Skip to content

@⁠stryke/tools-nx-0.0.1.tgz: 43 vulnerabilities (highest severity is: 8.7) #244

Description

@mend-bolt-for-github
Vulnerable Library - @⁠stryke/tools-nx-0.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (@⁠stryke/tools-nx version) Remediation Possible**
CVE-2026-44494 High 8.7 detected in multiple dependencies Transitive N/A*
CVE-2026-44492 High 8.6 detected in multiple dependencies Transitive N/A*
CVE-2026-44728 High 8.2 plugin-transform-modules-systemjs-7.29.0.tgz Transitive N/A*
CVE-2026-6322 High 7.5 fast-uri-3.1.0.tgz Transitive N/A*
CVE-2026-6321 High 7.5 fast-uri-3.1.0.tgz Transitive N/A*
CVE-2026-59887 High 7.5 linkify-it-5.0.0.tgz Transitive N/A*
CVE-2026-59869 High 7.5 js-yaml-4.1.0.tgz Transitive N/A*
CVE-2026-48801 High 7.5 linkify-it-5.0.0.tgz Transitive N/A*
CVE-2026-44705 High 7.5 tmp-0.2.4.tgz Transitive N/A*
CVE-2026-44496 High 7.5 detected in multiple dependencies Transitive N/A*
CVE-2026-44488 High 7.5 detected in multiple dependencies Transitive N/A*
CVE-2026-44487 High 7.5 detected in multiple dependencies Transitive N/A*
CVE-2026-44486 High 7.5 detected in multiple dependencies Transitive N/A*
CVE-2026-33671 High 7.5 picomatch-4.0.2.tgz Transitive N/A*
CVE-2026-13676 High 7.5 fast-uri-3.1.0.tgz Transitive N/A*
CVE-2026-13149 High 7.5 detected in multiple dependencies Transitive N/A*
CVE-2026-12143 High 7.5 form-data-4.0.5.tgz Transitive N/A*
CVE-2026-42264 High 7.4 axios-1.15.0.tgz Transitive N/A*
CVE-2026-42035 High 7.4 axios-1.15.0.tgz Transitive N/A*
CVE-2026-42033 High 7.4 axios-1.15.0.tgz Transitive N/A*
CVE-2026-42043 High 7.2 axios-1.15.0.tgz Transitive N/A*
CVE-2026-44495 High 7.0 axios-1.15.0.tgz Transitive N/A*
CVE-2026-42038 Medium 6.8 axios-1.15.0.tgz Transitive N/A*
CVE-2026-45149 Medium 6.5 detected in multiple dependencies Transitive N/A*
CVE-2026-42044 Medium 6.5 axios-1.15.0.tgz Transitive N/A*
CVE-2026-33750 Medium 6.5 brace-expansion-5.0.2.tgz Transitive N/A*
CVE-2026-54753 Medium 5.9 detected in multiple dependencies Transitive N/A*
CVE-2026-42042 Medium 5.4 axios-1.15.0.tgz Transitive N/A*
CVE-2026-53550 Medium 5.3 js-yaml-4.1.0.tgz Transitive N/A*
CVE-2026-48988 Medium 5.3 markdown-it-14.1.1.tgz Transitive N/A*
CVE-2026-42039 Medium 5.3 axios-1.15.0.tgz Transitive N/A*
CVE-2026-42037 Medium 5.3 axios-1.15.0.tgz Transitive N/A*
CVE-2026-42036 Medium 5.3 axios-1.15.0.tgz Transitive N/A*
CVE-2026-42034 Medium 5.3 axios-1.15.0.tgz Transitive N/A*
CVE-2026-33672 Medium 5.3 picomatch-4.0.2.tgz Transitive N/A*
CVE-2025-64718 Medium 5.3 js-yaml-4.1.0.tgz Transitive N/A*
CVE-2026-44490 Medium 4.8 detected in multiple dependencies Transitive N/A*
CVE-2026-42041 Medium 4.8 axios-1.15.0.tgz Transitive N/A*
CVE-2026-9358 Medium 4.3 postcss-selector-parser-7.1.1.tgz Transitive N/A*
CVE-2026-33532 Medium 4.3 yaml-2.8.0.tgz Transitive N/A*
CVE-2026-44489 Low 3.7 axios-1.15.2.tgz Transitive N/A*
CVE-2026-42040 Low 3.7 axios-1.15.0.tgz Transitive N/A*
CVE-2026-49356 Low 3.2 core-7.29.0.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (17 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2026-44494

Vulnerable Libraries - axios-1.15.0.tgz, axios-1.15.2.tgz

axios-1.15.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-1.15.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • nx-22.7.1.tgz
      • axios-1.15.0.tgz (Vulnerable Library)

axios-1.15.2.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • workspace-tools-1.295.61.tgz
      • devkit-22.6.0.tgz
        • nx-22.6.0.tgz
          • axios-1.15.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.

