From 4447d8ae62dd5577a0b67ad3397b4c4419fc5784 Mon Sep 17 00:00:00 2001 From: Andy Wilkins Date: Thu, 4 Jul 2024 13:38:01 +0100 Subject: [PATCH 1/2] upgrade most dependencies with high sev vuln --- package.json | 14 +++-- yarn-audit-known-issues | 2 +- yarn.lock | 129 ++++++---------------------------------- 3 files changed, 28 insertions(+), 117 deletions(-) diff --git a/package.json b/package.json index a1edf7915c..d6490cac01 100644 --- a/package.json +++ b/package.json @@ -109,12 +109,10 @@ "@ngrx/store-devtools": "^17.2.0", "@nicky-lenaers/ngx-scroll-to": "^14.0.0", "accessibility-checker": "^3.1.70", - "allure-js-commons": "^2.11.1", "applicationinsights": "1.7.2", "axios": "^1.6.8", "axios-mock-adapter": "^1.22.0", "class-transformer": "^0.3.2", - "codeceptjs": "3.5.6", "compression": "^1.7.4", "config": "^3.2.5", "cookie-parser": "^1.4.4", @@ -145,8 +143,6 @@ "lz-string": "^1.5.0", "marked": "^12.0.2", "material-design-icons": "^3.0.1", - "mochawesome": "^6.2.1", - "mochawesome-report-generator": "^5.1.0", "moment-timezone": "^0.5.28", "ngx-chips": "3.0.0", "ngx-logger": "^5.0.12", @@ -157,7 +153,6 @@ "pegjs": "^0.10.0", "portfinder": "^1.0.28", "protractor-screenshot-utils": "^1.0.5", - "puppeteer": "^22.4.1", "rpx-xui-translation": "1.0.4", "rx-polling-hmcts": "1.1.1", "rxjs": "^7.8.1", @@ -210,9 +205,11 @@ "@types/sinon": "^7.0.13", "@typescript-eslint/eslint-plugin": "^7.2.0", "@typescript-eslint/parser": "^7.2.0", + "allure-js-commons": "^2.11.1", "base-64": "^0.1.0", "chai": "^4.3.10", "chai-as-promised": "7.1.1", + "codeceptjs": "3.5.6", "codeceptjs-cucumber-json-reporter": "^1.0.14", "codelyzer": "^5.1.2", "cucumber": "5.1.0", @@ -236,7 +233,9 @@ "karma-sonarqube-unit-reporter": "^0.0.23", "karma-spec-reporter": "0.0.34", "mocha": "^8.1.1", + "mochawesome": "^6.2.1", "mochawesome-merge": "^4.3.0", + "mochawesome-report-generator": "^5.1.0", "ngrx-store-freeze": "^0.2.4", "node-fetch": "^2.6.1", "node-html-parser": "^6.1.5", @@ -247,6 +246,7 @@ "protractor": "~7.0.0", "protractor-cucumber-framework": "^9.7.0", "protractor-multiple-cucumber-html-reporter-plugin": "1.8.0", + "puppeteer": "^22.4.1", "sass": "^1.66.1", "sinon": "^7.3.2", "sinon-chai": "^3.3.0", @@ -271,7 +271,9 @@ "loader-utils": "~2.0.3", "minimist": "^1.2.8", "typed-rest-client": "^1.8.0", - "lodash": "^4.17.21" + "lodash": "^4.17.21", + "braces": "^3.0.3", + "ws": "^8.18.0" }, "packageManager": "yarn@3.6.3" } diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues index e05665b687..3bcae3fa41 100644 --- a/yarn-audit-known-issues +++ b/yarn-audit-known-issues @@ -1 +1 @@ -{"actions":[],"advisories":{"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-09-11T16:22:18.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1093639,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094544":{"findings":[{"version":"8.4.29","paths":["@angular/ssr>critters>postcss"]}],"metadata":null,"vulnerable_versions":"<8.4.31","module_name":"postcss","severity":"moderate","github_advisory_id":"GHSA-7fh5-64p2-3v2j","cves":["CVE-2023-44270"],"access":"public","patched_versions":">=8.4.31","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-11-05T05:05:37.000Z","recommendation":"Upgrade to version 8.4.31 or later","cwe":["CWE-74","CWE-144"],"found_by":null,"deleted":null,"id":1094544,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-44270\n- https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5\n- https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25\n- https://github.com/postcss/postcss/releases/tag/8.4.31\n- https://github.com/github/advisory-database/issues/2820\n- https://github.com/advisories/GHSA-7fh5-64p2-3v2j","created":"2023-09-30T00:31:10.000Z","reported_by":null,"title":"PostCSS line return parsing error","npm_advisory_id":null,"overview":"An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\\r` discrepancies, as demonstrated by `@font-face{ font:(\\r/*);}` in a rule.\n\nThis vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.","url":"https://github.com/advisories/GHSA-7fh5-64p2-3v2j"},"1094574":{"findings":[{"version":"2.0.0","paths":["codeceptjs>chai>get-func-name","codeceptjs>chai>check-error>get-func-name","codeceptjs>chai-deep-match>chai>check-error>get-func-name"]}],"metadata":null,"vulnerable_versions":"<2.0.1","module_name":"get-func-name","severity":"high","github_advisory_id":"GHSA-4q6p-r6v2-jvc5","cves":["CVE-2023-43646"],"access":"public","patched_versions":">=2.0.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-11-06T05:02:00.000Z","recommendation":"Upgrade to version 2.0.1 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1094574,"references":"- https://github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5\n- https://nvd.nist.gov/vuln/detail/CVE-2023-43646\n- https://github.com/chaijs/get-func-name/commit/f934b228b5e2cb94d6c8576d3aac05493f667c69\n- https://github.com/chaijs/get-func-name/blob/78ad756441a83f3dc203e50f76c113ae3ac017dc/index.js#L15\n- https://github.com/advisories/GHSA-4q6p-r6v2-jvc5","created":"2023-09-27T20:16:00.000Z","reported_by":null,"title":"Chaijs/get-func-name vulnerable to ReDoS","npm_advisory_id":null,"overview":"The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks. The regex implementation in question is as follows:\n\n```js\nconst functionNameMatch = /\\s*function(?:\\s|\\s*\\/\\*[^(?:*/)]+\\*\\/\\s*)*([^\\s(/]+)/;\n```\n\nThis vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input:\n\n```js\n'\\t'.repeat(54773) + '\\t/function/i'\n```\n\nHere is a simple PoC code to demonstrate the issue:\n\n```js\nconst protocolre = /\\sfunction(?:\\s|\\s/*[^(?:*\\/)]+*/\\s*)*([^\\(\\/]+)/;\n\nconst startTime = Date.now();\nconst maliciousInput = '\\t'.repeat(54773) + '\\t/function/i'\n\nprotocolre.test(maliciousInput);\n\nconst endTime = Date.now();\n\nconsole.log(\"process time: \", endTime - startTime, \"ms\");\n```","url":"https://github.com/advisories/GHSA-4q6p-r6v2-jvc5"},"1094902":{"findings":[{"version":"116.0.0","paths":["accessibility-checker>chromedriver"]}],"metadata":null,"vulnerable_versions":"<119.0.1","module_name":"chromedriver","severity":"moderate","github_advisory_id":"GHSA-hm92-vgmw-qfmx","cves":["CVE-2023-26156"],"access":"public","patched_versions":">=119.0.1","cvss":{"score":5.6,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-11-17T22:12:01.000Z","recommendation":"Upgrade to version 119.0.1 or later","cwe":["CWE-78"],"found_by":null,"deleted":null,"id":1094902,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26156\n- https://github.com/giggio/node-chromedriver/commit/de961e34e023afcf4fa5c0faeeec69aaa6c3c815\n- https://gist.github.com/mcoimbra/47b1da554a80795c45126d51e41b2b18\n- https://security.snyk.io/vuln/SNYK-JS-CHROMEDRIVER-6049539\n- https://github.com/advisories/GHSA-hm92-vgmw-qfmx","created":"2023-11-09T06:30:28.000Z","reported_by":null,"title":"chromedriver Command Injection vulnerability","npm_advisory_id":null,"overview":"Versions of the package chromedriver before 119.0.1 are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially malicious actions on the host system.\n\n**Note:**\n\nAn attacker must have access to the system running the vulnerable chromedriver library to exploit it. The success of exploitation also depends on the permissions and privileges of the process running chromedriver. ","url":"https://github.com/advisories/GHSA-hm92-vgmw-qfmx"},"1095093":{"findings":[{"version":"10.11.0","paths":["mochawesome-report-generator>validator","mochawesome>mochawesome-report-generator>validator"]}],"metadata":null,"vulnerable_versions":"<13.7.0","module_name":"validator","severity":"moderate","github_advisory_id":"GHSA-qgmg-gppg-76g5","cves":["CVE-2021-3765"],"access":"public","patched_versions":">=13.7.0","cvss":{"score":5.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-11-29T22:41:26.000Z","recommendation":"Upgrade to version 13.7.0 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1095093,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3765\n- https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1\n- https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9\n- https://github.com/advisories/GHSA-qgmg-gppg-76g5","created":"2021-11-03T17:34:45.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in validator.js","npm_advisory_id":null,"overview":"validator.js prior to 13.7.0 is vulnerable to Inefficient Regular Expression Complexity","url":"https://github.com/advisories/GHSA-qgmg-gppg-76g5"},"1095100":{"findings":[{"version":"1.0.0","paths":["allure-js-commons>file-type>meow>trim-newlines"]}],"metadata":null,"vulnerable_versions":"<3.0.1","module_name":"trim-newlines","severity":"high","github_advisory_id":"GHSA-7p7h-4mm5-852v","cves":["CVE-2021-33623"],"access":"public","patched_versions":">=3.0.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-11-29T22:33:19.000Z","recommendation":"Upgrade to version 3.0.1 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1095100,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-33623\n- https://github.com/sindresorhus/trim-newlines/commit/25246c6ce5eea1c82d448998733a6302a4350d91\n- https://github.com/sindresorhus/trim-newlines/releases/tag/v4.0.1\n- https://www.npmjs.com/package/trim-newlines\n- https://security.netapp.com/advisory/ntap-20210702-0007/\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00033.html\n- https://github.com/sindresorhus/trim-newlines/commit/b10d5f4afef832b16bc56d49fc52c68cbd403869\n- https://github.com/advisories/GHSA-7p7h-4mm5-852v","created":"2021-06-07T22:10:39.000Z","reported_by":null,"title":"Uncontrolled Resource Consumption in trim-newlines","npm_advisory_id":null,"overview":"@rkesters/gnuplot is an easy to use node module to draw charts using gnuplot and ps2pdf. The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the `.end()` method.","url":"https://github.com/advisories/GHSA-7p7h-4mm5-852v"},"1096353":{"findings":[{"version":"1.15.3","paths":["axios>follow-redirects","@hmcts/rpx-xui-node-lib>axios>follow-redirects","accessibility-checker>chromedriver>axios>follow-redirects"]}],"metadata":null,"vulnerable_versions":"<1.15.4","module_name":"follow-redirects","severity":"moderate","github_advisory_id":"GHSA-jchw-25xp-jwwc","cves":["CVE-2023-26159"],"access":"public","patched_versions":">=1.15.4","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2024-01-31T05:07:10.000Z","recommendation":"Upgrade to version 1.15.4 or later","cwe":["CWE-20","CWE-601"],"found_by":null,"deleted":null,"id":1096353,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26159\n- https://github.com/follow-redirects/follow-redirects/issues/235\n- https://github.com/follow-redirects/follow-redirects/pull/236\n- https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137\n- https://github.com/follow-redirects/follow-redirects/commit/7a6567e16dfa9ad18a70bfe91784c28653fbf19d\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/\n- https://github.com/advisories/GHSA-jchw-25xp-jwwc","created":"2024-01-02T06:30:30.000Z","reported_by":null,"title":"Follow Redirects improperly handles URLs in the url.parse() function","npm_advisory_id":null,"overview":"Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.","url":"https://github.com/advisories/GHSA-jchw-25xp-jwwc"},"1096693":{"findings":[{"version":"0.4.23","paths":["protractor-screenshot-utils>protractor>selenium-webdriver>xml2js","protractor-screenshot-utils>protractor>webdriver-js-extender>selenium-webdriver>xml2js"]}],"metadata":null,"vulnerable_versions":"<0.5.0","module_name":"xml2js","severity":"moderate","github_advisory_id":"GHSA-776f-qx25-q3cc","cves":["CVE-2023-0842"],"access":"public","patched_versions":">=0.5.0","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2024-03-14T21:47:27.000Z","recommendation":"Upgrade to version 0.5.0 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1096693,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-0842\n- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663\n- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5\n- https://fluidattacks.com/advisories/myers\n- https://github.com/Leonidas-from-XIV/node-xml2js\n- https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html\n- https://github.com/advisories/GHSA-776f-qx25-q3cc","created":"2023-04-05T21:30:24.000Z","reported_by":null,"title":"xml2js is vulnerable to prototype pollution","npm_advisory_id":null,"overview":"xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.","url":"https://github.com/advisories/GHSA-776f-qx25-q3cc"},"1096727":{"findings":[{"version":"2.88.2","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2024-03-21T17:47:21.