Vulnerable Library - @stryke/tools-nx-0.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (17 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2026-44494
Vulnerable Libraries - axios-1.15.0.tgz, axios-1.15.2.tgz
axios-1.15.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- nx-22.7.1.tgz
- ❌ axios-1.15.0.tgz (Vulnerable Library)
axios-1.15.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- workspace-tools-1.295.61.tgz
- devkit-22.6.0.tgz
- nx-22.6.0.tgz
- ❌ axios-1.15.2.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.
Publish Date: 2026-06-11
URL: CVE-2026-44494
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jp-ww65-95wh
Release Date: 2026-05-31
Fix Resolution: axios - 1.16.0,axios - 1.16.0
Step up your Open Source Security Game with Mend here
CVE-2026-44492
Vulnerable Libraries - axios-1.15.0.tgz, axios-1.15.2.tgz
axios-1.15.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- nx-22.7.1.tgz
- ❌ axios-1.15.0.tgz (Vulnerable Library)
axios-1.15.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- workspace-tools-1.295.61.tgz
- devkit-22.6.0.tgz
- nx-22.6.0.tgz
- ❌ axios-1.15.2.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked. This vulnerability is fixed in 0.32.0 and 1.16.0.
Publish Date: 2026-06-11
URL: CVE-2026-44492
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-pjwm-pj3p-43mv
Release Date: 2026-05-31
Fix Resolution: axios - 1.16.0,axios - 0.32.0,axios - 1.16.0,axios - 0.32.0
Step up your Open Source Security Game with Mend here
CVE-2026-44728
Vulnerable Library - plugin-transform-modules-systemjs-7.29.0.tgz
This plugin transforms ES2015 modules to SystemJS
Library home page: https://registry.npmjs.org/@babel/plugin-transform-modules-systemjs/-/plugin-transform-modules-systemjs-7.29.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- workspace-tools-1.295.61.tgz
- js-22.6.0.tgz
- preset-env-7.29.3.tgz
- ❌ plugin-transform-modules-systemjs-7.29.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.
Publish Date: 2026-05-26
URL: CVE-2026-44728
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-fv7c-fp4j-7gwp
Release Date: 2026-05-09
Fix Resolution: @babel/plugin-transform-modules-systemjs - 8.0.0-alpha.13,@babel/plugin-transform-modules-systemjs - 7.29.4
Step up your Open Source Security Game with Mend here
CVE-2026-6322
Vulnerable Library - fast-uri-3.1.0.tgz
Dependency-free RFC 3986 URI toolbox
Library home page: https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- workspace-tools-1.295.61.tgz
- api-extractor-7.58.7.tgz
- tsdoc-config-0.18.1.tgz
- ajv-8.18.0.tgz
- ❌ fast-uri-3.1.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.
Publish Date: 2026-05-05
URL: CVE-2026-6322
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-05
Fix Resolution: fast-uri - 3.1.2,https://github.com/fastify/fast-uri.git - v3.1.2
Step up your Open Source Security Game with Mend here
CVE-2026-6321
Vulnerable Library - fast-uri-3.1.0.tgz
Dependency-free RFC 3986 URI toolbox
Library home page: https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- workspace-tools-1.295.61.tgz
- api-extractor-7.58.7.tgz
- tsdoc-config-0.18.1.tgz
- ajv-8.18.0.tgz
- ❌ fast-uri-3.1.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.
Publish Date: 2026-05-04
URL: CVE-2026-6321
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-q3j6-qgpj-74h6
Release Date: 2026-05-04
Fix Resolution: fast-uri - 3.1.1
Step up your Open Source Security Game with Mend here
CVE-2026-59887
Vulnerable Library - linkify-it-5.0.0.tgz
Library home page: https://registry.npmjs.org/linkify-it/-/linkify-it-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- workspace-tools-1.295.61.tgz
- markdownlint-cli2-0.17.2.tgz
- markdownlint-0.37.4.tgz
- markdown-it-14.1.1.tgz
- ❌ linkify-it-5.0.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
linkify-it is a links recognition library with full Unicode support. Prior to 5.0.2, the mailto: schema validator used by .test() and .match() can be invoked at every mailto: occurrence and scan the remaining input through src_email_name in lib/re.mjs, causing O(n^2) CPU consumption on crafted user text. This issue is fixed in version 5.0.2.
