Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total advisories: 24,791 | With Dependabot PRs: 1,796 | Critical severity: 3,506 | High severity: 8,619
fastify/websocket vulnerable to uncaught exception via crash on malformed packet
GHSA-4pcg-wr6c-h9cq CVE-2022-39386 HIGH about 3 years ago
### Impact
Any application using @fastify/websocket could crash if a specific, malformed packet is sent.
All versions of fastify-websocket are a...
npm | 2 Dependabot PRs (100% merged)
deep-object-diff vulnerable to Prototype Pollution
GHSA-653v-rqx9-j85p CVE-2022-41713 MODERATE about 3 years ago
deep-object-diff before version 1.1.6 allows an external attacker to edit or add new properties to an object. This is possible because the applicat...
npm | No Dependabot PRs yet
Markdownify has Files or Directories Accessible to External Parties
GHSA-qqhf-xfhw-7884 CVE-2022-41710 MODERATE about 3 years ago
Markdownify version 1.4.1 allows an external attacker to remotely obtain arbitrary local files on any client that attempts to view a malicious mark...
npm | No Dependabot PRs yet
fastest-json-copy vulnerable to Prototype Pollution
GHSA-p5g9-rjcf-95vj CVE-2022-41714 MODERATE about 3 years ago
fastest-json-copy version 1.0.1 allows an external attacker to edit or add new properties to an object. This is possible because the application do...
npm | No Dependabot PRs yet
deep-parse-json vulnerable to Prototype Pollution
GHSA-ff9j-pwxg-q5p2 CVE-2022-42743 MODERATE about 3 years ago
deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does...
npm | No Dependabot PRs yet
@keystone-6/core's NODE_ENV defaults to development with esbuild
GHSA-25mx-2mxm-6343 CVE-2022-39382 CRITICAL about 3 years ago
### Impact
`@keystone-6/core@3.0.0 || 3.0.1` users that use `NODE_ENV` in their own code (**not dependencies**) to trigger security-sensitive funct...
npm | No Dependabot PRs yet
Batched HTTP requests may set incorrect `cache-control` response header
GHSA-8r69-3cvp-wxc3 MODERATE about 3 years ago
### Impact
In Apollo Server 3 and 4, the `cache-control` HTTP response header may not reflect the cache policy that should apply to an HTTP request...
npm | 2 Dependabot PRs
Unchecked Return Value to NULL Pointer Dereference in PDFDocumentHandler.cpp
GHSA-rcrx-fpjp-mfrw CVE-2022-39381 HIGH about 3 years ago
### Impact
The package muhammara before 2.6.0; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a malici...
npm | No Dependabot PRs yet
xmldom allows multiple root nodes in a DOM
GHSA-crh6-fp67-6883 CVE-2022-39353 CRITICAL about 3 years ago
### Impact
xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` c...
npm | 23 Dependabot PRs
node-red-dashboard vulnerable to Cross-site Scripting
GHSA-vrv9-3x3w-ffxw CVE-2022-3783 MODERATE about 3 years ago
node-red-dashboard contains a cross-site scripting vulnerability. This issue affects some unknown processing of the file `components/ui-component/u...
npm | No Dependabot PRs yet
muhammara and hummus vulnerable to null pointer dereference on bad response object
GHSA-frp9-2v6r-gj97 CVE-2022-25885 HIGH about 3 years ago
The package muhammara before 2.6.0 and the package hummus before 1.0.111 are vulnerable to Denial of Service (DoS) when PDFStreamForResponse() is u...
npm | No Dependabot PRs yet
muhammara and hummus vulnerable to denial of service by NULL pointer dereference
GHSA-9cv5-4wqv-9w94 CVE-2022-25892 HIGH about 3 years ago
### Impact
The package muhammara before 2.6.1, from 3.0.0 and before 3.1.1; all versions of package hummus are vulnerable to Denial of Service (DoS...
npm | No Dependabot PRs yet
kangax html-minifier REDoS vulnerability
GHSA-pfq8-rq6v-vf5m CVE-2022-37620 HIGH about 3 years ago
A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 because of the reCustomIgnore regular expression.
npm | No Dependabot PRs yet
thlorenz browserify-shim vulnerable to prototype pollution
GHSA-cfgr-75jx-h88g CVE-2022-37623 CRITICAL about 3 years ago
Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the shimPath variable in reso...
npm | No Dependabot PRs yet
thlorenz browserify-shim vulnerable to prototype pollution
GHSA-r737-347m-wqc7 CVE-2022-37621 CRITICAL about 3 years ago
Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the fullPath variable in reso...
npm | No Dependabot PRs yet
feathers-sequelize vulnerable to SQL injection due to improper parameter filtering
GHSA-5hq7-j5wq-p227 CVE-2022-29822 CRITICAL about 3 years ago
feathers-sequelize is vulnerable to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection.
