensitive paths) to limit the impact of successful exploitation. Fourth, audit template filenames in any repository or package that is consumed by an automated build pipeline.
Publish Date: 2026-03-27
URL: CVE-2026-33941
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
Step up your Open Source Security Game with Mend here
CVE-2026-4800
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- ❌ lodash-4.17.21.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Publish Date: 2026-03-31
URL: CVE-2026-4800
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-r5fr-rjxr-66jc
Release Date: 2026-03-31
Fix Resolution: lodash-amd - 4.18.0,lodash.template - 4.18.0,lodash-es - 4.18.0,lodash - 4.18.0
Step up your Open Source Security Game with Mend here
CVE-2026-33940
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- ❌ handlebars-4.7.8.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in "resolvePartial()" and cause "invokePartial()" to return "undefined". The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to "env.compile()". Because the object is a valid Handlebars AST containing injected code, the generated JavaScript executes arbitrary commands on the server. The attack requires the adversary to control a value that can be returned by a dynamic partial lookup. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build ("require('handlebars/runtime')"). Without "compile()", the fallback compilation path in "invokePartial" is unreachable. Second, sanitize context data before rendering: Ensure no value in the context is a non-primitive object that could be passed to a dynamic partial. Third, avoid dynamic partial lookups ("{{> (lookup ...)}}") when context data is user-controlled.
Publish Date: 2026-03-27
URL: CVE-2026-33940
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
Step up your Open Source Security Game with Mend here
CVE-2026-33938
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- ❌ handlebars-4.7.8.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the "@partial-block" special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites "@partial-block" with a crafted Handlebars AST, a subsequent invocation of "{{> @partial-block}}" compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build ("require('handlebars/runtime')"). The "compile()" method is absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as "handlebars-helpers") in contexts where templates or context data can be influenced by untrusted input.
Publish Date: 2026-03-27
URL: CVE-2026-33938
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
Step up your Open Source Security Game with Mend here
CVE-2026-4867
Vulnerable Library - path-to-regexp-0.1.10.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- express-4.21.1.tgz
- ❌ path-to-regexp-0.1.10.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Impact:
A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.
Patches:
Upgrade to path-to-regexp@0.1.13
Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.
Workarounds:
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).
If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
Publish Date: 2026-03-26
URL: CVE-2026-4867
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-37ch-88jc-xwx2
Release Date: 2026-03-26
Fix Resolution: path-to-regexp - 0.1.13
Step up your Open Source Security Game with Mend here
CVE-2026-33939
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- ❌ handlebars-4.7.8.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. "{{n}}"), the compiled template calls "lookupProperty(decorators, "n")", which returns "undefined". The runtime then immediately invokes the result as a function, causing an unhandled "TypeError: ... is not a function" that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a "try/catch" is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in "try/catch". Validate template input before passing it to "compile()"; reject templates containing decorator syntax ("{{...}}") if decorators are not used in your application. Use the pre-compilation workflow; compile templates at build time and serve only pre-compiled templates; do not call "compile()" at request time.