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1096727,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://security.netapp.com/advisory/ntap-20230413-0007\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1096820":{"findings":[{"version":"4.18.2","paths":["@hmcts/rpx-xui-node-lib>express"]}],"metadata":null,"vulnerable_versions":"<4.19.2","module_name":"express","severity":"moderate","github_advisory_id":"GHSA-rv95-896h-c2vc","cves":["CVE-2024-29041"],"access":"public","patched_versions":">=4.19.2","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2024-03-27T21:47:29.000Z","recommendation":"Upgrade to version 4.19.2 or later","cwe":["CWE-601","CWE-1286"],"found_by":null,"deleted":null,"id":1096820,"references":"- https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc\n- https://github.com/koajs/koa/issues/1800\n- https://github.com/expressjs/express/pull/5539\n- https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd\n- https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94\n- https://expressjs.com/en/4x/api.html#res.location\n- https://nvd.nist.gov/vuln/detail/CVE-2024-29041\n- https://github.com/advisories/GHSA-rv95-896h-c2vc","created":"2024-03-25T19:40:26.000Z","reported_by":null,"title":"Express.js Open Redirect in malformed URLs","npm_advisory_id":null,"overview":"### Impact\n\nVersions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.\n\nWhen a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.\n\nThe main method impacted is `res.location()` but this is also called from within `res.redirect()`.\n\n### Patches\n\nhttps://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd\nhttps://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94\n\nAn initial fix went out with `express@4.19.0`, we then patched a feature regression in `4.19.1` and added improved handling for the bypass in `4.19.2`.\n\n### Workarounds\n\nThe fix for this involves pre-parsing the url string with either `require('node:url').parse` or `new URL`. These are steps you can take on your own before passing the user input string to `res.location` or `res.redirect`.\n\n### References\n\nhttps://github.com/expressjs/express/pull/5539\nhttps://github.com/koajs/koa/issues/1800\nhttps://expressjs.com/en/4x/api.html#res.location","url":"https://github.com/advisories/GHSA-rv95-896h-c2vc"},"1096832":{"findings":[{"version":"1.28.2","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":"<2.0.7","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-hhhv-q57g-882q","cves":["CVE-2024-28176"],"access":"public","patched_versions":">=2.0.7","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-03-30T06:30:42.000Z","recommendation":"Upgrade to version 2.0.7 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1096832,"references":"- https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q\n- https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314\n- https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28176\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG\n- https://github.com/advisories/GHSA-hhhv-q57g-882q","created":"2024-03-07T17:40:57.000Z","reported_by":null,"title":"jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext","npm_advisory_id":null,"overview":"A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the [support for decompressing plaintext after its decryption](https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.3). This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective.\n\nNote that as per [RFC 8725](https://www.rfc-editor.org/rfc/rfc8725.html#name-avoid-compression-of-encryp) compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. For this reason the v5.x major version of `jose` removed support for compressed payloads entirely and is therefore NOT affected by this advisory.\n\n### Impact\n\nUnder certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations.\n\n### Affected users\n\nThe impact is limited only to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.\n\nYou are NOT affected if any of the following applies to you\n\n- Your code uses jose version v5.x where JWE Compression is not supported anymore\n- Your code runs in an environment other than Node.js (e.g. Deno, CF Workers), which is the only runtime where JWE Compression is implemented out of the box\n- Your code does not use the JWE decryption APIs\n- Your code only accepts JWEs produced by trusted sources\n\n### Patches\n\n`v2.0.7` and `v4.15.5` releases limit the decompression routine to only allow decompressing up to 250 kB of plaintext. In v4.x it is possible to further adjust this limit via the `inflateRaw` decryption option implementation. In v2.x it is possible to further adjust this limit via the `inflateRawSyncLimit` decryption option.\n\n### Workarounds\n\nIf you cannot upgrade and do not want to support compressed JWEs you may detect and reject these tokens early by checking the token's protected header\n\n```js\nconst { zip } = jose.decodeProtectedHeader(token)\nif (zip !== undefined) {\n throw new Error('JWE Compression is not supported')\n}\n```\n\nIf you wish to continue supporting JWEs with compressed payloads in these legacy release lines you must upgrade (v1.x and v2.x to version v2.0.7, v3.x and v4.x to version v4.15.5) and review the limits put forth by the patched releases.\n\n### For more information\nIf you have any questions or comments about this advisory please open a discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-hhhv-q57g-882q%20advisory%20question)","url":"https://github.com/advisories/GHSA-hhhv-q57g-882q"},"1096856":{"findings":[{"version":"1.15.3","paths":["axios>follow-redirects","@hmcts/rpx-xui-node-lib>axios>follow-redirects","accessibility-checker>chromedriver>axios>follow-redirects"]}],"metadata":null,"vulnerable_versions":"<=1.15.5","module_name":"follow-redirects","severity":"moderate","github_advisory_id":"GHSA-cxjh-pqwp-8mfp","cves":["CVE-2024-28849"],"access":"public","patched_versions":">=1.15.6","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},"updated":"2024-04-02T17:54:22.000Z","recommendation":"Upgrade to version 1.15.6 or later","cwe":["CWE-200"],"found_by":null,"deleted":null,"id":1096856,"references":"- https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp\n- https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b\n- https://fetch.spec.whatwg.org/#authentication-entries\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28849\n- https://github.com/psf/requests/issues/1885\n- https://hackerone.com/reports/2390009\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z\n- https://github.com/advisories/GHSA-cxjh-pqwp-8mfp","created":"2024-03-14T17:19:42.000Z","reported_by":null,"title":"follow-redirects' Proxy-Authorization header kept across hosts","npm_advisory_id":null,"overview":"When using [axios](https://github.com/axios/axios), its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.\n\n## Steps To Reproduce & PoC\n\nTest code:\n\n```js\nconst axios = require('axios');\n\naxios.get('http://127.0.0.1:10081/', {\n headers: {\n 'AuThorization': 'Rear Test',\n 'ProXy-AuthoriZation': 'Rear Test',\n 'coOkie': 't=1'\n }\n})\n .then((response) => {\n console.log(response);\n })\n```\n\nWhen I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.\n\n## Impact\n\nThis vulnerability may lead to credentials leak.\n\n## Recommendations\n\nRemove proxy-authentication header during cross-domain redirect\n\n### Recommended Patch\n\n[follow-redirects/index.js:464](https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b)\n\n```diff\n- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);\n+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);\n```","url":"https://github.com/advisories/GHSA-cxjh-pqwp-8mfp"},"1097148":{"findings":[{"version":"4.0.0","paths":["codeceptjs>html-minifier"]}],"metadata":null,"vulnerable_versions":"<=4.0.0","module_name":"html-minifier","severity":"high","github_advisory_id":"GHSA-pfq8-rq6v-vf5m","cves":["CVE-2022-37620"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-04-22T23:07:36.000Z","recommendation":"None","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1097148,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-37620\n- https://github.com/kangax/html-minifier/issues/1135\n- https://github.com/kangax/html-minifier/blob/51ce10f4daedb1de483ffbcccecc41be1c873da2/src/htmlminifier.js#L1338\n- https://github.com/kangax/html-minifier/blob/51ce10f4daedb1de483ffbcccecc41be1c873da2/src/htmlminifier.js#L294\n- https://github.com/advisories/GHSA-pfq8-rq6v-vf5m","created":"2022-10-31T19:00:36.000Z","reported_by":null,"title":"kangax html-minifier REDoS vulnerability","npm_advisory_id":null,"overview":"A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.","url":"https://github.com/advisories/GHSA-pfq8-rq6v-vf5m"},"1097346":{"findings":[{"version":"1.1.8","paths":["codeceptjs>mocha>chokidar>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip"]}],"metadata":null,"vulnerable_versions":"<=2.0.1","module_name":"ip","severity":"high","github_advisory_id":"GHSA-2p57-rm9w-gvfp","cves":["CVE-2024-29415"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-06-02T22:29:30.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1097346,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-29415\n- https://github.com/indutny/node-ip/issues/150\n- https://github.com/indutny/node-ip/pull/143\n- https://github.com/indutny/node-ip/pull/144\n- https://github.com/advisories/GHSA-2p57-rm9w-gvfp","created":"2024-06-02T22:29:29.000Z","reported_by":null,"title":"ip SSRF improper categorization in isPublic","npm_advisory_id":null,"overview":"The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.","url":"https://github.com/advisories/GHSA-2p57-rm9w-gvfp"},"1097493":{"findings":[{"version":"6.2.0","paths":["codeceptjs>mocha>chokidar>fsevents>node-gyp>tar","codeceptjs>mocha>chokidar>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar"]}],"metadata":null,"vulnerable_versions":"<6.2.1","module_name":"tar","severity":"moderate","github_advisory_id":"GHSA-f5x3-32g6-xq36","cves":["CVE-2024-28863"],"access":"public","patched_versions":">=6.2.1","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2024-06-10T18:30:53.000Z","recommendation":"Upgrade to version 6.2.1 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1097493,"references":"- https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28863\n- https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7\n- https://security.netapp.com/advisory/ntap-20240524-0005\n- https://github.com/advisories/GHSA-f5x3-32g6-xq36","created":"2024-03-22T16:57:05.000Z","reported_by":null,"title":"Denial of service while parsing a tar file due to lack of folders count validation","npm_advisory_id":null,"overview":"## Description: \nDuring some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\n## Steps To Reproduce:\nYou can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\n## Proof Of Concept:\nHere's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm&response-content-type=video%2Fwebm&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSWWGDXHA%2F20240312%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240312T080103Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=1e8235d885f1d61529b7d6b23ea3a0780c300c91d86e925dd8310d5b661ddbe2) show-casing the exploit: \n\n## Impact\n\nDenial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources\n\n## Report resources\n[payload.txt](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/1e83ayb5dd3350fvj3gst0mqixwk?response-content-disposition=attachment%3B%20filename%3D%22payload.txt%22%3B%20filename%2A%3DUTF-8%27%27payload.txt&response-content-type=text%2Fplain&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSWWGDXHA%2F20240312%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240312T080103Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=bad9fe731f05a63a950f99828125653a8c1254750fe0ca7be882e89ecdd449ae)\n[archeive.tar.gz](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/ymkuh4xnfdcf1soeyi7jc2x4yt2i?response-content-disposition=attachment%3B%20filename%3D%22archive.tar.gz%22%3B%20filename%2A%3DUTF-8%27%27archive.tar.gz&response-content-type=application%2Fx-tar&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSWWGDXHA%2F20240312%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240312T080103Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=5e2c0d4b4de40373ac0fe91908c2659141a6dd4ab850271cc26042a3885c82ea)\n\n## Note\nThis report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago","url":"https://github.com/advisories/GHSA-f5x3-32g6-xq36"},"1097496":{"findings":[{"version":"3.0.2","paths":["http-proxy-middleware>micromatch>braces","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch>braces","rx-polling-hmcts>jest-environment-jsdom>@jest/fake-timers>jest-message-util>micromatch>braces","rx-polling-hmcts>jest-environment-jsdom>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch>braces"]}],"metadata":null,"vulnerable_versions":"<3.0.3","module_name":"braces","severity":"high","github_advisory_id":"GHSA-grv7-fg5c-xmjg","cves":["CVE-2024-4068"],"access":"public","patched_versions":">=3.0.3","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-06-10T20:17:26.000Z","recommendation":"Upgrade to version 3.0.3 or later","cwe":["CWE-1050"],"found_by":null,"deleted":null,"id":1097496,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4068\n- https://github.com/micromatch/braces/issues/35\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4068\n- https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308\n- https://github.com/micromatch/braces/pull/37\n- https://github.com/micromatch/braces/pull/40\n- https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff\n- https://github.com/advisories/GHSA-grv7-fg5c-xmjg","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Uncontrolled resource consumption in braces","npm_advisory_id":null,"overview":"The NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.