Publish Date: 2026-07-08
URL: CVE-2026-59887
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v245-v573-v5vm
Release Date: 2026-07-08
Fix Resolution: linkify-it - 5.0.2,https://github.com/markdown-it/linkify-it.git - 5.0.2
Step up your Open Source Security Game with Mend here
CVE-2026-59869
Vulnerable Library - js-yaml-4.1.0.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- workspace-tools-1.295.61.tgz
- markdownlint-cli2-0.17.2.tgz
- ❌ js-yaml-4.1.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in versions 3.15.0 and 4.3.0.
Publish Date: 2026-07-08
URL: CVE-2026-59869
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-07-08
Fix Resolution: https://github.com/nodeca/js-yaml.git - 3.15.0,https://github.com/nodeca/js-yaml.git - 4.3.0,js-yaml - 4.3.0,js-yaml - 3.15.0,js-yaml - 4.3.0,js-yaml - 3.15.0
Step up your Open Source Security Game with Mend here
CVE-2026-48801
Vulnerable Library - linkify-it-5.0.0.tgz
Library home page: https://registry.npmjs.org/linkify-it/-/linkify-it-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- workspace-tools-1.295.61.tgz
- markdownlint-cli2-0.17.2.tgz
- markdownlint-0.37.4.tgz
- markdown-it-14.1.1.tgz
- ❌ linkify-it-5.0.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Summary "LinkifyIt.prototype.match" — the package's primary public API — has O(N²) algorithmic complexity for inputs containing many fuzzy links or emails. This is not a regex backtrack bug; it's a structural issue in the JS-level scan loop that re-slices the input and re-runs unanchored regex searches on progressively shorter tails, N times. 64 KB of ""a@b.com\n"" repeated burns ~2.5 s of single-threaded CPU; 128 KB takes ~10 s. Doubling the input quadruples the time — textbook O(N²). The same cost passes through "markdown-it" ("linkify:true") unmodified. Any service that synchronously renders untrusted Markdown with linkify enabled on a request hot-path (forums, comments, chat, wikis, AI chat UIs) inherits a worker-process DoS triggerable by a tens-of-KB request body. Affected component - HEAD audited: "8e887d5bace3f5b09b1d1f70492fa0364ef1793d" (v5.0.0) - Vulnerable function: "LinkifyIt.prototype.match" — "index.mjs:528-554" - Re-scan call sites inside "test()": "index.mjs:444" (fuzzy host search), ":448" (fuzzy link match), ":467" (fuzzy email match) - Transitive consumer: "markdown-it" (~21.6M weekly npm DLs) calls "linkify.match()" at "lib/rules_core/linkify.mjs:57" when "linkify:true" - All versions affected — the vulnerable loop exists since the initial commit (2014) through v5.0.0 Vulnerability details The O(N²) outer loop "index.mjs:528-554": LinkifyIt.prototype.match = function match (text) { const result = [] let shift = 0 let tail = shift ? text.slice(shift) : text while (this.test(tail)) { result.push(createMatch(this, shift)) tail = tail.slice(this.last_index) // <-- re-allocates remaining tail each iteration shift += this.last_index } if (result.length) return result return null } The loop iterates O(N) times (once per match). Each iteration: 1. "tail.slice()" re-allocates a string of length "|text| - shift" — O(N) per iteration 2. "this.test(tail)" runs three unanchored regex searches over the full new "tail": // index.mjs:444 — full-tail search tld_pos = text.search(this.re.host_fuzzy_test) // index.mjs:448 — full-tail match ml = text.match(this.re.link_fuzzy) // index.mjs:467 — full-tail match me = text.match(this.re.email_fuzzy) Total cost: "Σ(N - i*c) for i=0..N = O(N²)". Contrast with the linear schema branch The schema-prefixed scan in the same "test()" function does it correctly at "index.mjs:428-440": re = this.re.schema_search re.lastIndex = 0 while ((m = re.exec(text)) !