npm | No Dependabot PRs yet
Feather-Sequelize cleanQuery method vulnerable to Prototype Pollution
GHSA-p5m3-27vh-52j4 CVE-2022-29823 CRITICAL about 3 years ago
Feather-Sequelize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code E...
npm | No Dependabot PRs yet
feathers-sequelize contains improper input validation leading to SQL injection
GHSA-qpv8-4pjq-qqh7 CVE-2022-2422 CRITICAL about 3 years ago
Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the...
npm | No Dependabot PRs yet
Insufficient validation when decoding a Socket.IO packet
GHSA-qm95-pgcg-qqfq CVE-2022-2421 CRITICAL about 3 years ago
Due to improper type validation in the `socket.io-parser` library (which is used by the `socket.io` and `socket.io-client` packages to encode and d...
npm | 12 Dependabot PRs (16% merged)
Inefficient Regular Expression Complexity in shescape
GHSA-cr84-xvw4-qx3c CVE-2022-25918 HIGH about 3 years ago
### Impact
This impacts users that use shescape to escape arguments:
- for the Unix shell Bash, or any not-officially-supported Unix shell;
- usi...
npm | No Dependabot PRs yet
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details
GHSA-c33w-pm52-mqvf CVE-2022-39350 MODERATE about 3 years ago
### Description
Due to the common practice of providing vulnerability details in markdown format, the Dependency-Track frontend renders them using...
npm | No Dependabot PRs yet
Hardening of TypedArrays with non-canonical numeric property names in SES
GHSA-whpx-q3rq-w8jc LOW about 3 years ago
### Impact
_What kind of vulnerability is it? Who is impacted?_
In Hardened JavaScript, programs can `harden` objects to safely share objects with...
npm | No Dependabot PRs yet
Markdownify subject to Remote Code Execution via malicious markdown file
GHSA-c942-mfmp-p4fh CVE-2022-41709 HIGH about 3 years ago
Markdownify version 1.4.1 allows an external attacker to execute arbitrary code remotely on any client attempting to view a malicious markdown file...
npm | No Dependabot PRs yet
Field-level access-control bypass for multiselect field
GHSA-6mhr-52mv-6v6f CVE-2022-39322 CRITICAL about 3 years ago
#### Impact
`@keystone-6/core@2.2.0 || 2.3.0` users who are using the `multiselect` field, and provided field-level access control - are vulnerabl...
npm | No Dependabot PRs yet
parse-server crashes when receiving file download request with invalid byte range
GHSA-h423-w6qv-2wj3 CVE-2022-39313 HIGH about 3 years ago
### Impact
Parse Server crashes when a file download request is received with an invalid byte range.
### Patches
Improved parsing of the range p...
npm | 1 Dependabot PR
minimatch ReDoS vulnerability
GHSA-f8q6-p94x-37v3 CVE-2022-3517 HIGH about 3 years ago
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand fu...
npm | 1 Dependabot PR
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable
GHSA-3rfm-jhwj-7488 CVE-2022-37603 HIGH about 3 years ago
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via t...
npm | 293 Dependabot PRs (10% merged)
Grunt-karma vulnerable to prototype pollution
GHSA-hcj4-xf6x-63wj CVE-2022-37602 CRITICAL about 3 years ago
Prototype pollution vulnerability in karma-runner grunt-karma 4.0.1 via the `key` variable in `grunt-karma.js`.
npm | No Dependabot PRs yet
Prototype pollution in webpack loader-utils
GHSA-76p3-8jx3-jpfq CVE-2022-37601 CRITICAL about 3 years ago
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils prior to version 2.0.3 via the name variable in p...
npm | No Dependabot PRs yet
Signature bypass via multiple root elements
GHSA-5p8w-2mvw-38pv CVE-2022-39300 HIGH about 3 years ago
### Impact
A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the att...
npm | No Dependabot PRs yet
Signature bypass via multiple root elements
GHSA-m974-647v-whv7 CVE-2022-39299 HIGH about 3 years ago
### Impact
A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the att...
npm | 4 Dependabot PRs
mockery is vulnerable to prototype pollution
GHSA-gmwp-3pwc-3j3g CVE-2022-37614 CRITICAL about 3 years ago
Prototype pollution vulnerability in function enable in mockery.js in mfncooper mockery commit 822f0566fd6d72af8c943ae5ca2aa92e516aa2cf via the key...
npm | No Dependabot PRs yet
The graphql-upload library included in Apollo Server 2 is vulnerable to CSRF mutations
GHSA-2p3c-p3qw-69r4 MODERATE about 3 years ago
### Impact
The [graphql-upload](https://www.npmjs.com/package/graphql-upload) npm package can execute GraphQL operations contained in `content-type...