\n","url":"https://github.com/advisories/GHSA-grv7-fg5c-xmjg"},"1097504":{"findings":[{"version":"2.5.207","paths":["@hmcts/media-viewer>pdfjs-dist"]}],"metadata":null,"vulnerable_versions":"<=4.1.392","module_name":"pdfjs-dist","severity":"high","github_advisory_id":"GHSA-wgrm-67xf-hhpq","cves":["CVE-2024-4367"],"access":"public","patched_versions":">=4.2.67","cvss":{"score":0,"vectorString":null},"updated":"2024-06-10T20:18:19.000Z","recommendation":"Upgrade to version 4.2.67 or later","cwe":[],"found_by":null,"deleted":null,"id":1097504,"references":"- https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq\n- https://github.com/mozilla/pdf.js/pull/18015\n- https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6\n- https://bugzilla.mozilla.org/show_bug.cgi?id=1893645\n- https://nvd.nist.gov/vuln/detail/CVE-2024-4367\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html\n- https://www.mozilla.org/security/advisories/mfsa2024-21\n- https://www.mozilla.org/security/advisories/mfsa2024-22\n- https://www.mozilla.org/security/advisories/mfsa2024-23\n- https://github.com/advisories/GHSA-wgrm-67xf-hhpq","created":"2024-05-07T10:25:08.000Z","reported_by":null,"title":"PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF","npm_advisory_id":null,"overview":"### Impact\nIf pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.\n\n### Patches\nThe patch removes the use of `eval`:\nhttps://github.com/mozilla/pdf.js/pull/18015\n\n### Workarounds\nSet the option `isEvalSupported` to `false`. \n\n### References\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1893645","url":"https://github.com/advisories/GHSA-wgrm-67xf-hhpq"},"1097615":{"findings":[{"version":"8.13.0","paths":["puppeteer>ws","accessibility-checker>puppeteer>ws","@hmcts/media-viewer>socket.io-client>engine.io-client>ws"]}],"metadata":null,"vulnerable_versions":">=8.0.0 <8.17.1","module_name":"ws","severity":"high","github_advisory_id":"GHSA-3h5v-q93c-6h6q","cves":["CVE-2024-37890"],"access":"public","patched_versions":">=8.17.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-06-17T19:09:12.000Z","recommendation":"Upgrade to version 8.17.1 or later","cwe":["CWE-476"],"found_by":null,"deleted":null,"id":1097615,"references":"- https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n- https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f\n- https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e\n- https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c\n- https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63\n- https://github.com/advisories/GHSA-3h5v-q93c-6h6q","created":"2024-06-17T19:09:10.000Z","reported_by":null,"title":"ws affected by a DoS when handling a request with many HTTP headers","npm_advisory_id":null,"overview":"### Impact\n\nA request with a number of headers exceeding the[`server.maxHeadersCount`][] threshold could be used to crash a ws server.\n\n### Proof of concept\n\n```js\nconst http = require('http');\nconst WebSocket = require('ws');\n\nconst wss = new WebSocket.Server({ port: 0 }, function () {\n const chars = \"!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~\".split('');\n const headers = {};\n let count = 0;\n\n for (let i = 0; i < chars.length; i++) {\n if (count === 2000) break;\n\n for (let j = 0; j < chars.length; j++) {\n const key = chars[i] + chars[j];\n headers[key] = 'x';\n\n if (++count === 2000) break;\n }\n }\n\n headers.Connection = 'Upgrade';\n headers.Upgrade = 'websocket';\n headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';\n headers['Sec-WebSocket-Version'] = '13';\n\n const request = http.request({\n headers: headers,\n host: '127.0.0.1',\n port: wss.address().port\n });\n\n request.end();\n});\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated in the following ways:\n\n1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options so that no more headers than the `server.maxHeadersCount` limit can be sent.\n2. Set `server.maxHeadersCount` to `0` so that no limit is applied.\n\n### Credits\n\nThe vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in https://github.com/websockets/ws/issues/2230.\n\n### References\n\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n\n[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize\n[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener\n[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount\n","url":"https://github.com/advisories/GHSA-3h5v-q93c-6h6q"},"1097679":{"findings":[{"version":"0.26.1","paths":["axios","@hmcts/rpx-xui-node-lib>axios","accessibility-checker>chromedriver>axios"]}],"metadata":null,"vulnerable_versions":">=0.8.1 <0.28.0","module_name":"axios","severity":"moderate","github_advisory_id":"GHSA-wf5p-g6vw-rhxx","cves":["CVE-2023-45857"],"access":"public","patched_versions":">=0.28.0","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},"updated":"2024-06-21T21:33:58.000Z","recommendation":"Upgrade to version 0.28.0 or later","cwe":["CWE-352"],"found_by":null,"deleted":null,"id":1097679,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-45857\n- https://github.com/axios/axios/issues/6006\n- https://github.com/axios/axios/issues/6022\n- https://github.com/axios/axios/pull/6028\n- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0\n- https://github.com/axios/axios/releases/tag/v1.6.0\n- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459\n- https://github.com/axios/axios/pull/6091\n- https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967\n- https://github.com/axios/axios/releases/tag/v0.28.0\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-wf5p-g6vw-rhxx","created":"2023-11-08T21:30:37.000Z","reported_by":null,"title":"Axios Cross-Site Request Forgery Vulnerability","npm_advisory_id":null,"overview":"An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.","url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"},"1097682":{"findings":[{"version":"2.5.0","paths":["rx-polling-hmcts>jest-environment-jsdom>jsdom>tough-cookie","protractor-screenshot-utils>protractor>webdriver-manager>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2024-06-21T21:33:53.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097682,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1097720":{"findings":[{"version":"1.1.8","paths":["codeceptjs>mocha>chokidar>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip"]}],"metadata":null,"vulnerable_versions":"<1.1.9","module_name":"ip","severity":"low","github_advisory_id":"GHSA-78xj-cgh5-2h22","cves":["CVE-2023-42282"],"access":"public","patched_versions":">=1.1.9","cvss":{"score":0,"vectorString":null},"updated":"2024-06-28T16:49:28.000Z","recommendation":"Upgrade to version 1.1.9 or later","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1097720,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-42282\n- https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html\n- https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447\n- https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999\n- https://github.com/indutny/node-ip/pull/138\n- https://github.com/indutny/node-ip/commit/32f468f1245574785ec080705737a579be1223aa\n- https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894\n- https://github.com/advisories/GHSA-78xj-cgh5-2h22","created":"2024-02-08T18:30:39.000Z","reported_by":null,"title":"NPM IP package incorrectly identifies some private IP addresses as public","npm_advisory_id":null,"overview":"The `isPublic()` function in the NPM package `ip` doesn't correctly identify certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.","url":"https://github.com/advisories/GHSA-78xj-cgh5-2h22"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":10,"moderate":34,"high":32,"critical":0},"dependencies":1134,"devDependencies":29,"optionalDependencies":0,"totalDependencies":1163}} +{"actions":[],"advisories":{"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-09-11T16:22:18.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1093639,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094544":{"findings":[{"version":"8.4.29","paths":["@angular/ssr>critters>postcss"]}],"metadata":null,"vulnerable_versions":"<8.4.31","module_name":"postcss","severity":"moderate","github_advisory_id":"GHSA-7fh5-64p2-3v2j","cves":["CVE-2023-44270"],"access":"public","patched_versions":">=8.4.31","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-11-05T05:05:37.000Z","recommendation":"Upgrade to version 8.4.31 or later","cwe":["CWE-74","CWE-144"],"found_by":null,"deleted":null,"id":1094544,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-44270\n- https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5\n- https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25\n- https://github.com/postcss/postcss/releases/tag/8.4.31\n- https://github.com/github/advisory-database/issues/2820\n- https://github.com/advisories/GHSA-7fh5-64p2-3v2j","created":"2023-09-30T00:31:10.000Z","reported_by":null,"title":"PostCSS line return parsing error","npm_advisory_id":null,"overview":"An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\\r` discrepancies, as demonstrated by `@font-face{ font:(\\r/*);}` in a rule.\n\nThis vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.","url":"https://github.com/advisories/GHSA-7fh5-64p2-3v2j"},"1094902":{"findings":[{"version":"116.0.0","paths":["accessibility-checker>chromedriver"]}],"metadata":null,"vulnerable_versions":"<119.0.1","module_name":"chromedriver","severity":"moderate","github_advisory_id":"GHSA-hm92-vgmw-qfmx","cves":["CVE-2023-26156"],"access":"public","patched_versions":">=119.0.1","cvss":{"score":5.6,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-11-17T22:12:01.000Z","recommendation":"Upgrade to version 119.0.1 or later","cwe":["CWE-78"],"found_by":null,"deleted":null,"id":1094902,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26156\n- https://github.com/giggio/node-chromedriver/commit/de961e34e023afcf4fa5c0faeeec69aaa6c3c815\n- https://gist.github.com/mcoimbra/47b1da554a80795c45126d51e41b2b18\n- https://security.snyk.io/vuln/SNYK-JS-CHROMEDRIVER-6049539\n- https://github.com/advisories/GHSA-hm92-vgmw-qfmx","created":"2023-11-09T06:30:28.000Z","reported_by":null,"title":"chromedriver Command Injection vulnerability","npm_advisory_id":null,"overview":"Versions of the package chromedriver before 119.0.1 are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially malicious actions on the host system.