== null) { ... } That branch uses a "g"-flag RegExp and advances "lastIndex" — linear. The fuzzy branches don't follow this pattern. Proof of concept mkdir /tmp/linkifyit-redos && cd /tmp/linkifyit-redos npm install linkify-it@5.0.0 cat > poc.mjs <<'EOF' import LinkifyIt from 'linkify-it' const l = new LinkifyIt() for (const n of [1000, 2000, 4000, 8000, 16000]) { const evil = 'a@b.com\n'.repeat(n) const t0 = process.hrtime.bigint() l.match(evil) const ms = Number(process.hrtime.bigint() - t0) / 1e6 console.log("n=${n} bytes=${evil.length} took ${ms.toFixed(0)} ms") } EOF node poc.mjs Measured output (Node v25.5.0, Apple Silicon) n=1000 bytes=8000 took 44 ms n=2000 bytes=16000 took 159 ms n=4000 bytes=32000 took 628 ms n=8000 bytes=64000 took 2506 ms n=16000 bytes=128000 took 9948 ms Doubling N → ~4× wall-clock, consistent with O(N²). markdown-it transitive (independently confirmed) npm install markdown-it@14.1.1 node -e " const md = require('markdown-it')({ linkify: true }) for (const n of [1000, 2000, 4000, 8000]) { const evil = 'a@b.com '.repeat(n) const t0 = process.hrtime.bigint() md.render(evil) const ms = Number(process.hrtime.bigint() - t0) / 1e6 console.log('n=' + n + ' bytes=' + evil.length + ' md.render=' + ms.toFixed(0) + 'ms') } " n=1000 bytes=8000 md.render=45ms n=2000 bytes=16000 md.render=171ms n=4000 bytes=32000 md.render=672ms n=8000 bytes=64000 md.render=2636ms Same quadratic curve. 64 KB is enough to burn 2.6 s in "markdown-it.render()". Impact - Availability (High): A single HTTP request containing tens of KB of repeated email-like strings blocks one worker thread for seconds to tens of seconds. Under moderate concurrency (10-50 requests), the entire rendering tier of an affected service is wedged. - No confidentiality or integrity impact. Real-world scenario: Any service that renders untrusted Markdown with "linkify:true" on the request path — Discourse, Mattermost, GitLab CE, AI chat UIs (Open WebUI, LibreChat), wiki/note apps using markdown-it — receives a post/comment containing 64 KB of ""a@b.com "". The render call blocks the worker for 2.5+ seconds. Scripted at scale, this wedges the rendering tier. Suggested remediation The fix is algorithmic — convert the outer scan loop to stateful regex iteration so each character is examined a constant number of times: 1. Add the "g" flag to "email_fuzzy", "link_fuzzy", "link_no_ip_fuzzy", "host_fuzzy_test" in "lib/re.mjs" 2. Rewrite "test()" (or add "testAt(text, pos)") so fuzzy branches set "re.lastIndex = pos" and call "re.exec(text)" instead of "text.match()"/"text.search()" on a sliced tail 3. In "match()", drop "tail = tail.slice(...)" entirely — advance a "pos" offset instead The schema branch at "index.mjs:428-440" is already structured this way — it's the in-repo precedent for the fix. // proposed sketch LinkifyIt.prototype.match = function match (text) { const result = [] let pos = 0 while (this.testAt(text, pos)) { result.push(createMatch(this, 0)) pos = this.last_index } return result.length ? result : null } Total cost becomes O(N): each character scanned at most once per regex across the whole loop. Duplicate-risk analysis - Zero GHSAs on "linkify-it" ("gh api /repos/markdown-it/linkify-it/security-advisories" → "[]") - Zero OSV entries ("api.osv.dev/v1/query" → "{}") - markdown-it's only GHSA (CVE-2022-21670, "Possible ReDOS in newline rule") targets markdown-it's own newline regex, not the linkify pipeline This finding appears novel. Note to maintainers Since "markdown-it" is the dominant consumer and shares maintainership (Vitaly Puzrin), a patched "linkify-it" release should be paired with a "markdown-it" minor that pins the new minimum version.