Publish Date: 2026-03-27
URL: CVE-2026-33939
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
Step up your Open Source Security Game with Mend here
CVE-2026-27904
Vulnerable Library - minimatch-7.4.6.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-7.4.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- config-8.0.0-next-8.1.tgz
- ❌ minimatch-7.4.6.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested "()" extglobs produce regexps with nested unbounded quantifiers (e.g. "(?:(?:a|b))"), which exhibit catastrophic backtracking in V8. With a 12-byte pattern "(((a|b)))" and an 18-byte non-matching input, "minimatch()" stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default "minimatch()" API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects "+()" extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Publish Date: 2026-02-26
URL: CVE-2026-27904
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-23c5-xmqv-rm74
Release Date: 2026-02-26
Fix Resolution: minimatch - 7.4.8,minimatch - 10.2.3,minimatch - 8.0.6,minimatch - 4.2.5,minimatch - 6.2.2,minimatch - 9.0.7,minimatch - 5.1.8,minimatch - 3.1.4
Step up your Open Source Security Game with Mend here
CVE-2026-27903
Vulnerable Library - minimatch-7.4.6.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-7.4.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- config-8.0.0-next-8.1.tgz
- ❌ minimatch-7.4.6.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, "matchOne()" performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent "**" (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where "n" is the number of path segments and "k" is the number of globstars. With k=11 and n=30, a call to the default "minimatch()" API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to "minimatch()" is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Publish Date: 2026-02-26
URL: CVE-2026-27903
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-7r86-cg39-jmmj
Release Date: 2026-02-26
Fix Resolution: https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v8.0.6,https://github.com/isaacs/minimatch.git - v10.2.3,https://github.com/isaacs/minimatch.git - v5.1.8,https://github.com/isaacs/minimatch.git - v7.4.8,https://github.com/isaacs/minimatch.git - v4.2.5,https://github.com/isaacs/minimatch.git - v9.0.7,https://github.com/isaacs/minimatch.git - v6.2.2
Step up your Open Source Security Game with Mend here
CVE-2026-26996
Vulnerable Library - minimatch-7.4.6.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-7.4.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- config-8.0.0-next-8.1.tgz
- ❌ minimatch-7.4.6.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6 are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS.
This issue has been fixed in versions 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-20
URL: CVE-2026-26996
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: 2026-02-19
Fix Resolution: https://github.com/isaacs/minimatch.git - v10.2.1,https://github.com/isaacs/minimatch.git - v5.1.7,https://github.com/isaacs/minimatch.git - v8.0.5,https://github.com/isaacs/minimatch.git - v4.2.4,https://github.com/isaacs/minimatch.git - v9.0.6,https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v6.2.1,https://github.com/isaacs/minimatch.git - v7.4.7
Step up your Open Source Security Game with Mend here
CVE-2025-65945
Vulnerable Library - jws-3.2.2.tgz
Implementation of JSON Web Signatures
Library home page: https://registry.npmjs.org/jws/-/jws-3.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- jsonwebtoken-9.0.2.tgz
- ❌ jws-3.2.2.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.
Publish Date: 2025-12-04
URL: CVE-2025-65945
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-869p-cjfg-cm3x
Release Date: 2025-12-04
Fix Resolution (jws): 3.2.3
Direct dependency fix Resolution (verdaccio): 6.0.0
Step up your Open Source Security Game with Mend here
CVE-2025-12758
Vulnerable Library - validator-13.12.0.tgz
Library home page: https://registry.npmjs.org/validator/-/validator-13.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- ❌ validator-13.12.0.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.
Publish Date: 2025-11-27
URL: CVE-2025-12758
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-11-27
Fix Resolution (validator): 13.15.22
Direct dependency fix Resolution (verdaccio): 6.2.2
Step up your Open Source Security Game with Mend here
CVE-2024-52798
Vulnerable Library - path-to-regexp-0.1.10.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- express-4.21.1.tgz
- ❌ path-to-regexp-0.1.10.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.
Publish Date: 2024-12-05
URL: CVE-2024-52798
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-rhx6-c78j-4q9w
Release Date: 2024-12-05
Fix Resolution (path-to-regexp): 0.1.12
Direct dependency fix Resolution (verdaccio): 6.0.0
Step up your Open Source Security Game with Mend here
CVE-2025-13465
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- ❌ lodash-4.17.21.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched on 4.17.23
Publish Date: 2026-01-21
URL: CVE-2025-13465
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-01-21
Fix Resolution: lodash-amd - 4.17.23,lodash - 4.17.23,lodash-es - 4.17.23
Step up your Open Source Security Game with Mend here
CVE-2026-2950
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- ❌ lodash-4.17.21.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.