\n\n**Note:**\n\nAn attacker must have access to the system running the vulnerable chromedriver library to exploit it. The success of exploitation also depends on the permissions and privileges of the process running chromedriver. ","url":"https://github.com/advisories/GHSA-hm92-vgmw-qfmx"},"1096353":{"findings":[{"version":"1.15.3","paths":["axios>follow-redirects","@hmcts/rpx-xui-node-lib>axios>follow-redirects","accessibility-checker>chromedriver>axios>follow-redirects"]}],"metadata":null,"vulnerable_versions":"<1.15.4","module_name":"follow-redirects","severity":"moderate","github_advisory_id":"GHSA-jchw-25xp-jwwc","cves":["CVE-2023-26159"],"access":"public","patched_versions":">=1.15.4","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2024-01-31T05:07:10.000Z","recommendation":"Upgrade to version 1.15.4 or later","cwe":["CWE-20","CWE-601"],"found_by":null,"deleted":null,"id":1096353,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26159\n- https://github.com/follow-redirects/follow-redirects/issues/235\n- https://github.com/follow-redirects/follow-redirects/pull/236\n- https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137\n- https://github.com/follow-redirects/follow-redirects/commit/7a6567e16dfa9ad18a70bfe91784c28653fbf19d\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/\n- https://github.com/advisories/GHSA-jchw-25xp-jwwc","created":"2024-01-02T06:30:30.000Z","reported_by":null,"title":"Follow Redirects improperly handles URLs in the url.parse() function","npm_advisory_id":null,"overview":"Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.","url":"https://github.com/advisories/GHSA-jchw-25xp-jwwc"},"1096693":{"findings":[{"version":"0.4.23","paths":["protractor-screenshot-utils>protractor>selenium-webdriver>xml2js","protractor-screenshot-utils>protractor>webdriver-js-extender>selenium-webdriver>xml2js"]}],"metadata":null,"vulnerable_versions":"<0.5.0","module_name":"xml2js","severity":"moderate","github_advisory_id":"GHSA-776f-qx25-q3cc","cves":["CVE-2023-0842"],"access":"public","patched_versions":">=0.5.0","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2024-03-14T21:47:27.000Z","recommendation":"Upgrade to version 0.5.0 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1096693,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-0842\n- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663\n- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5\n- https://fluidattacks.com/advisories/myers\n- https://github.com/Leonidas-from-XIV/node-xml2js\n- https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html\n- https://github.com/advisories/GHSA-776f-qx25-q3cc","created":"2023-04-05T21:30:24.000Z","reported_by":null,"title":"xml2js is vulnerable to prototype pollution","npm_advisory_id":null,"overview":"xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.","url":"https://github.com/advisories/GHSA-776f-qx25-q3cc"},"1096727":{"findings":[{"version":"2.88.2","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2024-03-21T17:47:21.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1096727,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://security.netapp.com/advisory/ntap-20230413-0007\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1096820":{"findings":[{"version":"4.18.2","paths":["@hmcts/rpx-xui-node-lib>express"]}],"metadata":null,"vulnerable_versions":"<4.19.2","module_name":"express","severity":"moderate","github_advisory_id":"GHSA-rv95-896h-c2vc","cves":["CVE-2024-29041"],"access":"public","patched_versions":">=4.19.2","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2024-03-27T21:47:29.000Z","recommendation":"Upgrade to version 4.19.2 or later","cwe":["CWE-601","CWE-1286"],"found_by":null,"deleted":null,"id":1096820,"references":"- https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc\n- https://github.com/koajs/koa/issues/1800\n- https://github.com/expressjs/express/pull/5539\n- https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd\n- https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94\n- https://expressjs.com/en/4x/api.html#res.location\n- https://nvd.nist.gov/vuln/detail/CVE-2024-29041\n- https://github.com/advisories/GHSA-rv95-896h-c2vc","created":"2024-03-25T19:40:26.000Z","reported_by":null,"title":"Express.js Open Redirect in malformed URLs","npm_advisory_id":null,"overview":"### Impact\n\nVersions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.\n\nWhen a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.\n\nThe main method impacted is `res.location()` but this is also called from within `res.redirect()`.\n\n### Patches\n\nhttps://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd\nhttps://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94\n\nAn initial fix went out with `express@4.19.0`, we then patched a feature regression in `4.19.1` and added improved handling for the bypass in `4.19.2`.\n\n### Workarounds\n\nThe fix for this involves pre-parsing the url string with either `require('node:url').parse` or `new URL`. These are steps you can take on your own before passing the user input string to `res.location` or `res.redirect`.\n\n### References\n\nhttps://github.com/expressjs/express/pull/5539\nhttps://github.com/koajs/koa/issues/1800\nhttps://expressjs.com/en/4x/api.html#res.location","url":"https://github.com/advisories/GHSA-rv95-896h-c2vc"},"1096832":{"findings":[{"version":"1.28.2","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":"<2.0.7","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-hhhv-q57g-882q","cves":["CVE-2024-28176"],"access":"public","patched_versions":">=2.0.7","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-03-30T06:30:42.000Z","recommendation":"Upgrade to version 2.0.7 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1096832,"references":"- https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q\n- https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314\n- https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28176\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG\n- https://github.com/advisories/GHSA-hhhv-q57g-882q","created":"2024-03-07T17:40:57.000Z","reported_by":null,"title":"jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext","npm_advisory_id":null,"overview":"A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the [support for decompressing plaintext after its decryption](https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.3). This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective.\n\nNote that as per [RFC 8725](https://www.rfc-editor.org/rfc/rfc8725.html#name-avoid-compression-of-encryp) compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. For this reason the v5.x major version of `jose` removed support for compressed payloads entirely and is therefore NOT affected by this advisory.\n\n### Impact\n\nUnder certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations.\n\n### Affected users\n\nThe impact is limited only to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.\n\nYou are NOT affected if any of the following applies to you\n\n- Your code uses jose version v5.x where JWE Compression is not supported anymore\n- Your code runs in an environment other than Node.js (e.g. Deno, CF Workers), which is the only runtime where JWE Compression is implemented out of the box\n- Your code does not use the JWE decryption APIs\n- Your code only accepts JWEs produced by trusted sources\n\n### Patches\n\n`v2.0.7` and `v4.15.5` releases limit the decompression routine to only allow decompressing up to 250 kB of plaintext. In v4.x it is possible to further adjust this limit via the `inflateRaw` decryption option implementation. In v2.x it is possible to further adjust this limit via the `inflateRawSyncLimit` decryption option.\n\n### Workarounds\n\nIf you cannot upgrade and do not want to support compressed JWEs you may detect and reject these tokens early by checking the token's protected header\n\n```js\nconst { zip } = jose.decodeProtectedHeader(token)\nif (zip !== undefined) {\n throw new Error('JWE Compression is not supported')\n}\n```\n\nIf you wish to continue supporting JWEs with compressed payloads in these legacy release lines you must upgrade (v1.x and v2.x to version v2.0.7, v3.x and v4.x to version v4.15.5) and review the limits put forth by the patched releases.\n\n### For more information\nIf you have any questions or comments about this advisory please open a discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-hhhv-q57g-882q%20advisory%20question)","url":"https://github.com/advisories/GHSA-hhhv-q57g-882q"},"1096856":{"findings":[{"version":"1.15.3","paths":["axios>follow-redirects","@hmcts/rpx-xui-node-lib>axios>follow-redirects","accessibility-checker>chromedriver>axios>follow-redirects"]}],"metadata":null,"vulnerable_versions":"<=1.15.5","module_name":"follow-redirects","severity":"moderate","github_advisory_id":"GHSA-cxjh-pqwp-8mfp","cves":["CVE-2024-28849"],"access":"public","patched_versions":">=1.15.6","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},"updated":"2024-04-02T17:54:22.000Z","recommendation":"Upgrade to version 1.15.6 or later","cwe":["CWE-200"],"found_by":null,"deleted":null,"id":1096856,"references":"- https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp\n- https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b\n- https://fetch.spec.whatwg.org/#authentication-entries\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28849\n- https://github.com/psf/requests/issues/1885\n- https://hackerone.com/reports/2390009\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z\n- https://github.com/advisories/GHSA-cxjh-pqwp-8mfp","created":"2024-03-14T17:19:42.000Z","reported_by":null,"title":"follow-redirects' Proxy-Authorization header kept across hosts","npm_advisory_id":null,"overview":"When using [axios](https://github.com/axios/axios), its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.\n\n## Steps To Reproduce & PoC\n\nTest code:\n\n```js\nconst axios = require('axios');\n\naxios.get('http://127.0.0.1:10081/', {\n headers: {\n 'AuThorization': 'Rear Test',\n 'ProXy-AuthoriZation': 'Rear Test',\n 'coOkie': 't=1'\n }\n})\n .then((response) => {\n console.log(response);\n })\n```\n\nWhen I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.\n\n## Impact\n\nThis vulnerability may lead to credentials leak.\n\n## Recommendations\n\nRemove proxy-authentication header during cross-domain redirect\n\n### Recommended Patch\n\n[follow-redirects/index.js:464](https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b)\n\n```diff\n- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);\n+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);\n```","url":"https://github.com/advisories/GHSA-cxjh-pqwp-8mfp"},"1097346":{"findings":[{"version":"1.1.9","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip"]}],"metadata":null,"vulnerable_versions":"<=2.0.1","module_name":"ip","severity":"high","github_advisory_id":"GHSA-2p57-rm9w-gvfp","cves":["CVE-2024-29415"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-06-02T22:29:30.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1097346,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-29415\n- https://github.com/indutny/node-ip/issues/150\n- https://github.com/indutny/node-ip/pull/143\n- https://github.com/indutny/node-ip/pull/144\n- https://github.com/advisories/GHSA-2p57-rm9w-gvfp","created":"2024-06-02T22:29:29.000Z","reported_by":null,"title":"ip SSRF improper categorization in isPublic","npm_advisory_id":null,"overview":"The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.","url":"https://github.com/advisories/GHSA-2p57-rm9w-gvfp"},"1097493":{"findings":[{"version":"6.2.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar"]}],"metadata":null,"vulnerable_versions":"<6.2.1","module_name":"tar","severity":"moderate","github_advisory_id":"GHSA-f5x3-32g6-xq36","cves":["CVE-2024-28863"],"access":"public","patched_versions":">=6.2.1","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2024-06-10T18:30:53.000Z","recommendation":"Upgrade to version 6.2.1 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1097493,"references":"- https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28863\n- https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7\n- https://security.netapp.com/advisory/ntap-20240524-0005\n- https://github.com/advisories/GHSA-f5x3-32g6-xq36","created":"2024-03-22T16:57:05.000Z","reported_by":null,"title":"Denial of service while parsing a tar file due to lack of folders count validation","npm_advisory_id":null,"overview":"## Description: \nDuring some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\n## Steps To Reproduce:\nYou can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\n## Proof Of Concept:\nHere's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm&response-content-type=video%2Fwebm&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSWWGDXHA%2F20240312%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240312T080103Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=1e8235d885f1d61529b7d6b23ea3a0780c300c91d86e925dd8310d5b661ddbe2) show-casing the exploit: \n\n## Impact\n\nDenial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources\n\n## Report resources\n[payload.txt](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/1e83ayb5dd3350fvj3gst0mqixwk?response-content-disposition=attachment%3B%20filename%3D%22payload.txt%22%3B%20filename%2A%3DUTF-8%27%27payload.txt&response-content-type=text%2Fplain&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSWWGDXHA%2F20240312%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240312T080103Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=bad9fe731f05a63a950f99828125653a8c1254750fe0ca7be882e89ecdd449ae)\n[archeive.tar.gz](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/ymkuh4xnfdcf1soeyi7jc2x4yt2i?response-content-disposition=attachment%3B%20filename%3D%22archive.tar.gz%22%3B%20filename%2A%3DUTF-8%27%27archive.tar.gz&response-content-type=application%2Fx-tar&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSWWGDXHA%2F20240312%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240312T080103Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=5e2c0d4b4de40373ac0fe91908c2659141a6dd4ab850271cc26042a3885c82ea)\n\n## Note\nThis report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago","url":"https://github.com/advisories/GHSA-f5x3-32g6-xq36"},"1097504":{"findings":[{"version":"2.5.207","paths":["@hmcts/media-viewer>pdfjs-dist"]}],"metadata":null,"vulnerable_versions":"<=4.1.392","module_name":"pdfjs-dist","severity":"high","github_advisory_id":"GHSA-wgrm-67xf-hhpq","cves":["CVE-2024-4367"],"access":"public","patched_versions":">=4.2.67","cvss":{"score":0,"vectorString":null},"updated":"2024-06-10T20:18:19.000Z","recommendation":"Upgrade to version 4.2.67 or later","cwe":[],"found_by":null,"deleted":null,"id":1097504,"references":"- https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq\n- https://github.com/mozilla/pdf.js/pull/18015\n- https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6\n- https://bugzilla.mozilla.org/show_bug.cgi?id=1893645\n- https://nvd.nist.gov/vuln/detail/CVE-2024-4367\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html\n- https://www.mozilla.org/security/advisories/mfsa2024-21\n- https://www.mozilla.org/security/advisories/mfsa2024-22\n- https://www.mozilla.org/security/advisories/mfsa2024-23\n- https://github.com/advisories/GHSA-wgrm-67xf-hhpq","created":"2024-05-07T10:25:08.000Z","reported_by":null,"title":"PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF","npm_advisory_id":null,"overview":"### Impact\nIf pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.