cli-1.7.0.tgz: 15 vulnerabilities (highest severity is: 10.0) #4
Description
Vulnerable Library - cli-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (cli version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-47875 |  Critical |
10.0 | dompurify-2.4.7.tgz | Transitive | 1.8.0 | ❌ |
| CVE-2026-27904 |  High |
7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2026-27903 | High |
7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2026-26996 | High |
7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2024-57083 | High |
7.5 | redoc-2.1.3.tgz | Transitive | 1.28.4 | ❌ |
| CVE-2024-4068 | High |
7.5 | braces-3.0.2.tgz | Transitive | N/A* | ❌ |
| CVE-2024-37890 | High |
7.5 | ws-7.5.9.tgz | Transitive | 1.8.0 | ❌ |
| CVE-2024-45801 | High |
7.3 | dompurify-2.4.7.tgz | Transitive | 1.8.0 | ❌ |
| CVE-2025-27789 |  Medium |
6.2 | runtime-7.23.8.tgz | Transitive | 1.8.0 | ❌ |
| WS-2024-0017 | Medium |
6.1 | dompurify-2.4.7.tgz | Transitive | N/A* | ❌ |
| CVE-2025-64718 | Medium |
5.3 | js-yaml-4.1.0.tgz | Transitive | N/A* | ❌ |
| CVE-2024-53382 | Medium |
4.9 | prismjs-1.29.0.tgz | Transitive | N/A* | ❌ |
| CVE-2025-26791 | Medium |
4.5 | dompurify-2.4.7.tgz | Transitive | N/A* | ❌ |
| CVE-2024-55565 | Medium |
4.3 | nanoid-3.3.7.tgz | Transitive | 1.8.0 | ❌ |
| CVE-2025-5889 |  Low |
3.1 | detected in multiple dependencies | Transitive | 1.8.0 | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-47875
Vulnerable Library - dompurify-2.4.7.tgz
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin
Library home page: https://registry.npmjs.org/dompurify/-/dompurify-2.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- redoc-2.1.3.tgz
- ❌ dompurify-2.4.7.tgz (Vulnerable Library)
- redoc-2.1.3.tgz
Found in base branch: master
Vulnerability Details
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
Publish Date: 2024-10-11
URL: CVE-2024-47875
CVSS 3 Score Details (10.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-47875
Release Date: 2024-10-11
Fix Resolution (dompurify): 2.5.0
Direct dependency fix Resolution (@redocly/cli): 1.8.0
Step up your Open Source Security Game with Mend here
CVE-2026-27904
Vulnerable Libraries - minimatch-5.1.6.tgz, minimatch-3.1.2.tgz
minimatch-5.1.6.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- openapi-core-1.7.0.tgz
- ❌ minimatch-5.1.6.tgz (Vulnerable Library)
- openapi-core-1.7.0.tgz
minimatch-3.1.2.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- glob-7.2.3.tgz
- ❌ minimatch-3.1.2.tgz (Vulnerable Library)
- glob-7.2.3.tgz
Found in base branch: master
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested "()" extglobs produce regexps with nested unbounded quantifiers (e.g. "(?:(?:a|b))"), which exhibit catastrophic backtracking in V8. With a 12-byte pattern "(((a|b)))" and an 18-byte non-matching input, "minimatch()" stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default "minimatch()" API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects "+()" extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Publish Date: 2026-02-26
URL: CVE-2026-27904
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-23c5-xmqv-rm74
Release Date: 2026-02-26
Fix Resolution: minimatch - 7.4.8,minimatch - 10.2.3,minimatch - 8.0.6,minimatch - 4.2.5,minimatch - 6.2.2,minimatch - 9.0.7,minimatch - 5.1.8,minimatch - 3.1.4
Step up your Open Source Security Game with Mend here
CVE-2026-27903
Vulnerable Libraries - minimatch-5.1.6.tgz, minimatch-3.1.2.tgz
minimatch-5.1.6.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- openapi-core-1.7.0.tgz
- ❌ minimatch-5.1.6.tgz (Vulnerable Library)
- openapi-core-1.7.0.tgz
minimatch-3.1.2.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- glob-7.2.3.tgz
- ❌ minimatch-3.1.2.tgz (Vulnerable Library)
- glob-7.2.3.tgz
Found in base branch: master
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, "matchOne()" performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent "**" (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where "n" is the number of path segments and "k" is the number of globstars. With k=11 and n=30, a call to the default "minimatch()" API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to "minimatch()" is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Publish Date: 2026-02-26
URL: CVE-2026-27903
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-7r86-cg39-jmmj
Release Date: 2026-02-26
Fix Resolution: https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v8.0.6,https://github.com/isaacs/minimatch.git - v10.2.3,https://github.com/isaacs/minimatch.git - v5.1.8,https://github.com/isaacs/minimatch.git - v7.4.8,https://github.com/isaacs/minimatch.git - v4.2.5,https://github.com/isaacs/minimatch.git - v9.0.7,https://github.com/isaacs/minimatch.git - v6.2.2
Step up your Open Source Security Game with Mend here
CVE-2026-26996
Vulnerable Libraries - minimatch-5.1.6.tgz, minimatch-3.1.2.tgz
minimatch-5.1.6.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- openapi-core-1.7.0.tgz
- ❌ minimatch-5.1.6.tgz (Vulnerable Library)
- openapi-core-1.7.0.tgz
minimatch-3.1.2.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- glob-7.2.3.tgz
- ❌ minimatch-3.1.2.tgz (Vulnerable Library)
- glob-7.2.3.tgz
Found in base branch: master
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6 are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS.