Publish Date: 2026-03-31
URL: CVE-2026-2950
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-03-31
Fix Resolution: lodash-es - 4.17.23,lodash-amd - 4.17.23,lodash - 4.17.23
Step up your Open Source Security Game with Mend here
CVE-2025-56200
Vulnerable Library - validator-13.12.0.tgz
Library home page: https://registry.npmjs.org/validator/-/validator-13.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- ❌ validator-13.12.0.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.
Publish Date: 2025-09-30
URL: CVE-2025-56200
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9965-vmph-33xx
Release Date: 2025-09-30
Fix Resolution: validator - 13.15.20
Step up your Open Source Security Game with Mend here
CVE-2025-64718
Vulnerable Library - js-yaml-4.1.0.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- ❌ js-yaml-4.1.0.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution ("proto"). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using "node --disable-proto=delete" or "deno" (in Deno, pollution protection is on by default).
Publish Date: 2025-11-13
URL: CVE-2025-64718
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-mh29-5h37-fv8m
Release Date: 2025-11-13
Fix Resolution: js-yaml - 4.1.1,js-yaml - 3.14.2
Step up your Open Source Security Game with Mend here
CVE-2024-47764
Vulnerable Library - cookie-0.6.0.tgz
Library home page: https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- middleware-8.0.0-next-8.1.tgz
- express-4.21.0.tgz
- ❌ cookie-0.6.0.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Publish Date: 2024-10-04
URL: CVE-2024-47764
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-pxg6-pf52-xh8x
Release Date: 2024-10-04
Fix Resolution (cookie): 0.7.0
Direct dependency fix Resolution (verdaccio): 6.0.2
Step up your Open Source Security Game with Mend here
CVE-2026-33916
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- ❌ handlebars-4.7.8.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, "resolvePartial()" in the Handlebars runtime resolves partial names via a plain property lookup on "options.partials" without guarding against prototype-chain traversal. When "Object.prototype" has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. Version 4.7.9 fixes the issue. Some workarounds are available. Apply "Object.freeze(Object.prototype)" early in application startup to prevent prototype pollution. Note: this may break other libraries, and/or use the Handlebars runtime-only build ("handlebars/runtime"), which does not compile templates and reduces the attack surface.
Publish Date: 2026-03-27
URL: CVE-2026-33916
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
Step up your Open Source Security Game with Mend here
CVE-2026-2391
Vulnerable Library - qs-6.13.0.tgz
Library home page: https://registry.npmjs.org/qs/-/qs-6.13.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- verdaccio-5.33.0.tgz (Root Library)
- express-4.21.1.tgz
- ❌ qs-6.13.0.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Summary
The "arrayLimit" option in qs does not enforce limits for comma-separated values when "comma: true" is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284).
Details
When the "comma" option is set to "true" (not the default, but configurable in applications), qs allows parsing comma-separated strings as arrays (e.g., "?param=a,b,c" becomes "['a', 'b', 'c']"). However, the limit check for "arrayLimit" (default: 20) and the optional throwOnLimitExceeded occur after the comma-handling logic in "parseArrayValue", enabling a bypass. This permits creation of arbitrarily large arrays from a single parameter, leading to excessive memory allocation.
Vulnerable code (lib/parse.js: lines ~40-50):
if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
return val.split(',');
}
if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
}
return val;
The "split(',')" returns the array immediately, skipping the subsequent limit check. Downstream merging via "utils.combine" does not prevent allocation, even if it marks overflows for sparse arrays.This discrepancy allows attackers to send a single parameter with millions of commas (e.g., "?param=,,,,,,,,..."), allocating massive arrays in memory without triggering limits. It bypasses the intent of "arrayLimit", which is enforced correctly for indexed ("a[0]=") and bracket ("a[]=") notations (the latter fixed in v6.14.1 per GHSA-6rw7-vpxm-498p).