Publish Date: 2026-06-11

URL: CVE-2026-44494

CVSS 3 Score Details (8.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jp-ww65-95wh

Release Date: 2026-05-31

Fix Resolution: axios - 1.16.0,axios - 1.16.0

Step up your Open Source Security Game with Mend here

CVE-2026-44492

Vulnerable Libraries - axios-1.15.0.tgz, axios-1.15.2.tgz

axios-1.15.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-1.15.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • nx-22.7.1.tgz
      • axios-1.15.0.tgz (Vulnerable Library)

axios-1.15.2.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • workspace-tools-1.295.61.tgz
      • devkit-22.6.0.tgz
        • nx-22.6.0.tgz
          • axios-1.15.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked. This vulnerability is fixed in 0.32.0 and 1.16.0.

Publish Date: 2026-06-11

URL: CVE-2026-44492

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pjwm-pj3p-43mv

Release Date: 2026-05-31

Fix Resolution: axios - 1.16.0,axios - 0.32.0,axios - 1.16.0,axios - 0.32.0

Step up your Open Source Security Game with Mend here

CVE-2026-44728

Vulnerable Library - plugin-transform-modules-systemjs-7.29.0.tgz

This plugin transforms ES2015 modules to SystemJS

Library home page: https://registry.npmjs.org/@⁠babel/plugin-transform-modules-systemjs/-/plugin-transform-modules-systemjs-7.29.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • workspace-tools-1.295.61.tgz
      • js-22.6.0.tgz
        • preset-env-7.29.3.tgz
          • plugin-transform-modules-systemjs-7.29.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.

Publish Date: 2026-05-26

URL: CVE-2026-44728

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fv7c-fp4j-7gwp

Release Date: 2026-05-09

Fix Resolution: @⁠babel/plugin-transform-modules-systemjs - 8.0.0-alpha.13,@⁠babel/plugin-transform-modules-systemjs - 7.29.4

Step up your Open Source Security Game with Mend here

CVE-2026-6322

Vulnerable Library - fast-uri-3.1.0.tgz

Dependency-free RFC 3986 URI toolbox

Library home page: https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • workspace-tools-1.295.61.tgz
      • api-extractor-7.58.7.tgz
        • tsdoc-config-0.18.1.tgz
          • ajv-8.18.0.tgz
            • fast-uri-3.1.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.

Publish Date: 2026-05-05

URL: CVE-2026-6322

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-05

Fix Resolution: fast-uri - 3.1.2,https://github.com/fastify/fast-uri.git - v3.1.2

Step up your Open Source Security Game with Mend here

CVE-2026-6321

Vulnerable Library - fast-uri-3.1.0.tgz

Dependency-free RFC 3986 URI toolbox

Library home page: https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • workspace-tools-1.295.61.tgz
      • api-extractor-7.58.7.tgz
        • tsdoc-config-0.18.1.tgz
          • ajv-8.18.0.tgz
            • fast-uri-3.1.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.

Publish Date: 2026-05-04

URL: CVE-2026-6321

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q3j6-qgpj-74h6

Release Date: 2026-05-04

Fix Resolution: fast-uri - 3.1.1

Step up your Open Source Security Game with Mend here

CVE-2026-59887

Vulnerable Library - linkify-it-5.0.0.tgz

Library home page: https://registry.npmjs.org/linkify-it/-/linkify-it-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • workspace-tools-1.295.61.tgz
      • markdownlint-cli2-0.17.2.tgz
        • markdownlint-0.37.4.tgz
          • markdown-it-14.1.1.tgz
            • linkify-it-5.0.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

linkify-it is a links recognition library with full Unicode support. Prior to 5.0.2, the mailto: schema validator used by .test() and .match() can be invoked at every mailto: occurrence and scan the remaining input through src_email_name in lib/re.mjs, causing O(n^2) CPU consumption on crafted user text. This issue is fixed in version 5.0.2.