\n\n### Patches\nThe patch removes the use of `eval`:\nhttps://github.com/mozilla/pdf.js/pull/18015\n\n### Workarounds\nSet the option `isEvalSupported` to `false`. \n\n### References\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1893645","url":"https://github.com/advisories/GHSA-wgrm-67xf-hhpq"},"1097679":{"findings":[{"version":"0.26.1","paths":["axios","@hmcts/rpx-xui-node-lib>axios","accessibility-checker>chromedriver>axios"]}],"metadata":null,"vulnerable_versions":">=0.8.1 <0.28.0","module_name":"axios","severity":"moderate","github_advisory_id":"GHSA-wf5p-g6vw-rhxx","cves":["CVE-2023-45857"],"access":"public","patched_versions":">=0.28.0","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},"updated":"2024-06-21T21:33:58.000Z","recommendation":"Upgrade to version 0.28.0 or later","cwe":["CWE-352"],"found_by":null,"deleted":null,"id":1097679,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-45857\n- https://github.com/axios/axios/issues/6006\n- https://github.com/axios/axios/issues/6022\n- https://github.com/axios/axios/pull/6028\n- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0\n- https://github.com/axios/axios/releases/tag/v1.6.0\n- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459\n- https://github.com/axios/axios/pull/6091\n- https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967\n- https://github.com/axios/axios/releases/tag/v0.28.0\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-wf5p-g6vw-rhxx","created":"2023-11-08T21:30:37.000Z","reported_by":null,"title":"Axios Cross-Site Request Forgery Vulnerability","npm_advisory_id":null,"overview":"An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.","url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"},"1097682":{"findings":[{"version":"2.5.0","paths":["rx-polling-hmcts>jest-environment-jsdom>jsdom>tough-cookie","protractor-screenshot-utils>protractor>webdriver-manager>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2024-06-21T21:33:53.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097682,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":31,"high":10,"critical":0},"dependencies":1039,"devDependencies":1,"optionalDependencies":0,"totalDependencies":1040}} diff --git a/yarn.lock b/yarn.lock index 68a25837d4..e5011e5006 100644 --- a/yarn.lock +++ b/yarn.lock @@ -7943,13 +7943,6 @@ __metadata: languageName: node linkType: hard -"async-limiter@npm:~1.0.0": - version: 1.0.1 - resolution: "async-limiter@npm:1.0.1" - checksum: 2b849695b465d93ad44c116220dee29a5aeb63adac16c1088983c339b0de57d76e82533e8e364a93a9f997f28bbfc6a92948cefc120652bd07f3b59f8d75cf2b - languageName: node - linkType: hard - "async-listener@npm:^0.6.0": version: 0.6.10 resolution: "async-listener@npm:0.6.10" @@ -8614,12 +8607,12 @@ __metadata: languageName: node linkType: hard -"braces@npm:^3.0.2, braces@npm:~3.0.2": - version: 3.0.2 - resolution: "braces@npm:3.0.2" +"braces@npm:^3.0.3": + version: 3.0.3 + resolution: "braces@npm:3.0.3" dependencies: - fill-range: ^7.0.1 - checksum: e2a8e769a863f3d4ee887b5fe21f63193a891c68b612ddb4b68d82d1b5f3ff9073af066c343e9867a393fe4c2555dcb33e89b937195feb9c1613d259edfcd459 + fill-range: ^7.1.1 + checksum: b95aa0b3bd909f6cd1720ffcf031aeaf46154dd88b4da01f9a1d3f7ea866a79eba76a6d01cbc3c422b2ee5cdc39a4f02491058d5df0d7bf6e6a162a832df1f69 languageName: node linkType: hard @@ -12948,12 +12941,12 @@ __metadata: languageName: node linkType: hard -"fill-range@npm:^7.0.1": - version: 7.0.1 - resolution: "fill-range@npm:7.0.1" +"fill-range@npm:^7.1.1": + version: 7.1.1 + resolution: "fill-range@npm:7.1.1" dependencies: to-regex-range: ^5.0.1 - checksum: cc283f4e65b504259e64fd969bcf4def4eb08d85565e906b7d36516e87819db52029a76b6363d0f02d0d532f0033c9603b9e2d943d56ee3b0d4f7ad3328ff917 + checksum: b4abfbca3839a3d55e4ae5ec62e131e2e356bf4859ce8480c64c4876100f4df292a63e5bb1618e1d7460282ca2b305653064f01654474aa35c68000980f17798 languageName: node linkType: hard @@ -14801,16 +14794,16 @@ __metadata: linkType: hard "ip@npm:^1.1.8": - version: 1.1.8 - resolution: "ip@npm:1.1.8" - checksum: a2ade53eb339fb0cbe9e69a44caab10d6e3784662285eb5d2677117ee4facc33a64679051c35e0dfdb1a3983a51ce2f5d2cb36446d52e10d01881789b76e28fb + version: 1.1.9 + resolution: "ip@npm:1.1.9" + checksum: b6d91fd45a856e3bd6d4f601ea0619d90f3517638f6918ebd079f959a8a6308568d8db5ef4fdf037e0d9cfdcf264f46833dfeea81ca31309cf0a7eb4b1307b84 languageName: node linkType: hard "ip@npm:^2.0.0": - version: 2.0.0 - resolution: "ip@npm:2.0.0" - checksum: cfcfac6b873b701996d71ec82a7dd27ba92450afdb421e356f44044ed688df04567344c36cbacea7d01b1c39a4c732dc012570ebe9bebfb06f27314bca625349 + version: 2.0.1 + resolution: "ip@npm:2.0.1" + checksum: d765c9fd212b8a99023a4cde6a558a054c298d640fec1020567494d257afd78ca77e37126b1a3ef0e053646ced79a816bf50621d38d5e768cdde0431fa3b0d35 languageName: node linkType: hard @@ -25770,9 +25763,9 @@ __metadata: languageName: node linkType: hard -"ws@npm:8.16.0": - version: 8.16.0 - resolution: "ws@npm:8.16.0" +"ws@npm:^8.18.0": + version: 8.18.0 + resolution: "ws@npm:8.18.0" peerDependencies: bufferutil: ^4.0.1 utf-8-validate: ">=5.0.2" @@ -25781,91 +25774,7 @@ __metadata: optional: true utf-8-validate: optional: true - checksum: feb3eecd2bae82fa8a8beef800290ce437d8b8063bdc69712725f21aef77c49cb2ff45c6e5e7fce622248f9c7abaee506bae0a9064067ffd6935460c7357321b - languageName: node - linkType: hard - -"ws@npm:8.5.0": - version: 8.5.0 - resolution: "ws@npm:8.5.0" - peerDependencies: - bufferutil: ^4.0.1 - utf-8-validate: ^5.0.2 - peerDependenciesMeta: - bufferutil: - optional: true - utf-8-validate: - optional: true - checksum: 76f2f90e40344bf18fd544194e7067812fb1372b2a37865678d8f12afe4b478ff2ebc0c7c0aff82cd5e6b66fc43d889eec0f1865c2365d8f7a66d92da7744a77 - languageName: node - linkType: hard - -"ws@npm:^6.1.0": - version: 6.2.2 - resolution: "ws@npm:6.2.2" - dependencies: - async-limiter: ~1.0.0 - checksum: aec3154ec51477c094ac2cb5946a156e17561a581fa27005cbf22c53ac57f8d4e5f791dd4bbba6a488602cb28778c8ab7df06251d590507c3c550fd8ebeee949 - languageName: node - linkType: hard - -"ws@npm:^8.11.0": - version: 8.13.0 - resolution: "ws@npm:8.13.0" - peerDependencies: - bufferutil: ^4.0.1 - utf-8-validate: ">=5.0.2" - peerDependenciesMeta: - bufferutil: - optional: true - utf-8-validate: - optional: true - checksum: 53e991bbf928faf5dc6efac9b8eb9ab6497c69feeb94f963d648b7a3530a720b19ec2e0ec037344257e05a4f35bd9ad04d9de6f289615ffb133282031b18c61c - languageName: node - linkType: hard - -"ws@npm:^8.13.0": - version: 8.17.0 - resolution: "ws@npm:8.17.0" - peerDependencies: - bufferutil: ^4.0.1 - utf-8-validate: ">=5.0.2" - peerDependenciesMeta: - bufferutil: - optional: true - utf-8-validate: - optional: true - checksum: 147ef9eab0251364e1d2c55338ad0efb15e6913923ccbfdf20f7a8a6cb8f88432bcd7f4d8f66977135bfad35575644f9983201c1a361019594a4e53977bf6d4e - languageName: node - linkType: hard - -"ws@npm:~7.4.2": - version: 7.4.6 - resolution: "ws@npm:7.4.6" - peerDependencies: - bufferutil: ^4.0.1 - utf-8-validate: ^5.0.2 - peerDependenciesMeta: - bufferutil: - optional: true - utf-8-validate: - optional: true - checksum: 3a990b32ed08c72070d5e8913e14dfcd831919205be52a3ff0b4cdd998c8d554f167c9df3841605cde8b11d607768cacab3e823c58c96a5c08c987e093eb767a - languageName: node - linkType: hard - -"ws@npm:~8.11.0": - version: 8.11.0 - resolution: "ws@npm:8.11.0" - peerDependencies: - bufferutil: ^4.0.1 - utf-8-validate: ^5.0.2 - peerDependenciesMeta: - bufferutil: - optional: true - utf-8-validate: - optional: true - checksum: 316b33aba32f317cd217df66dbfc5b281a2f09ff36815de222bc859e3424d83766d9eb2bd4d667de658b6ab7be151f258318fb1da812416b30be13103e5b5c67 + checksum: 91d4d35bc99ff6df483bdf029b9ea4bfd7af1f16fc91231a96777a63d263e1eabf486e13a2353970efc534f9faa43bdbf9ee76525af22f4752cbc5ebda333975 languageName: node linkType: hard From 6bb6f4c094277b236872eac4ba1ce0e12b15a705 Mon Sep 17 00:00:00 2001 From: Andy Wilkins Date: Tue, 16 Jul 2024 11:51:01 +0100 Subject: [PATCH 2/2] vuln --- yarn-audit-known-issues | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues index 3bcae3fa41..54ef503c69 100644 --- a/yarn-audit-known-issues +++ b/yarn-audit-known-issues @@ -1 +1 @@ -{"actions":[],"advisories":{"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-09-11T16:22:18.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1093639,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094544":{"findings":[{"version":"8.4.29","paths":["@angular/ssr>critters>postcss"]}],"metadata":null,"vulnerable_versions":"<8.4.31","module_name":"postcss","severity":"moderate","github_advisory_id":"GHSA-7fh5-64p2-3v2j","cves":["CVE-2023-44270"],"access":"public","patched_versions":">=8.4.31","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-11-05T05:05:37.000Z","recommendation":"Upgrade to version 8.4.31 or later","cwe":["CWE-74","CWE-144"],"found_by":null,"deleted":null,"id":1094544,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-44270\n- https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5\n- https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25\n- https://github.com/postcss/postcss/releases/tag/8.4.31\n- https://github.com/github/advisory-database/issues/2820\n- https://github.com/advisories/GHSA-7fh5-64p2-3v2j","created":"2023-09-30T00:31:10.000Z","reported_by":null,"title":"PostCSS line return parsing error","npm_advisory_id":null,"overview":"An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\\r` discrepancies, as demonstrated by `@font-face{ font:(\\r/*);}` in a rule.\n\nThis vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.","url":"https://github.com/advisories/GHSA-7fh5-64p2-3v2j"},"1094902":{"findings":[{"version":"116.0.0","paths":["accessibility-checker>chromedriver"]}],"metadata":null,"vulnerable_versions":"<119.0.1","module_name":"chromedriver","severity":"moderate","github_advisory_id":"GHSA-hm92-vgmw-qfmx","cves":["CVE-2023-26156"],"access":"public","patched_versions":">=119.0.1","cvss":{"score":5.6,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-11-17T22:12:01.000Z","recommendation":"Upgrade to version 119.0.1 or later","cwe":["CWE-78"],"found_by":null,"deleted":null,"id":1094902,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26156\n- https://github.com/giggio/node-chromedriver/commit/de961e34e023afcf4fa5c0faeeec69aaa6c3c815\n- https://gist.github.com/mcoimbra/47b1da554a80795c45126d51e41b2b18\n- https://security.snyk.io/vuln/SNYK-JS-CHROMEDRIVER-6049539\n- https://github.com/advisories/GHSA-hm92-vgmw-qfmx","created":"2023-11-09T06:30:28.000Z","reported_by":null,"title":"chromedriver Command Injection vulnerability","npm_advisory_id":null,"overview":"Versions of the package chromedriver before 119.0.1 are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially malicious actions on the host system.