This issue has been fixed in versions 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-20
URL: CVE-2026-26996
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: 2026-02-19
Fix Resolution: https://github.com/isaacs/minimatch.git - v10.2.1,https://github.com/isaacs/minimatch.git - v5.1.7,https://github.com/isaacs/minimatch.git - v8.0.5,https://github.com/isaacs/minimatch.git - v4.2.4,https://github.com/isaacs/minimatch.git - v9.0.6,https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v6.2.1,https://github.com/isaacs/minimatch.git - v7.4.7
Step up your Open Source Security Game with Mend here
CVE-2024-57083
Vulnerable Library - redoc-2.1.3.tgz
Library home page: https://registry.npmjs.org/redoc/-/redoc-2.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- ❌ redoc-2.1.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A prototype pollution in the component Module.mergeObjects (redoc/bundles/redoc.lib.js:2) of redoc <= 2.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
Publish Date: 2025-03-28
URL: CVE-2024-57083
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-03-28
Fix Resolution (redoc): 2.4.0
Direct dependency fix Resolution (@redocly/cli): 1.28.4
Step up your Open Source Security Game with Mend here
CVE-2024-4068
Vulnerable Library - braces-3.0.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- chokidar-3.5.3.tgz
- ❌ braces-3.0.2.tgz (Vulnerable Library)
- chokidar-3.5.3.tgz
Found in base branch: master
Vulnerability Details
The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In "lib/parse.js," if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash. After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: 2024-05-13
URL: CVE-2024-4068
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2024-05-13
Fix Resolution: braces - 3.0.3
Step up your Open Source Security Game with Mend here
CVE-2024-37890
Vulnerable Library - ws-7.5.9.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-7.5.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- simple-websocket-9.1.0.tgz
- ❌ ws-7.5.9.tgz (Vulnerable Library)
- simple-websocket-9.1.0.tgz
Found in base branch: master
Vulnerability Details
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: 2024-06-17
URL: CVE-2024-37890
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3h5v-q93c-6h6q
Release Date: 2024-06-17
Fix Resolution (ws): 7.5.10
Direct dependency fix Resolution (@redocly/cli): 1.8.0
Step up your Open Source Security Game with Mend here
CVE-2024-45801
Vulnerable Library - dompurify-2.4.7.tgz
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin
Library home page: https://registry.npmjs.org/dompurify/-/dompurify-2.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- redoc-2.1.3.tgz
- ❌ dompurify-2.4.7.tgz (Vulnerable Library)
- redoc-2.1.3.tgz
Found in base branch: master
Vulnerability Details
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-09-16
URL: CVE-2024-45801
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-mmhx-hmjr-r674
Release Date: 2024-09-16
Fix Resolution (dompurify): 2.5.4
Direct dependency fix Resolution (@redocly/cli): 1.8.0
Step up your Open Source Security Game with Mend here
CVE-2025-27789
Vulnerable Library - runtime-7.23.8.tgz
Library home page: https://registry.npmjs.org/@babel/runtime/-/runtime-7.23.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- redoc-2.1.3.tgz
- polished-4.2.2.tgz
- ❌ runtime-7.23.8.tgz (Vulnerable Library)
- polished-4.2.2.tgz
- redoc-2.1.3.tgz
Found in base branch: master
Vulnerability Details
Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the ".replace" method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to ".replace"). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the ".replace" method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of ".replace". This problem has been fixed in "@babel/helpers" and "@babel/runtime" 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on "@babel/helpers", and instead depend on "@babel/core" (which itself depends on "@babel/helpers"). Upgrading to "@babel/core" 7.26.10 is not required, but it guarantees use of a new enough "@babel/helpers" version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.