PoC
Test 1 - Basic bypass:
npm install qs
const qs = require('qs');
const payload = 'a=' + ','.repeat(25); // 26 elements after split (bypasses arrayLimit: 5)
const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };
try {
const result = qs.parse(payload, options);
console.log(result.a.length); // Outputs: 26 (bypass successful)
} catch (e) {
console.log('Limit enforced:', e.message); // Not thrown
}
Configuration:
- "comma: true"
- "arrayLimit: 5"
- "throwOnLimitExceeded: true"
Expected: Throws "Array limit exceeded" error.
Actual: Parses successfully, creating an array of length 26.
Impact
Denial of Service (DoS) via memory exhaustion.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-12
URL: CVE-2026-2391
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-w7fw-mjwx-w883
Release Date: 2026-02-12
Fix Resolution (qs): 6.14.2
Direct dependency fix Resolution (verdaccio): 6.2.7
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, "Handlebars.compile()" accepts a pre-parsed AST object in addition to a template string. The "value" field of a "NumberLiteral" AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to "compile()" can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate input type before calling "Handlebars.compile()"; ensure the argument is always a "string", never a plain object or JSON-deserialized value. Use the Handlebars runtime-only build ("handlebars/runtime") on the server if templates are pre-compiled at build time; "compile()" will be unavailable.
Publish Date: 2026-03-27
URL: CVE-2026-33937
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
Step up your Open Source Security Game with Mend here
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler ("bin/handlebars" / "lib/precompiler.js") concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser. Version 4.7.9 fixes the issue. Some workarounds are available. First, validate all CLI inputs before invoking the precompiler. Reject filenames and option values that contain characters with JavaScript string-escaping significance (""", "'", ";", etc.). Second, use a fixed, trusted namespace string passed via a configuration file rather than command-line arguments in automated pipelines. Third, run the precompiler in a sandboxed environment (container with no write access to sensitive paths) to limit the impact of successful exploitation. Fourth, audit template filenames in any repository or package that is consumed by an automated build pipeline.
Publish Date: 2026-03-27
URL: CVE-2026-33941
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Publish Date: 2026-03-31
URL: CVE-2026-4800
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-r5fr-rjxr-66jc
Release Date: 2026-03-31
Fix Resolution: lodash-amd - 4.18.0,lodash.template - 4.18.0,lodash-es - 4.18.0,lodash - 4.18.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in "resolvePartial()" and cause "invokePartial()" to return "undefined". The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to "env.compile()". Because the object is a valid Handlebars AST containing injected code, the generated JavaScript executes arbitrary commands on the server. The attack requires the adversary to control a value that can be returned by a dynamic partial lookup. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build ("require('handlebars/runtime')"). Without "compile()", the fallback compilation path in "invokePartial" is unreachable. Second, sanitize context data before rendering: Ensure no value in the context is a non-primitive object that could be passed to a dynamic partial. Third, avoid dynamic partial lookups ("{{> (lookup ...)}}") when context data is user-controlled.
Publish Date: 2026-03-27
URL: CVE-2026-33940
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
Step up your Open Source Security Game with Mend here
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the "@partial-block" special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites "@partial-block" with a crafted Handlebars AST, a subsequent invocation of "{{> @partial-block}}" compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build ("require('handlebars/runtime')"). The "compile()" method is absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as "handlebars-helpers") in contexts where templates or context data can be influenced by untrusted input.
Publish Date: 2026-03-27
URL: CVE-2026-33938
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
Step up your Open Source Security Game with Mend here
Vulnerable Library - path-to-regexp-0.1.10.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Impact:
A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.
Patches:
Upgrade to path-to-regexp@0.1.13
Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.
Workarounds:
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).
If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
Publish Date: 2026-03-26
URL: CVE-2026-4867
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-37ch-88jc-xwx2
Release Date: 2026-03-26
Fix Resolution: path-to-regexp - 0.1.13
Step up your Open Source Security Game with Mend here
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. "{{n}}"), the compiled template calls "lookupProperty(decorators, "n")", which returns "undefined". The runtime then immediately invokes the result as a function, causing an unhandled "TypeError: ... is not a function" that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a "try/catch" is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in "try/catch". Validate template input before passing it to "compile()"; reject templates containing decorator syntax ("{{...}}") if decorators are not used in your application. Use the pre-compilation workflow; compile templates at build time and serve only pre-compiled templates; do not call "compile()" at request time.