\n\n**Note:**\n\nAn attacker must have access to the system running the vulnerable chromedriver library to exploit it. The success of exploitation also depends on the permissions and privileges of the process running chromedriver. ","url":"https://github.com/advisories/GHSA-hm92-vgmw-qfmx"},"1096353":{"findings":[{"version":"1.15.3","paths":["axios>follow-redirects","@hmcts/rpx-xui-node-lib>axios>follow-redirects","accessibility-checker>chromedriver>axios>follow-redirects"]}],"metadata":null,"vulnerable_versions":"<1.15.4","module_name":"follow-redirects","severity":"moderate","github_advisory_id":"GHSA-jchw-25xp-jwwc","cves":["CVE-2023-26159"],"access":"public","patched_versions":">=1.15.4","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2024-01-31T05:07:10.000Z","recommendation":"Upgrade to version 1.15.4 or later","cwe":["CWE-20","CWE-601"],"found_by":null,"deleted":null,"id":1096353,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26159\n- https://github.com/follow-redirects/follow-redirects/issues/235\n- https://github.com/follow-redirects/follow-redirects/pull/236\n- https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137\n- https://github.com/follow-redirects/follow-redirects/commit/7a6567e16dfa9ad18a70bfe91784c28653fbf19d\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/\n- https://github.com/advisories/GHSA-jchw-25xp-jwwc","created":"2024-01-02T06:30:30.000Z","reported_by":null,"title":"Follow Redirects improperly handles URLs in the url.parse() function","npm_advisory_id":null,"overview":"Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.","url":"https://github.com/advisories/GHSA-jchw-25xp-jwwc"},"1096693":{"findings":[{"version":"0.4.23","paths":["protractor-screenshot-utils>protractor>selenium-webdriver>xml2js","protractor-screenshot-utils>protractor>webdriver-js-extender>selenium-webdriver>xml2js"]}],"metadata":null,"vulnerable_versions":"<0.5.0","module_name":"xml2js","severity":"moderate","github_advisory_id":"GHSA-776f-qx25-q3cc","cves":["CVE-2023-0842"],"access":"public","patched_versions":">=0.5.0","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2024-03-14T21:47:27.000Z","recommendation":"Upgrade to version 0.5.0 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1096693,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-0842\n- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663\n- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5\n- https://fluidattacks.com/advisories/myers\n- https://github.com/Leonidas-from-XIV/node-xml2js\n- https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html\n- https://github.com/advisories/GHSA-776f-qx25-q3cc","created":"2023-04-05T21:30:24.000Z","reported_by":null,"title":"xml2js is vulnerable to prototype pollution","npm_advisory_id":null,"overview":"xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.","url":"https://github.com/advisories/GHSA-776f-qx25-q3cc"},"1096727":{"findings":[{"version":"2.88.2","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2024-03-21T17:47:21.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1096727,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://security.netapp.com/advisory/ntap-20230413-0007\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1096820":{"findings":[{"version":"4.18.2","paths":["@hmcts/rpx-xui-node-lib>express"]}],"metadata":null,"vulnerable_versions":"<4.19.2","module_name":"express","severity":"moderate","github_advisory_id":"GHSA-rv95-896h-c2vc","cves":["CVE-2024-29041"],"access":"public","patched_versions":">=4.19.2","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2024-03-27T21:47:29.000Z","recommendation":"Upgrade to version 4.19.2 or later","cwe":["CWE-601","CWE-1286"],"found_by":null,"deleted":null,"id":1096820,"references":"- https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc\n- https://github.com/koajs/koa/issues/1800\n- https://github.com/expressjs/express/pull/5539\n- https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd\n- https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94\n- https://expressjs.com/en/4x/api.html#res.location\n- https://nvd.nist.gov/vuln/detail/CVE-2024-29041\n- https://github.com/advisories/GHSA-rv95-896h-c2vc","created":"2024-03-25T19:40:26.000Z","reported_by":null,"title":"Express.js Open Redirect in malformed URLs","npm_advisory_id":null,"overview":"### Impact\n\nVersions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.\n\nWhen a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.\n\nThe main method impacted is `res.location()` but this is also called from within `res.redirect()`.\n\n### Patches\n\nhttps://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd\nhttps://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94\n\nAn initial fix went out with `express@4.19.0`, we then patched a feature regression in `4.19.1` and added improved handling for the bypass in `4.19.2`.\n\n### Workarounds\n\nThe fix for this involves pre-parsing the url string with either `require('node:url').parse` or `new URL`. These are steps you can take on your own before passing the user input string to `res.location` or `res.redirect`.\n\n### References\n\nhttps://github.com/expressjs/express/pull/5539\nhttps://github.com/koajs/koa/issues/1800\nhttps://expressjs.com/en/4x/api.html#res.location","url":"https://github.com/advisories/GHSA-rv95-896h-c2vc"},"1096832":{"findings":[{"version":"1.28.2","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":"<2.0.7","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-hhhv-q57g-882q","cves":["CVE-2024-28176"],"access":"public","patched_versions":">=2.0.7","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-03-30T06:30:42.000Z","recommendation":"Upgrade to version 2.0.7 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1096832,"references":"- https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q\n- https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314\n- https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28176\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG\n- https://github.com/advisories/GHSA-hhhv-q57g-882q","created":"2024-03-07T17:40:57.000Z","reported_by":null,"title":"jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext","npm_advisory_id":null,"overview":"A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the [support for decompressing plaintext after its decryption](https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.3). This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective.\n\nNote that as per [RFC 8725](https://www.rfc-editor.org/rfc/rfc8725.html#name-avoid-compression-of-encryp) compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. For this reason the v5.x major version of `jose` removed support for compressed payloads entirely and is therefore NOT affected by this advisory.\n\n### Impact\n\nUnder certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations.\n\n### Affected users\n\nThe impact is limited only to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.\n\nYou are NOT affected if any of the following applies to you\n\n- Your code uses jose version v5.x where JWE Compression is not supported anymore\n- Your code runs in an environment other than Node.js (e.g. Deno, CF Workers), which is the only runtime where JWE Compression is implemented out of the box\n- Your code does not use the JWE decryption APIs\n- Your code only accepts JWEs produced by trusted sources\n\n### Patches\n\n`v2.0.7` and `v4.15.5` releases limit the decompression routine to only allow decompressing up to 250 kB of plaintext. In v4.x it is possible to further adjust this limit via the `inflateRaw` decryption option implementation. In v2.x it is possible to further adjust this limit via the `inflateRawSyncLimit` decryption option.\n\n### Workarounds\n\nIf you cannot upgrade and do not want to support compressed JWEs you may detect and reject these tokens early by checking the token's protected header\n\n```js\nconst { zip } = jose.decodeProtectedHeader(token)\nif (zip !== undefined) {\n throw new Error('JWE Compression is not supported')\n}\n```\n\nIf you wish to continue supporting JWEs with compressed payloads in these legacy release lines you must upgrade (v1.x and v2.x to version v2.0.7, v3.x and v4.x to version v4.15.5) and review the limits put forth by the patched releases.\n\n### For more information\nIf you have any questions or comments about this advisory please open a discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-hhhv-q57g-882q%20advisory%20question)","url":"https://github.com/advisories/GHSA-hhhv-q57g-882q"},"1096856":{"findings":[{"version":"1.15.3","paths":["axios>follow-redirects","@hmcts/rpx-xui-node-lib>axios>follow-redirects","accessibility-checker>chromedriver>axios>follow-redirects"]}],"metadata":null,"vulnerable_versions":"<=1.15.5","module_name":"follow-redirects","severity":"moderate","github_advisory_id":"GHSA-cxjh-pqwp-8mfp","cves":["CVE-2024-28849"],"access":"public","patched_versions":">=1.15.6","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},"updated":"2024-04-02T17:54:22.000Z","recommendation":"Upgrade to version 1.15.6 or later","cwe":["CWE-200"],"found_by":null,"deleted":null,"id":1096856,"references":"- https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp\n- https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b\n- https://fetch.spec.whatwg.org/#authentication-entries\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28849\n- https://github.com/psf/requests/issues/1885\n- https://hackerone.com/reports/2390009\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z\n- https://github.com/advisories/GHSA-cxjh-pqwp-8mfp","created":"2024-03-14T17:19:42.000Z","reported_by":null,"title":"follow-redirects' Proxy-Authorization header kept across hosts","npm_advisory_id":null,"overview":"When using [axios](https://github.com/axios/axios), its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.\n\n## Steps To Reproduce & PoC\n\nTest code:\n\n```js\nconst axios = require('axios');\n\naxios.get('http://127.0.0.1:10081/', {\n headers: {\n 'AuThorization': 'Rear Test',\n 'ProXy-AuthoriZation': 'Rear Test',\n 'coOkie': 't=1'\n }\n})\n .then((response) => {\n console.log(response);\n })\n```\n\nWhen I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.\n\n## Impact\n\nThis vulnerability may lead to credentials leak.\n\n## Recommendations\n\nRemove proxy-authentication header during cross-domain redirect\n\n### Recommended Patch\n\n[follow-redirects/index.js:464](https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b)\n\n```diff\n- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);\n+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);\n```","url":"https://github.com/advisories/GHSA-cxjh-pqwp-8mfp"},"1097346":{"findings":[{"version":"1.1.9","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip"]}],"metadata":null,"vulnerable_versions":"<=2.0.1","module_name":"ip","severity":"high","github_advisory_id":"GHSA-2p57-rm9w-gvfp","cves":["CVE-2024-29415"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-06-02T22:29:30.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1097346,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-29415\n- https://github.com/indutny/node-ip/issues/150\n- https://github.com/indutny/node-ip/pull/143\n- https://github.com/indutny/node-ip/pull/144\n- https://github.com/advisories/GHSA-2p57-rm9w-gvfp","created":"2024-06-02T22:29:29.000Z","reported_by":null,"title":"ip SSRF improper categorization in isPublic","npm_advisory_id":null,"overview":"The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.","url":"https://github.com/advisories/GHSA-2p57-rm9w-gvfp"},"1097493":{"findings":[{"version":"6.2.