Publish Date: 2026-07-01
URL: CVE-2026-48801
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-22p9-wv53-3rq4
Release Date: 2026-07-01
Fix Resolution: linkify-it - 5.0.1
Step up your Open Source Security Game with Mend here
CVE-2026-44705
Vulnerable Library - tmp-0.2.4.tgz
Temporary file and directory creator
Library home page: https://registry.npmjs.org/tmp/-/tmp-0.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- nx-22.7.1.tgz
- ❌ tmp-0.2.4.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.
Publish Date: 2026-06-11
URL: CVE-2026-44705
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/raszi/node-tmp.git - v0.2.6
Step up your Open Source Security Game with Mend here
CVE-2026-44496
Vulnerable Libraries - axios-1.15.2.tgz, axios-1.15.0.tgz
axios-1.15.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- workspace-tools-1.295.61.tgz
- devkit-22.6.0.tgz
- nx-22.6.0.tgz
- ❌ axios-1.15.2.tgz (Vulnerable Library)
axios-1.15.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- nx-22.7.1.tgz
- ❌ axios-1.15.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause expensive regex backtracking while axios reads document.cookie. The practical impact is client-side availability degradation, such as freezing the affected browser tab while axios prepares a request. The issue does not affect ordinary Node.js HTTP adapter usage, React Native, or web workers, where axios does not read document.cookie. This vulnerability is fixed in 0.32.0 and 1.16.0.
Publish Date: 2026-06-11
URL: CVE-2026-44496
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-hfxv-24rg-xrqf
Release Date: 2026-06-04
Fix Resolution: axios - 1.16.0,axios - 0.32.0,axios - 1.16.0,axios - 0.32.0
Step up your Open Source Security Game with Mend here
CVE-2026-44488
Vulnerable Libraries - axios-1.15.2.tgz, axios-1.15.0.tgz
axios-1.15.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- workspace-tools-1.295.61.tgz
- devkit-22.6.0.tgz
- nx-22.6.0.tgz
- ❌ axios-1.15.2.tgz (Vulnerable Library)
axios-1.15.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- nx-22.7.1.tgz
- ❌ axios-1.15.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured. This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary. This vulnerability is fixed in 0.32.0 and 1.16.0.
Publish Date: 2026-06-11
URL: CVE-2026-44488
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-777c-7fjr-54vf
Release Date: 2026-06-04
Fix Resolution: axios - 1.16.0,axios - 1.16.0
Step up your Open Source Security Game with Mend here
CVE-2026-44487
Vulnerable Libraries - axios-1.15.2.tgz, axios-1.15.0.tgz
axios-1.15.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- workspace-tools-1.295.61.tgz
- devkit-22.6.0.tgz
- nx-22.6.0.tgz
- ❌ axios-1.15.2.tgz (Vulnerable Library)
axios-1.15.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- nx-22.7.1.tgz
- ❌ axios-1.15.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0.
Publish Date: 2026-06-11
URL: CVE-2026-44487
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-p92q-9vqr-4j8v
Release Date: 2026-06-04
Fix Resolution: axios - 1.16.0,axios - 0.32.0,axios - 1.16.0,axios - 0.32.0
Step up your Open Source Security Game with Mend here
CVE-2026-44486
Vulnerable Libraries - axios-1.15.2.tgz, axios-1.15.0.tgz
axios-1.15.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- workspace-tools-1.295.61.tgz
- devkit-22.6.0.tgz
- nx-22.6.0.tgz
- ❌ axios-1.15.2.tgz (Vulnerable Library)
axios-1.15.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- nx-22.7.1.tgz
- ❌ axios-1.15.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the stale Proxy-Authorization header can remain on the redirected request and be sent to the redirect target. This affects Node.js's use of Axios with automatic redirects enabled and an authenticated proxy configuration. Browser adapters are not affected. This vulnerability is fixed in 0.32.0 and 1.16.0.
Publish Date: 2026-06-11
URL: CVE-2026-44486
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-j5f8-grm9-p9fc
Release Date: 2026-06-04
Fix Resolution: axios - 0.32.0,axios - 1.16.0,axios - 1.16.0,axios - 0.32.0
Step up your Open Source Security Game with Mend here
CVE-2026-33671
Vulnerable Library - picomatch-4.0.2.tgz
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- workspace-tools-1.295.61.tgz
- js-22.6.0.tgz
- ❌ picomatch-4.0.2.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as "+()" and "()", especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to "picomatch" for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to "picomatch". Possible mitigations include disabling extglob support for untrusted patterns by using "noextglob: true", rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as "+()" and "()", enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.