npm | 6 Dependabot PRs (16% merged)
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)
GHSA-hhq3-ff78-jv3g CVE-2022-37599 HIGH about 3 years ago
A regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils via the res...
npm | No Dependabot PRs yet
mxGraph vulnerable to cross-site scripting in setTooltips function
GHSA-j4rv-pr9g-q8jv CVE-2022-40440 MODERATE about 3 years ago
mxGraph v4.2.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the `setTooltips()` function.
npm | No Dependabot PRs yet
tschaub gh-pages vulnerable to prototype pollution
GHSA-8mmm-9v2q-x3f9 CVE-2022-37611 CRITICAL about 3 years ago
Prototype pollution vulnerability in tschaub gh-pages via the partial variable in util.js.
npm | No Dependabot PRs yet
thlorenz browserify-shim vulnerable to prototype pollution
GHSA-866w-wm4h-95c6 CVE-2022-37617 CRITICAL about 3 years ago
Prototype pollution vulnerability in function `resolveShims` in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the `k` variable in resolve...
npm | No Dependabot PRs yet
Cross site scripting in Metro UI
GHSA-633r-r4p8-pw3w CVE-2022-41376 MODERATE about 3 years ago
Metro UI v4.4.0 to v4.5.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Javascript function. User input is...
npm | No Dependabot PRs yet
fastify vulnerable to denial of service via malicious Content-Type
GHSA-455w-c45v-86rg CVE-2022-39288 HIGH about 3 years ago
### Impact
An attacker can send an invalid `Content-Type` header that can cause the application to crash, leading to a possible Denial of Service a...
npm | 10 Dependabot PRs (30% merged)
Incorrect default cookie name and recommendation
GHSA-jjmg-x456-w976 LOW about 3 years ago
### Impact
_What kind of vulnerability is it? Who is impacted?_
The default cookie name (and documentation recommendation) was prefixed with `Host...
npm | No Dependabot PRs yet
tiny-csrf has openly visible CSRF tokens
GHSA-pj2c-h76w-vv6f CVE-2022-39287 HIGH about 3 years ago
### Impact
Weak encryption on CSRF so tokens can be read by malicious attackers.
### Patches
Problems have been patched as of v1.1.0
### Worka...
npm | No Dependabot PRs yet
NocoDB vulnerable to Denial of Service
GHSA-grv6-m753-3w2g CVE-2022-3423 MODERATE about 3 years ago
NocoDB prior to 0.92.0 allows actors to insert large characters into the input field `New Project` on the create field, which can cause a Denial of...
npm | No Dependabot PRs yet
v8n vulnerable to Inefficient Regular Expression Complexity
GHSA-xrx9-gj26-5wx9 CVE-2022-35923 HIGH about 3 years ago
### Impact
Inefficient regular expression complexity of `lowercase()` and `uppercase()` regex could lead to a denial of service attack. With a form...
npm | No Dependabot PRs yet
generator-jhipster vulnerable to login check Regular Expression Denial of Service
GHSA-8w7w-67mw-r5p7 HIGH about 3 years ago
### Impact
For applications using JWT or session-based authentication (not OIDC), users can input a login string which can cause a denial of servic...
npm | No Dependabot PRs yet
Snyk CLI affected by Command Injection vulnerability
GHSA-hpqj-7cj6-hfj8 CVE-2022-40764 HIGH about 3 years ago
Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the...
npm | No Dependabot PRs yet
css-what vulnerable to ReDoS due to use of insecure regular expression
GHSA-p28h-cc7q-c4fg CVE-2022-21222 HIGH about 3 years ago
The package css-what before 2.1.3 is vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of insecure regular expression in th...
npm | No Dependabot PRs yet
react-native-reanimated vulnerable to ReDoS
GHSA-2j79-8pqc-r7x6 CVE-2022-24373 HIGH about 3 years ago
The package react-native-reanimated before 2.10.0 is vulnerable to Regular Expression Denial of Service (ReDoS) due to improper usage of regular ex...
npm | No Dependabot PRs yet
Joplin Remote Code Execution
GHSA-mjr5-v9c9-mm7g CVE-2022-40277 HIGH about 3 years ago
Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown fil...
npm | No Dependabot PRs yet
isolated-vm has vulnerable CachedDataOptions in API
GHSA-2jjq-x548-rhpv CVE-2022-39266 CRITICAL about 3 years ago
### Impact
If the untrusted v8 cached data is passed to the API through CachedDataOptions, the attackers can bypass the sandbox and run arbitrary c...
npm | No Dependabot PRs yet
matrix-js-sdk subject to user impersonation due to key/device identifier confusion in SAS verification
GHSA-5w8r-8pgj-5jmf CVE-2022-39250 HIGH about 3 years ago
## Impact
An attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cros...
npm | No Dependabot PRs yet