Publish Date: 2025-03-11
URL: CVE-2025-27789
CVSS 3 Score Details (6.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-968p-4wvh-cqc8
Release Date: 2025-03-11
Fix Resolution (@babel/runtime): 7.26.10
Direct dependency fix Resolution (@redocly/cli): 1.8.0
Step up your Open Source Security Game with Mend here
WS-2024-0017
Vulnerable Library - dompurify-2.4.7.tgz
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin
Library home page: https://registry.npmjs.org/dompurify/-/dompurify-2.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- redoc-2.1.3.tgz
- ❌ dompurify-2.4.7.tgz (Vulnerable Library)
- redoc-2.1.3.tgz
Found in base branch: master
Vulnerability Details
Insufficient checks in DOMPurify allows an attacker to bypass sanitizers and execute arbitrary JavaScript code. This issue affects versions before 2.5.8 and 3.x before 3.2.3.
Publish Date: 2024-02-08
URL: WS-2024-0017
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2024-02-08
Fix Resolution: domPurify - 2.5.8,3.2.3
Step up your Open Source Security Game with Mend here
CVE-2025-64718
Vulnerable Library - js-yaml-4.1.0.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- openapi-core-1.7.0.tgz
- ❌ js-yaml-4.1.0.tgz (Vulnerable Library)
- openapi-core-1.7.0.tgz
Found in base branch: master
Vulnerability Details
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution ("proto"). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using "node --disable-proto=delete" or "deno" (in Deno, pollution protection is on by default).
Publish Date: 2025-11-13
URL: CVE-2025-64718
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-mh29-5h37-fv8m
Release Date: 2025-11-13
Fix Resolution: js-yaml - 4.1.1,js-yaml - 3.14.2
Step up your Open Source Security Game with Mend here
CVE-2024-53382
Vulnerable Library - prismjs-1.29.0.tgz
Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.
Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.29.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- redoc-2.1.3.tgz
- ❌ prismjs-1.29.0.tgz (Vulnerable Library)
- redoc-2.1.3.tgz
Found in base branch: master
Vulnerability Details
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.
Publish Date: 2025-03-03
URL: CVE-2024-53382
CVSS 3 Score Details (4.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-53382
Release Date: 2025-03-03
Fix Resolution: prismjs - 9000.0.1,prismjs - 1.30.0
Step up your Open Source Security Game with Mend here
CVE-2025-26791
Vulnerable Library - dompurify-2.4.7.tgz
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin
Library home page: https://registry.npmjs.org/dompurify/-/dompurify-2.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- redoc-2.1.3.tgz
- ❌ dompurify-2.4.7.tgz (Vulnerable Library)
- redoc-2.1.3.tgz
Found in base branch: master
Vulnerability Details
DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
Publish Date: 2025-02-14
URL: CVE-2025-26791
CVSS 3 Score Details (4.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2025-26791
Release Date: 2025-02-14
Fix Resolution: dompurify - 3.2.4
Step up your Open Source Security Game with Mend here
CVE-2024-55565
Vulnerable Library - nanoid-3.3.7.tgz
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- styled-components-6.1.8.tgz
- postcss-8.4.31.tgz
- ❌ nanoid-3.3.7.tgz (Vulnerable Library)
- postcss-8.4.31.tgz
- styled-components-6.1.8.tgz
Found in base branch: master
Vulnerability Details
nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
Publish Date: 2024-12-09
URL: CVE-2024-55565
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-55565
Release Date: 2024-12-09
Fix Resolution (nanoid): 3.3.8
Direct dependency fix Resolution (@redocly/cli): 1.8.0
Step up your Open Source Security Game with Mend here
CVE-2025-5889
Vulnerable Libraries - brace-expansion-2.0.1.tgz, brace-expansion-1.1.11.tgz
brace-expansion-2.0.1.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- openapi-core-1.7.0.tgz
- minimatch-5.1.6.tgz
- ❌ brace-expansion-2.0.1.tgz (Vulnerable Library)
- minimatch-5.1.6.tgz
- openapi-core-1.7.0.tgz
brace-expansion-1.1.11.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cli-1.7.0.tgz (Root Library)
- glob-7.2.3.tgz
- minimatch-3.1.2.tgz
- ❌ brace-expansion-1.1.11.tgz (Vulnerable Library)
- minimatch-3.1.2.tgz
- glob-7.2.3.tgz
Found in base branch: master
Vulnerability Details
A vulnerability was found in juliangruber brace-expansion up to 1.1.11. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to apply a patch to fix this issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-09
URL: CVE-2025-5889
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-v6h2-p8h4-qcjw
Release Date: 2025-06-09
Fix Resolution (brace-expansion): 2.0.2
Direct dependency fix Resolution (@redocly/cli): 1.8.0
Fix Resolution (brace-expansion): 2.0.2
Direct dependency fix Resolution (@redocly/cli): 1.8.0
Step up your Open Source Security Game with Mend here