Publish Date: 2026-03-26
URL: CVE-2026-33671
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/micromatch/picomatch.git - 3.0.2,https://github.com/micromatch/picomatch.git - 4.0.4,https://github.com/micromatch/picomatch.git - 2.3.2
Step up your Open Source Security Game with Mend here
CVE-2026-13676
Vulnerable Library - fast-uri-3.1.0.tgz
Dependency-free RFC 3986 URI toolbox
Library home page: https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- workspace-tools-1.295.61.tgz
- api-extractor-7.58.7.tgz
- tsdoc-config-0.18.1.tgz
- ajv-8.18.0.tgz
- ❌ fast-uri-3.1.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.
Publish Date: 2026-06-29
URL: CVE-2026-13676
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4c8g-83qw-93j6
Release Date: 2026-06-29
Fix Resolution: fast-uri - 3.1.3,fast-uri - 4.0.1
Step up your Open Source Security Game with Mend here
CVE-2026-13149
Vulnerable Libraries - brace-expansion-5.0.2.tgz, brace-expansion-5.0.5.tgz
brace-expansion-5.0.2.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- nx-22.7.1.tgz
- ❌ brace-expansion-5.0.2.tgz (Vulnerable Library)
brace-expansion-5.0.5.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- devkit-22.7.1.tgz
- minimatch-10.2.4.tgz
- ❌ brace-expansion-5.0.5.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work.
Publish Date: 2026-06-30
URL: CVE-2026-13149
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-30
Fix Resolution: brace-expansion - 5.0.7,https://github.com/juliangruber/brace-expansion.git - v5.0.7
Step up your Open Source Security Game with Mend here
CVE-2026-12143
Vulnerable Library - form-data-4.0.5.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/tools-nx-0.0.1.tgz (Root Library)
- nx-22.7.1.tgz
- ❌ form-data-4.0.5.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the "field" argument to "FormData#append" and the "filename" option are concatenated verbatim into the "Content-Disposition" header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set "is_admin=true") seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and """ as "%0D", "%0A", and "%22" in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.
Publish Date: 2026-06-12
URL: CVE-2026-12143
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://github.com/form-data/form-data/security/advisories/GHSA-fjwh-7mfq-fhwh
Release Date: 2026-06-12
Fix Resolution: form-data - 3.0.5,form-data - 2.5.6,form-data - 4.0.6
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Libraries - axios-1.15.0.tgz, axios-1.15.2.tgz
axios-1.15.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
axios-1.15.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.
Publish Date: 2026-06-11
URL: CVE-2026-44494
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-35jp-ww65-95wh
Release Date: 2026-05-31
Fix Resolution: axios - 1.16.0,axios - 1.16.0
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - axios-1.15.0.tgz, axios-1.15.2.tgz
axios-1.15.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
axios-1.15.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked. This vulnerability is fixed in 0.32.0 and 1.16.0.
Publish Date: 2026-06-11
URL: CVE-2026-44492
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-pjwm-pj3p-43mv
Release Date: 2026-05-31
Fix Resolution: axios - 1.16.0,axios - 0.32.0,axios - 1.16.0,axios - 0.32.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - plugin-transform-modules-systemjs-7.29.0.tgz
This plugin transforms ES2015 modules to SystemJS
Library home page: https://registry.npmjs.org/@babel/plugin-transform-modules-systemjs/-/plugin-transform-modules-systemjs-7.29.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.
Publish Date: 2026-05-26
URL: CVE-2026-44728
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-fv7c-fp4j-7gwp
Release Date: 2026-05-09
Fix Resolution: @babel/plugin-transform-modules-systemjs - 8.0.0-alpha.13,@babel/plugin-transform-modules-systemjs - 7.29.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - fast-uri-3.1.0.tgz
Dependency-free RFC 3986 URI toolbox
Library home page: https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.
Publish Date: 2026-05-05
URL: CVE-2026-6322
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-05
Fix Resolution: fast-uri - 3.1.2,https://github.com/fastify/fast-uri.git - v3.1.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - fast-uri-3.1.0.tgz
Dependency-free RFC 3986 URI toolbox
Library home page: https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.