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar"]}],"metadata":null,"vulnerable_versions":"<6.2.1","module_name":"tar","severity":"moderate","github_advisory_id":"GHSA-f5x3-32g6-xq36","cves":["CVE-2024-28863"],"access":"public","patched_versions":">=6.2.1","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2024-06-10T18:30:53.000Z","recommendation":"Upgrade to version 6.2.1 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1097493,"references":"- https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28863\n- https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7\n- https://security.netapp.com/advisory/ntap-20240524-0005\n- https://github.com/advisories/GHSA-f5x3-32g6-xq36","created":"2024-03-22T16:57:05.000Z","reported_by":null,"title":"Denial of service while parsing a tar file due to lack of folders count validation","npm_advisory_id":null,"overview":"## Description: \nDuring some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\n## Steps To Reproduce:\nYou can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\n## Proof Of Concept:\nHere's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm&response-content-type=video%2Fwebm&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSWWGDXHA%2F20240312%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240312T080103Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=1e8235d885f1d61529b7d6b23ea3a0780c300c91d86e925dd8310d5b661ddbe2) show-casing the exploit: \n\n## Impact\n\nDenial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources\n\n## Report resources\n[payload.txt](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/1e83ayb5dd3350fvj3gst0mqixwk?response-content-disposition=attachment%3B%20filename%3D%22payload.txt%22%3B%20filename%2A%3DUTF-8%27%27payload.txt&response-content-type=text%2Fplain&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSWWGDXHA%2F20240312%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240312T080103Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=bad9fe731f05a63a950f99828125653a8c1254750fe0ca7be882e89ecdd449ae)\n[archeive.tar.gz](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/ymkuh4xnfdcf1soeyi7jc2x4yt2i?response-content-disposition=attachment%3B%20filename%3D%22archive.tar.gz%22%3B%20filename%2A%3DUTF-8%27%27archive.tar.gz&response-content-type=application%2Fx-tar&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSWWGDXHA%2F20240312%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240312T080103Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=5e2c0d4b4de40373ac0fe91908c2659141a6dd4ab850271cc26042a3885c82ea)\n\n## Note\nThis report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago","url":"https://github.com/advisories/GHSA-f5x3-32g6-xq36"},"1097504":{"findings":[{"version":"2.5.207","paths":["@hmcts/media-viewer>pdfjs-dist"]}],"metadata":null,"vulnerable_versions":"<=4.1.392","module_name":"pdfjs-dist","severity":"high","github_advisory_id":"GHSA-wgrm-67xf-hhpq","cves":["CVE-2024-4367"],"access":"public","patched_versions":">=4.2.67","cvss":{"score":0,"vectorString":null},"updated":"2024-06-10T20:18:19.000Z","recommendation":"Upgrade to version 4.2.67 or later","cwe":[],"found_by":null,"deleted":null,"id":1097504,"references":"- https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq\n- https://github.com/mozilla/pdf.js/pull/18015\n- https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6\n- https://bugzilla.mozilla.org/show_bug.cgi?id=1893645\n- https://nvd.nist.gov/vuln/detail/CVE-2024-4367\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html\n- https://www.mozilla.org/security/advisories/mfsa2024-21\n- https://www.mozilla.org/security/advisories/mfsa2024-22\n- https://www.mozilla.org/security/advisories/mfsa2024-23\n- https://github.com/advisories/GHSA-wgrm-67xf-hhpq","created":"2024-05-07T10:25:08.000Z","reported_by":null,"title":"PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF","npm_advisory_id":null,"overview":"### Impact\nIf pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.\n\n### Patches\nThe patch removes the use of `eval`:\nhttps://github.com/mozilla/pdf.js/pull/18015\n\n### Workarounds\nSet the option `isEvalSupported` to `false`. \n\n### References\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1893645","url":"https://github.com/advisories/GHSA-wgrm-67xf-hhpq"},"1097679":{"findings":[{"version":"0.26.1","paths":["axios","@hmcts/rpx-xui-node-lib>axios","accessibility-checker>chromedriver>axios"]}],"metadata":null,"vulnerable_versions":">=0.8.1 <0.28.0","module_name":"axios","severity":"moderate","github_advisory_id":"GHSA-wf5p-g6vw-rhxx","cves":["CVE-2023-45857"],"access":"public","patched_versions":">=0.28.0","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},"updated":"2024-06-21T21:33:58.000Z","recommendation":"Upgrade to version 0.28.0 or later","cwe":["CWE-352"],"found_by":null,"deleted":null,"id":1097679,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-45857\n- https://github.com/axios/axios/issues/6006\n- https://github.com/axios/axios/issues/6022\n- https://github.com/axios/axios/pull/6028\n- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0\n- https://github.com/axios/axios/releases/tag/v1.6.0\n- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459\n- https://github.com/axios/axios/pull/6091\n- https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967\n- https://github.com/axios/axios/releases/tag/v0.28.0\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-wf5p-g6vw-rhxx","created":"2023-11-08T21:30:37.000Z","reported_by":null,"title":"Axios Cross-Site Request Forgery Vulnerability","npm_advisory_id":null,"overview":"An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.","url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"},"1097682":{"findings":[{"version":"2.5.0","paths":["rx-polling-hmcts>jest-environment-jsdom>jsdom>tough-cookie","protractor-screenshot-utils>protractor>webdriver-manager>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2024-06-21T21:33:53.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097682,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":31,"high":10,"critical":0},"dependencies":1039,"devDependencies":1,"optionalDependencies":0,"totalDependencies":1040}} +{"actions":[],"advisories":{"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-09-11T16:22:18.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1093639,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094544":{"findings":[{"version":"8.4.29","paths":["@angular/ssr>critters>postcss"]}],"metadata":null,"vulnerable_versions":"<8.4.31","module_name":"postcss","severity":"moderate","github_advisory_id":"GHSA-7fh5-64p2-3v2j","cves":["CVE-2023-44270"],"access":"public","patched_versions":">=8.4.31","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-11-05T05:05:37.000Z","recommendation":"Upgrade to version 8.4.31 or later","cwe":["CWE-74","CWE-144"],"found_by":null,"deleted":null,"id":1094544,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-44270\n- https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5\n- https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25\n- https://github.com/postcss/postcss/releases/tag/8.4.31\n- https://github.com/github/advisory-database/issues/2820\n- https://github.com/advisories/GHSA-7fh5-64p2-3v2j","created":"2023-09-30T00:31:10.000Z","reported_by":null,"title":"PostCSS line return parsing error","npm_advisory_id":null,"overview":"An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\\r` discrepancies, as demonstrated by `@font-face{ font:(\\r/*);}` in a rule.\n\nThis vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.","url":"https://github.com/advisories/GHSA-7fh5-64p2-3v2j"},"1094902":{"findings":[{"version":"116.0.0","paths":["accessibility-checker>chromedriver"]}],"metadata":null,"vulnerable_versions":"<119.0.1","module_name":"chromedriver","severity":"moderate","github_advisory_id":"GHSA-hm92-vgmw-qfmx","cves":["CVE-2023-26156"],"access":"public","patched_versions":">=119.0.1","cvss":{"score":5.6,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-11-17T22:12:01.000Z","recommendation":"Upgrade to version 119.0.1 or later","cwe":["CWE-78"],"found_by":null,"deleted":null,"id":1094902,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26156\n- https://github.com/giggio/node-chromedriver/commit/de961e34e023afcf4fa5c0faeeec69aaa6c3c815\n- https://gist.github.com/mcoimbra/47b1da554a80795c45126d51e41b2b18\n- https://security.snyk.io/vuln/SNYK-JS-CHROMEDRIVER-6049539\n- https://github.com/advisories/GHSA-hm92-vgmw-qfmx","created":"2023-11-09T06:30:28.000Z","reported_by":null,"title":"chromedriver Command Injection vulnerability","npm_advisory_id":null,"overview":"Versions of the package chromedriver before 119.0.1 are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially malicious actions on the host system.\n\n**Note:**\n\nAn attacker must have access to the system running the vulnerable chromedriver library to exploit it. The success of exploitation also depends on the permissions and privileges of the process running chromedriver. ","url":"https://github.com/advisories/GHSA-hm92-vgmw-qfmx"},"1096353":{"findings":[{"version":"1.15.3","paths":["axios>follow-redirects","@hmcts/rpx-xui-node-lib>axios>follow-redirects","accessibility-checker>chromedriver>axios>follow-redirects"]}],"metadata":null,"vulnerable_versions":"<1.15.4","module_name":"follow-redirects","severity":"moderate","github_advisory_id":"GHSA-jchw-25xp-jwwc","cves":["CVE-2023-26159"],"access":"public","patched_versions":">=1.15.4","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2024-01-31T05:07:10.000Z","recommendation":"Upgrade to version 1.15.4 or later","cwe":["CWE-20","CWE-601"],"found_by":null,"deleted":null,"id":1096353,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26159\n- https://github.com/follow-redirects/follow-redirects/issues/235\n- https://github.com/follow-redirects/follow-redirects/pull/236\n- https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137\n- https://github.com/follow-redirects/follow-redirects/commit/7a6567e16dfa9ad18a70bfe91784c28653fbf19d\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/\n- https://github.com/advisories/GHSA-jchw-25xp-jwwc","created":"2024-01-02T06:30:30.000Z","reported_by":null,"title":"Follow Redirects improperly handles URLs in the url.parse() function","npm_advisory_id":null,"overview":"Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.","url":"https://github.com/advisories/GHSA-jchw-25xp-jwwc"},"1096693":{"findings":[{"version":"0.4.23","paths":["protractor-screenshot-utils>protractor>selenium-webdriver>xml2js","protractor-screenshot-utils>protractor>webdriver-js-extender>selenium-webdriver>xml2js"]}],"metadata":null,"vulnerable_versions":"<0.5.0","module_name":"xml2js","severity":"moderate","github_advisory_id":"GHSA-776f-qx25-q3cc","cves":["CVE-2023-0842"],"access":"public","patched_versions":">=0.5.0","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2024-03-14T21:47:27.000Z","recommendation":"Upgrade to version 0.5.0 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1096693,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-0842\n- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663\n- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5\n- https://fluidattacks.com/advisories/myers\n- https://github.com/Leonidas-from-XIV/node-xml2js\n- https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html\n- https://github.com/advisories/GHSA-776f-qx25-q3cc","created":"2023-04-05T21:30:24.000Z","reported_by":null,"title":"xml2js is vulnerable to prototype pollution","npm_advisory_id":null,"overview":"xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.","url":"https://github.com/advisories/GHSA-776f-qx25-q3cc"},"1096727":{"findings":[{"version":"2.88.2","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2024-03-21T17:47:21.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1096727,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://security.netapp.com/advisory/ntap-20230413-0007\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1096820":{"findings":[{"version":"4.18.2","paths":["@hmcts/rpx-xui-node-lib>express"]}],"metadata":null,"vulnerable_versions":"<4.19.2","module_name":"express","severity":"moderate","github_advisory_id":"GHSA-rv95-896h-c2vc","cves":["CVE-2024-29041"],"access":"public","patched_versions":">=4.19.2","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2024-03-27T21:47:29.000Z","recommendation":"Upgrade to version 4.19.2 or later","cwe":["CWE-601","CWE-1286"],"found_by":null,"deleted":null,"id":1096820,"references":"- https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc\n- https://github.com/koajs/koa/issues/1800\n- https://github.com/expressjs/express/pull/5539\n- https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd\n- https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94\n- https://expressjs.com/en/4x/api.html#res.location\n- https://nvd.nist.gov/vuln/detail/CVE-2024-29041\n- https://github.com/advisories/GHSA-rv95-896h-c2vc","created":"2024-03-25T19:40:26.000Z","reported_by":null,"title":"Express.js Open Redirect in malformed URLs","npm_advisory_id":null,"overview":"### Impact\n\nVersions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.\n\nWhen a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.\n\nThe main method impacted is `res.location()` but this is also called from within `res.redirect()`.\n\n### Patches\n\nhttps://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd\nhttps://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94\n\nAn initial fix went out with `express@4.19.0`, we then patched a feature regression in `4.19.1` and added improved handling for the bypass in `4.19.2`.\n\n### Workarounds\n\nThe fix for this involves pre-parsing the url string with either `require('node:url').parse` or `new URL`. These are steps you can take on your own before passing the user input string to `res.location` or `res.redirect`.