Publish Date: 2026-03-27
URL: CVE-2026-33939
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
Step up your Open Source Security Game with Mend here
Vulnerable Library - minimatch-7.4.6.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-7.4.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested "()" extglobs produce regexps with nested unbounded quantifiers (e.g. "(?:(?:a|b))"), which exhibit catastrophic backtracking in V8. With a 12-byte pattern "(((a|b)))" and an 18-byte non-matching input, "minimatch()" stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default "minimatch()" API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects "+()" extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Publish Date: 2026-02-26
URL: CVE-2026-27904
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-23c5-xmqv-rm74
Release Date: 2026-02-26
Fix Resolution: minimatch - 7.4.8,minimatch - 10.2.3,minimatch - 8.0.6,minimatch - 4.2.5,minimatch - 6.2.2,minimatch - 9.0.7,minimatch - 5.1.8,minimatch - 3.1.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - minimatch-7.4.6.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-7.4.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, "matchOne()" performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent "**" (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where "n" is the number of path segments and "k" is the number of globstars. With k=11 and n=30, a call to the default "minimatch()" API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to "minimatch()" is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Publish Date: 2026-02-26
URL: CVE-2026-27903
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-7r86-cg39-jmmj
Release Date: 2026-02-26
Fix Resolution: https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v8.0.6,https://github.com/isaacs/minimatch.git - v10.2.3,https://github.com/isaacs/minimatch.git - v5.1.8,https://github.com/isaacs/minimatch.git - v7.4.8,https://github.com/isaacs/minimatch.git - v4.2.5,https://github.com/isaacs/minimatch.git - v9.0.7,https://github.com/isaacs/minimatch.git - v6.2.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - minimatch-7.4.6.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-7.4.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6 are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS.
This issue has been fixed in versions 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-20
URL: CVE-2026-26996
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: 2026-02-19
Fix Resolution: https://github.com/isaacs/minimatch.git - v10.2.1,https://github.com/isaacs/minimatch.git - v5.1.7,https://github.com/isaacs/minimatch.git - v8.0.5,https://github.com/isaacs/minimatch.git - v4.2.4,https://github.com/isaacs/minimatch.git - v9.0.6,https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v6.2.1,https://github.com/isaacs/minimatch.git - v7.4.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - jws-3.2.2.tgz
Implementation of JSON Web Signatures
Library home page: https://registry.npmjs.org/jws/-/jws-3.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.
Publish Date: 2025-12-04
URL: CVE-2025-65945
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-869p-cjfg-cm3x
Release Date: 2025-12-04
Fix Resolution (jws): 3.2.3
Direct dependency fix Resolution (verdaccio): 6.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - validator-13.12.0.tgz
Library home page: https://registry.npmjs.org/validator/-/validator-13.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.
Publish Date: 2025-11-27
URL: CVE-2025-12758
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-11-27
Fix Resolution (validator): 13.15.22
Direct dependency fix Resolution (verdaccio): 6.2.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - path-to-regexp-0.1.10.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.
Publish Date: 2024-12-05
URL: CVE-2024-52798
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-rhx6-c78j-4q9w
Release Date: 2024-12-05
Fix Resolution (path-to-regexp): 0.1.12
Direct dependency fix Resolution (verdaccio): 6.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched on 4.17.23
Publish Date: 2026-01-21
URL: CVE-2025-13465
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-01-21
Fix Resolution: lodash-amd - 4.17.23,lodash - 4.17.23,lodash-es - 4.17.23
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.