Publish Date: 2026-05-04
URL: CVE-2026-6321
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-q3j6-qgpj-74h6
Release Date: 2026-05-04
Fix Resolution: fast-uri - 3.1.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - linkify-it-5.0.0.tgz
Library home page: https://registry.npmjs.org/linkify-it/-/linkify-it-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
linkify-it is a links recognition library with full Unicode support. Prior to 5.0.2, the mailto: schema validator used by .test() and .match() can be invoked at every mailto: occurrence and scan the remaining input through src_email_name in lib/re.mjs, causing O(n^2) CPU consumption on crafted user text. This issue is fixed in version 5.0.2.
Publish Date: 2026-07-08
URL: CVE-2026-59887
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-v245-v573-v5vm
Release Date: 2026-07-08
Fix Resolution: linkify-it - 5.0.2,https://github.com/markdown-it/linkify-it.git - 5.0.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - js-yaml-4.1.0.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in versions 3.15.0 and 4.3.0.
Publish Date: 2026-07-08
URL: CVE-2026-59869
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-07-08
Fix Resolution: https://github.com/nodeca/js-yaml.git - 3.15.0,https://github.com/nodeca/js-yaml.git - 4.3.0,js-yaml - 4.3.0,js-yaml - 3.15.0,js-yaml - 4.3.0,js-yaml - 3.15.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - linkify-it-5.0.0.tgz
Library home page: https://registry.npmjs.org/linkify-it/-/linkify-it-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Summary "LinkifyIt.prototype.match" — the package's primary public API — has O(N²) algorithmic complexity for inputs containing many fuzzy links or emails. This is not a regex backtrack bug; it's a structural issue in the JS-level scan loop that re-slices the input and re-runs unanchored regex searches on progressively shorter tails, N times. 64 KB of ""a@b.com\n"" repeated burns ~2.5 s of single-threaded CPU; 128 KB takes ~10 s. Doubling the input quadruples the time — textbook O(N²). The same cost passes through "markdown-it" ("linkify:true") unmodified. Any service that synchronously renders untrusted Markdown with linkify enabled on a request hot-path (forums, comments, chat, wikis, AI chat UIs) inherits a worker-process DoS triggerable by a tens-of-KB request body. Affected component - HEAD audited: "8e887d5bace3f5b09b1d1f70492fa0364ef1793d" (v5.0.0) - Vulnerable function: "LinkifyIt.prototype.match" — "index.mjs:528-554" - Re-scan call sites inside "test()": "index.mjs:444" (fuzzy host search), ":448" (fuzzy link match), ":467" (fuzzy email match) - Transitive consumer: "markdown-it" (~21.6M weekly npm DLs) calls "linkify.match()" at "lib/rules_core/linkify.mjs:57" when "linkify:true" - All versions affected — the vulnerable loop exists since the initial commit (2014) through v5.0.0 Vulnerability details The O(N²) outer loop "index.mjs:528-554": LinkifyIt.prototype.match = function match (text) { const result = [] let shift = 0 let tail = shift ? text.slice(shift) : text while (this.test(tail)) { result.push(createMatch(this, shift)) tail = tail.slice(this.last_index) // <-- re-allocates remaining tail each iteration shift += this.last_index } if (result.length) return result return null } The loop iterates O(N) times (once per match). Each iteration: 1. "tail.slice()" re-allocates a string of length "|text| - shift" — O(N) per iteration 2. "this.test(tail)" runs three unanchored regex searches over the full new "tail": // index.mjs:444 — full-tail search tld_pos = text.search(this.re.host_fuzzy_test) // index.mjs:448 — full-tail match ml = text.match(this.re.link_fuzzy) // index.mjs:467 — full-tail match me = text.match(this.re.email_fuzzy) Total cost: "Σ(N - i*c) for i=0..N = O(N²)". Contrast with the linear schema branch The schema-prefixed scan in the same "test()" function does it correctly at "index.mjs:428-440": re = this.re.schema_search re.lastIndex = 0 while ((m = re.exec(text)) !