\n\n### References\n\nhttps://github.com/expressjs/express/pull/5539\nhttps://github.com/koajs/koa/issues/1800\nhttps://expressjs.com/en/4x/api.html#res.location","url":"https://github.com/advisories/GHSA-rv95-896h-c2vc"},"1096832":{"findings":[{"version":"1.28.2","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":"<2.0.7","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-hhhv-q57g-882q","cves":["CVE-2024-28176"],"access":"public","patched_versions":">=2.0.7","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-03-30T06:30:42.000Z","recommendation":"Upgrade to version 2.0.7 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1096832,"references":"- https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q\n- https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314\n- https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28176\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG\n- https://github.com/advisories/GHSA-hhhv-q57g-882q","created":"2024-03-07T17:40:57.000Z","reported_by":null,"title":"jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext","npm_advisory_id":null,"overview":"A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the [support for decompressing plaintext after its decryption](https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.3). This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective.\n\nNote that as per [RFC 8725](https://www.rfc-editor.org/rfc/rfc8725.html#name-avoid-compression-of-encryp) compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. For this reason the v5.x major version of `jose` removed support for compressed payloads entirely and is therefore NOT affected by this advisory.\n\n### Impact\n\nUnder certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations.\n\n### Affected users\n\nThe impact is limited only to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.\n\nYou are NOT affected if any of the following applies to you\n\n- Your code uses jose version v5.x where JWE Compression is not supported anymore\n- Your code runs in an environment other than Node.js (e.g. Deno, CF Workers), which is the only runtime where JWE Compression is implemented out of the box\n- Your code does not use the JWE decryption APIs\n- Your code only accepts JWEs produced by trusted sources\n\n### Patches\n\n`v2.0.7` and `v4.15.5` releases limit the decompression routine to only allow decompressing up to 250 kB of plaintext. In v4.x it is possible to further adjust this limit via the `inflateRaw` decryption option implementation. In v2.x it is possible to further adjust this limit via the `inflateRawSyncLimit` decryption option.\n\n### Workarounds\n\nIf you cannot upgrade and do not want to support compressed JWEs you may detect and reject these tokens early by checking the token's protected header\n\n```js\nconst { zip } = jose.decodeProtectedHeader(token)\nif (zip !== undefined) {\n throw new Error('JWE Compression is not supported')\n}\n```\n\nIf you wish to continue supporting JWEs with compressed payloads in these legacy release lines you must upgrade (v1.x and v2.x to version v2.0.7, v3.x and v4.x to version v4.15.5) and review the limits put forth by the patched releases.\n\n### For more information\nIf you have any questions or comments about this advisory please open a discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-hhhv-q57g-882q%20advisory%20question)","url":"https://github.com/advisories/GHSA-hhhv-q57g-882q"},"1096856":{"findings":[{"version":"1.15.3","paths":["axios>follow-redirects","@hmcts/rpx-xui-node-lib>axios>follow-redirects","accessibility-checker>chromedriver>axios>follow-redirects"]}],"metadata":null,"vulnerable_versions":"<=1.15.5","module_name":"follow-redirects","severity":"moderate","github_advisory_id":"GHSA-cxjh-pqwp-8mfp","cves":["CVE-2024-28849"],"access":"public","patched_versions":">=1.15.6","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},"updated":"2024-04-02T17:54:22.000Z","recommendation":"Upgrade to version 1.15.6 or later","cwe":["CWE-200"],"found_by":null,"deleted":null,"id":1096856,"references":"- https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp\n- https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b\n- https://fetch.spec.whatwg.org/#authentication-entries\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28849\n- https://github.com/psf/requests/issues/1885\n- https://hackerone.com/reports/2390009\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z\n- https://github.com/advisories/GHSA-cxjh-pqwp-8mfp","created":"2024-03-14T17:19:42.000Z","reported_by":null,"title":"follow-redirects' Proxy-Authorization header kept across hosts","npm_advisory_id":null,"overview":"When using [axios](https://github.com/axios/axios), its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.\n\n## Steps To Reproduce & PoC\n\nTest code:\n\n```js\nconst axios = require('axios');\n\naxios.get('http://127.0.0.1:10081/', {\n headers: {\n 'AuThorization': 'Rear Test',\n 'ProXy-AuthoriZation': 'Rear Test',\n 'coOkie': 't=1'\n }\n})\n .then((response) => {\n console.log(response);\n })\n```\n\nWhen I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.\n\n## Impact\n\nThis vulnerability may lead to credentials leak.\n\n## Recommendations\n\nRemove proxy-authentication header during cross-domain redirect\n\n### Recommended Patch\n\n[follow-redirects/index.js:464](https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b)\n\n```diff\n- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);\n+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);\n```","url":"https://github.com/advisories/GHSA-cxjh-pqwp-8mfp"},"1097346":{"findings":[{"version":"1.1.9","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>@npmcli/agent>socks-proxy-agent>socks>ip"]}],"metadata":null,"vulnerable_versions":"<=2.0.1","module_name":"ip","severity":"high","github_advisory_id":"GHSA-2p57-rm9w-gvfp","cves":["CVE-2024-29415"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-06-02T22:29:30.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1097346,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-29415\n- https://github.com/indutny/node-ip/issues/150\n- https://github.com/indutny/node-ip/pull/143\n- https://github.com/indutny/node-ip/pull/144\n- https://github.com/advisories/GHSA-2p57-rm9w-gvfp","created":"2024-06-02T22:29:29.000Z","reported_by":null,"title":"ip SSRF improper categorization in isPublic","npm_advisory_id":null,"overview":"The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.","url":"https://github.com/advisories/GHSA-2p57-rm9w-gvfp"},"1097493":{"findings":[{"version":"6.2.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>cacache>tar"]}],"metadata":null,"vulnerable_versions":"<6.2.1","module_name":"tar","severity":"moderate","github_advisory_id":"GHSA-f5x3-32g6-xq36","cves":["CVE-2024-28863"],"access":"public","patched_versions":">=6.2.1","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2024-06-10T18:30:53.000Z","recommendation":"Upgrade to version 6.2.1 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1097493,"references":"- https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28863\n- https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7\n- https://security.netapp.com/advisory/ntap-20240524-0005\n- https://github.com/advisories/GHSA-f5x3-32g6-xq36","created":"2024-03-22T16:57:05.000Z","reported_by":null,"title":"Denial of service while parsing a tar file due to lack of folders count validation","npm_advisory_id":null,"overview":"## Description: \nDuring some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\n## Steps To Reproduce:\nYou can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\n## Proof Of Concept:\nHere's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm&response-content-type=video%2Fwebm&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSWWGDXHA%2F20240312%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240312T080103Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=1e8235d885f1d61529b7d6b23ea3a0780c300c91d86e925dd8310d5b661ddbe2) show-casing the exploit: \n\n## Impact\n\nDenial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources\n\n## Report resources\n[payload.txt](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/1e83ayb5dd3350fvj3gst0mqixwk?response-content-disposition=attachment%3B%20filename%3D%22payload.txt%22%3B%20filename%2A%3DUTF-8%27%27payload.txt&response-content-type=text%2Fplain&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSWWGDXHA%2F20240312%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240312T080103Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=bad9fe731f05a63a950f99828125653a8c1254750fe0ca7be882e89ecdd449ae)\n[archeive.tar.gz](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/ymkuh4xnfdcf1soeyi7jc2x4yt2i?response-content-disposition=attachment%3B%20filename%3D%22archive.tar.gz%22%3B%20filename%2A%3DUTF-8%27%27archive.tar.gz&response-content-type=application%2Fx-tar&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSWWGDXHA%2F20240312%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240312T080103Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=5e2c0d4b4de40373ac0fe91908c2659141a6dd4ab850271cc26042a3885c82ea)\n\n## Note\nThis report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago","url":"https://github.com/advisories/GHSA-f5x3-32g6-xq36"},"1097504":{"findings":[{"version":"2.5.207","paths":["@hmcts/media-viewer>pdfjs-dist"]}],"metadata":null,"vulnerable_versions":"<=4.1.392","module_name":"pdfjs-dist","severity":"high","github_advisory_id":"GHSA-wgrm-67xf-hhpq","cves":["CVE-2024-4367"],"access":"public","patched_versions":">=4.2.67","cvss":{"score":0,"vectorString":null},"updated":"2024-06-10T20:18:19.000Z","recommendation":"Upgrade to version 4.2.67 or later","cwe":[],"found_by":null,"deleted":null,"id":1097504,"references":"- https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq\n- https://github.com/mozilla/pdf.js/pull/18015\n- https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6\n- https://bugzilla.mozilla.org/show_bug.cgi?id=1893645\n- https://nvd.nist.gov/vuln/detail/CVE-2024-4367\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html\n- https://www.mozilla.org/security/advisories/mfsa2024-21\n- https://www.mozilla.org/security/advisories/mfsa2024-22\n- https://www.mozilla.org/security/advisories/mfsa2024-23\n- https://github.com/advisories/GHSA-wgrm-67xf-hhpq","created":"2024-05-07T10:25:08.000Z","reported_by":null,"title":"PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF","npm_advisory_id":null,"overview":"### Impact\nIf pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.\n\n### Patches\nThe patch removes the use of `eval`:\nhttps://github.com/mozilla/pdf.js/pull/18015\n\n### Workarounds\nSet the option `isEvalSupported` to `false`. \n\n### References\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1893645","url":"https://github.com/advisories/GHSA-wgrm-67xf-hhpq"},"1097679":{"findings":[{"version":"0.26.1","paths":["axios","@hmcts/rpx-xui-node-lib>axios","accessibility-checker>chromedriver>axios"]}],"metadata":null,"vulnerable_versions":">=0.8.1 <0.28.0","module_name":"axios","severity":"moderate","github_advisory_id":"GHSA-wf5p-g6vw-rhxx","cves":["CVE-2023-45857"],"access":"public","patched_versions":">=0.28.0","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},"updated":"2024-06-21T21:33:58.000Z","recommendation":"Upgrade to version 0.28.0 or later","cwe":["CWE-352"],"found_by":null,"deleted":null,"id":1097679,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-45857\n- https://github.com/axios/axios/issues/6006\n- https://github.com/axios/axios/issues/6022\n- https://github.com/axios/axios/pull/6028\n- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0\n- https://github.com/axios/axios/releases/tag/v1.6.0\n- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459\n- https://github.com/axios/axios/pull/6091\n- https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967\n- https://github.com/axios/axios/releases/tag/v0.28.0\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-wf5p-g6vw-rhxx","created":"2023-11-08T21:30:37.000Z","reported_by":null,"title":"Axios Cross-Site Request Forgery Vulnerability","npm_advisory_id":null,"overview":"An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.","url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"},"1097682":{"findings":[{"version":"2.5.0","paths":["rx-polling-hmcts>jest-environment-jsdom>jsdom>tough-cookie","protractor-screenshot-utils>protractor>webdriver-manager>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2024-06-21T21:33:53.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097682,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":31,"high":10,"critical":0},"dependencies":1023,"devDependencies":1,"optionalDependencies":0,"totalDependencies":1024}}