Publish Date: 2026-03-31
URL: CVE-2026-2950
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-03-31
Fix Resolution: lodash-es - 4.17.23,lodash-amd - 4.17.23,lodash - 4.17.23
Step up your Open Source Security Game with Mend here
Vulnerable Library - validator-13.12.0.tgz
Library home page: https://registry.npmjs.org/validator/-/validator-13.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.
Publish Date: 2025-09-30
URL: CVE-2025-56200
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-9965-vmph-33xx
Release Date: 2025-09-30
Fix Resolution: validator - 13.15.20
Step up your Open Source Security Game with Mend here
Vulnerable Library - js-yaml-4.1.0.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution ("proto"). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using "node --disable-proto=delete" or "deno" (in Deno, pollution protection is on by default).
Publish Date: 2025-11-13
URL: CVE-2025-64718
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-mh29-5h37-fv8m
Release Date: 2025-11-13
Fix Resolution: js-yaml - 4.1.1,js-yaml - 3.14.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - cookie-0.6.0.tgz
Library home page: https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Publish Date: 2024-10-04
URL: CVE-2024-47764
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-pxg6-pf52-xh8x
Release Date: 2024-10-04
Fix Resolution (cookie): 0.7.0
Direct dependency fix Resolution (verdaccio): 6.0.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, "resolvePartial()" in the Handlebars runtime resolves partial names via a plain property lookup on "options.partials" without guarding against prototype-chain traversal. When "Object.prototype" has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. Version 4.7.9 fixes the issue. Some workarounds are available. Apply "Object.freeze(Object.prototype)" early in application startup to prevent prototype pollution. Note: this may break other libraries, and/or use the Handlebars runtime-only build ("handlebars/runtime"), which does not compile templates and reduces the attack surface.
Publish Date: 2026-03-27
URL: CVE-2026-33916
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
Step up your Open Source Security Game with Mend here
Vulnerable Library - qs-6.13.0.tgz
Library home page: https://registry.npmjs.org/qs/-/qs-6.13.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Summary
The "arrayLimit" option in qs does not enforce limits for comma-separated values when "comma: true" is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284).
Details
When the "comma" option is set to "true" (not the default, but configurable in applications), qs allows parsing comma-separated strings as arrays (e.g., "?param=a,b,c" becomes "['a', 'b', 'c']"). However, the limit check for "arrayLimit" (default: 20) and the optional throwOnLimitExceeded occur after the comma-handling logic in "parseArrayValue", enabling a bypass. This permits creation of arbitrarily large arrays from a single parameter, leading to excessive memory allocation.
Vulnerable code (lib/parse.js: lines ~40-50):
if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
return val.split(',');
}
if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
}
return val;
The "split(',')" returns the array immediately, skipping the subsequent limit check. Downstream merging via "utils.combine" does not prevent allocation, even if it marks overflows for sparse arrays.This discrepancy allows attackers to send a single parameter with millions of commas (e.g., "?param=,,,,,,,,..."), allocating massive arrays in memory without triggering limits. It bypasses the intent of "arrayLimit", which is enforced correctly for indexed ("a[0]=") and bracket ("a[]=") notations (the latter fixed in v6.14.1 per GHSA-6rw7-vpxm-498p).
PoC
Test 1 - Basic bypass:
npm install qs
const qs = require('qs');
const payload = 'a=' + ','.repeat(25); // 26 elements after split (bypasses arrayLimit: 5)
const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };
try {
const result = qs.parse(payload, options);
console.log(result.a.length); // Outputs: 26 (bypass successful)
} catch (e) {
console.log('Limit enforced:', e.message); // Not thrown
}
Configuration:
Expected: Throws "Array limit exceeded" error.
Actual: Parses successfully, creating an array of length 26.
Impact
Denial of Service (DoS) via memory exhaustion.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-12
URL: CVE-2026-2391
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-w7fw-mjwx-w883
Release Date: 2026-02-12
Fix Resolution (qs): 6.14.2
Direct dependency fix Resolution (verdaccio): 6.2.7
Step up your Open Source Security Game with Mend here