== null) { ... } That branch uses a "g"-flag RegExp and advances "lastIndex" — linear. The fuzzy branches don't follow this pattern. Proof of concept mkdir /tmp/linkifyit-redos && cd /tmp/linkifyit-redos npm install linkify-it@5.0.0 cat > poc.mjs <<'EOF' import LinkifyIt from 'linkify-it' const l = new LinkifyIt() for (const n of [1000, 2000, 4000, 8000, 16000]) { const evil = 'a@b.com\n'.repeat(n) const t0 = process.hrtime.bigint() l.match(evil) const ms = Number(process.hrtime.bigint() - t0) / 1e6 console.log("n=${n} bytes=${evil.length} took ${ms.toFixed(0)} ms") } EOF node poc.mjs Measured output (Node v25.5.0, Apple Silicon) n=1000 bytes=8000 took 44 ms n=2000 bytes=16000 took 159 ms n=4000 bytes=32000 took 628 ms n=8000 bytes=64000 took 2506 ms n=16000 bytes=128000 took 9948 ms Doubling N → ~4× wall-clock, consistent with O(N²). markdown-it transitive (independently confirmed) npm install markdown-it@14.1.1 node -e " const md = require('markdown-it')({ linkify: true }) for (const n of [1000, 2000, 4000, 8000]) { const evil = 'a@b.com '.repeat(n) const t0 = process.hrtime.bigint() md.render(evil) const ms = Number(process.hrtime.bigint() - t0) / 1e6 console.log('n=' + n + ' bytes=' + evil.length + ' md.render=' + ms.toFixed(0) + 'ms') } " n=1000 bytes=8000 md.render=45ms n=2000 bytes=16000 md.render=171ms n=4000 bytes=32000 md.render=672ms n=8000 bytes=64000 md.render=2636ms Same quadratic curve. 64 KB is enough to burn 2.6 s in "markdown-it.render()". Impact - Availability (High): A single HTTP request containing tens of KB of repeated email-like strings blocks one worker thread for seconds to tens of seconds. Under moderate concurrency (10-50 requests), the entire rendering tier of an affected service is wedged. - No confidentiality or integrity impact. Real-world scenario: Any service that renders untrusted Markdown with "linkify:true" on the request path — Discourse, Mattermost, GitLab CE, AI chat UIs (Open WebUI, LibreChat), wiki/note apps using markdown-it — receives a post/comment containing 64 KB of ""a@b.com "". The render call blocks the worker for 2.5+ seconds. Scripted at scale, this wedges the rendering tier. Suggested remediation The fix is algorithmic — convert the outer scan loop to stateful regex iteration so each character is examined a constant number of times: 1. Add the "g" flag to "email_fuzzy", "link_fuzzy", "link_no_ip_fuzzy", "host_fuzzy_test" in "lib/re.mjs" 2. Rewrite "test()" (or add "testAt(text, pos)") so fuzzy branches set "re.lastIndex = pos" and call "re.exec(text)" instead of "text.match()"/"text.search()" on a sliced tail 3. In "match()", drop "tail = tail.slice(...)" entirely — advance a "pos" offset instead The schema branch at "index.mjs:428-440" is already structured this way — it's the in-repo precedent for the fix. // proposed sketch LinkifyIt.prototype.match = function match (text) { const result = [] let pos = 0 while (this.testAt(text, pos)) { result.push(createMatch(this, 0)) pos = this.last_index } return result.length ? result : null } Total cost becomes O(N): each character scanned at most once per regex across the whole loop. Duplicate-risk analysis - Zero GHSAs on "linkify-it" ("gh api /repos/markdown-it/linkify-it/security-advisories" → "[]") - Zero OSV entries ("api.osv.dev/v1/query" → "{}") - markdown-it's only GHSA (CVE-2022-21670, "Possible ReDOS in newline rule") targets markdown-it's own newline regex, not the linkify pipeline This finding appears novel. Note to maintainers Since "markdown-it" is the dominant consumer and shares maintainership (Vitaly Puzrin), a patched "linkify-it" release should be paired with a "markdown-it" minor that pins the new minimum version.
Publish Date: 2026-07-01
URL: CVE-2026-48801
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-22p9-wv53-3rq4
Release Date: 2026-07-01
Fix Resolution: linkify-it - 5.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - tmp-0.2.4.tgz
Temporary file and directory creator
Library home page: https://registry.npmjs.org/tmp/-/tmp-0.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.
Publish Date: 2026-06-11
URL: CVE-2026-44705
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/raszi/node-tmp.git - v0.2.6
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - axios-1.15.2.tgz, axios-1.15.0.tgz
axios-1.15.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
axios-1.15.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause expensive regex backtracking while axios reads document.cookie. The practical impact is client-side availability degradation, such as freezing the affected browser tab while axios prepares a request. The issue does not affect ordinary Node.js HTTP adapter usage, React Native, or web workers, where axios does not read document.cookie. This vulnerability is fixed in 0.32.0 and 1.16.0.
Publish Date: 2026-06-11
URL: CVE-2026-44496
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-hfxv-24rg-xrqf
Release Date: 2026-06-04
Fix Resolution: axios - 1.16.0,axios - 0.32.0,axios - 1.16.0,axios - 0.32.0
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - axios-1.15.2.tgz, axios-1.15.0.tgz
axios-1.15.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
axios-1.15.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured. This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary. This vulnerability is fixed in 0.32.0 and 1.16.0.
Publish Date: 2026-06-11
URL: CVE-2026-44488
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-777c-7fjr-54vf
Release Date: 2026-06-04
Fix Resolution: axios - 1.16.0,axios - 1.16.0
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - axios-1.15.2.tgz, axios-1.15.0.tgz
axios-1.15.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
axios-1.15.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0.
Publish Date: 2026-06-11
URL: CVE-2026-44487
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-p92q-9vqr-4j8v
Release Date: 2026-06-04
Fix Resolution: axios - 1.16.0,axios - 0.32.0,axios - 1.16.0,axios - 0.32.0
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - axios-1.15.2.tgz, axios-1.15.0.tgz
axios-1.15.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
axios-1.15.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the stale Proxy-Authorization header can remain on the redirected request and be sent to the redirect target. This affects Node.js's use of Axios with automatic redirects enabled and an authenticated proxy configuration. Browser adapters are not affected. This vulnerability is fixed in 0.32.0 and 1.16.0.
Publish Date: 2026-06-11
URL: CVE-2026-44486
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-j5f8-grm9-p9fc
Release Date: 2026-06-04
Fix Resolution: axios - 0.32.0,axios - 1.16.0,axios - 1.16.0,axios - 0.32.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - picomatch-4.0.2.tgz
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as "+()" and "()", especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to "picomatch" for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to "picomatch". Possible mitigations include disabling extglob support for untrusted patterns by using "noextglob: true", rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as "+()" and "()", enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.
Publish Date: 2026-03-26
URL: CVE-2026-33671
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/micromatch/picomatch.git - 3.0.2,https://github.com/micromatch/picomatch.git - 4.0.4,https://github.com/micromatch/picomatch.git - 2.3.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - fast-uri-3.1.0.tgz
Dependency-free RFC 3986 URI toolbox
Library home page: https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.
Publish Date: 2026-06-29
URL: CVE-2026-13676
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4c8g-83qw-93j6
Release Date: 2026-06-29
Fix Resolution: fast-uri - 3.1.3,fast-uri - 4.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - brace-expansion-5.0.2.tgz, brace-expansion-5.0.5.tgz
brace-expansion-5.0.2.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
brace-expansion-5.0.5.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work.
Publish Date: 2026-06-30
URL: CVE-2026-13149
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-06-30
Fix Resolution: brace-expansion - 5.0.7,https://github.com/juliangruber/brace-expansion.git - v5.0.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - form-data-4.0.5.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the "field" argument to "FormData#append" and the "filename" option are concatenated verbatim into the "Content-Disposition" header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set "is_admin=true") seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and """ as "%0D", "%0A", and "%22" in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.
Publish Date: 2026-06-12
URL: CVE-2026-12143
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/form-data/form-data/security/advisories/GHSA-fjwh-7mfq-fhwh
Release Date: 2026-06-12
Fix Resolution: form-data - 3.0.5,form-data - 2.5.6,form-data - 4.0.6
Step up your Open Source Security Game with Mend here