Publish Date: 2026-07-08

URL: CVE-2026-59887

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-v245-v573-v5vm

Release Date: 2026-07-08

Fix Resolution: linkify-it - 5.0.2,https://github.com/markdown-it/linkify-it.git - 5.0.2

Step up your Open Source Security Game with Mend here

CVE-2026-59869

Vulnerable Library - js-yaml-4.1.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • workspace-tools-1.295.61.tgz
      • markdownlint-cli2-0.17.2.tgz
        • js-yaml-4.1.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in versions 3.15.0 and 4.3.0.

Publish Date: 2026-07-08

URL: CVE-2026-59869

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-07-08

Fix Resolution: https://github.com/nodeca/js-yaml.git - 3.15.0,https://github.com/nodeca/js-yaml.git - 4.3.0,js-yaml - 4.3.0,js-yaml - 3.15.0,js-yaml - 4.3.0,js-yaml - 3.15.0

Step up your Open Source Security Game with Mend here

CVE-2026-48801

Vulnerable Library - linkify-it-5.0.0.tgz

Library home page: https://registry.npmjs.org/linkify-it/-/linkify-it-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • workspace-tools-1.295.61.tgz
      • markdownlint-cli2-0.17.2.tgz
        • markdownlint-0.37.4.tgz
          • markdown-it-14.1.1.tgz
            • linkify-it-5.0.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Summary "LinkifyIt.prototype.match" — the package's primary public API — has O(N²) algorithmic complexity for inputs containing many fuzzy links or emails. This is not a regex backtrack bug; it's a structural issue in the JS-level scan loop that re-slices the input and re-runs unanchored regex searches on progressively shorter tails, N times. 64 KB of ""a@b.com\n"" repeated burns ~2.5 s of single-threaded CPU; 128 KB takes ~10 s. Doubling the input quadruples the time — textbook O(N²). The same cost passes through "markdown-it" ("linkify:true") unmodified. Any service that synchronously renders untrusted Markdown with linkify enabled on a request hot-path (forums, comments, chat, wikis, AI chat UIs) inherits a worker-process DoS triggerable by a tens-of-KB request body. Affected component - HEAD audited: "8e887d5bace3f5b09b1d1f70492fa0364ef1793d" (v5.0.0) - Vulnerable function: "LinkifyIt.prototype.match" — "index.mjs:528-554" - Re-scan call sites inside "test()": "index.mjs:444" (fuzzy host search), ":448" (fuzzy link match), ":467" (fuzzy email match) - Transitive consumer: "markdown-it" (~21.6M weekly npm DLs) calls "linkify.match()" at "lib/rules_core/linkify.mjs:57" when "linkify:true" - All versions affected — the vulnerable loop exists since the initial commit (2014) through v5.0.0 Vulnerability details The O(N²) outer loop "index.mjs:528-554": LinkifyIt.prototype.match = function match (text) { const result = [] let shift = 0 let tail = shift ? text.slice(shift) : text while (this.test(tail)) { result.push(createMatch(this, shift)) tail = tail.slice(this.last_index) // <-- re-allocates remaining tail each iteration shift += this.last_index } if (result.length) return result return null } The loop iterates O(N) times (once per match). Each iteration: 1. "tail.slice()" re-allocates a string of length "|text| - shift" — O(N) per iteration 2. "this.test(tail)" runs three unanchored regex searches over the full new "tail": // index.mjs:444 — full-tail search tld_pos = text.search(this.re.host_fuzzy_test) // index.mjs:448 — full-tail match ml = text.match(this.re.link_fuzzy) // index.mjs:467 — full-tail match me = text.match(this.re.email_fuzzy) Total cost: "Σ(N - i*c) for i=0..N = O(N²)". Contrast with the linear schema branch The schema-prefixed scan in the same "test()" function does it correctly at "index.mjs:428-440": re = this.re.schema_search re.lastIndex = 0 while ((m = re.exec(text)) !== null) { ... } That branch uses a "g"-flag RegExp and advances "lastIndex" — linear. The fuzzy branches don't follow this pattern. Proof of concept mkdir /tmp/linkifyit-redos && cd /tmp/linkifyit-redos npm install linkify-it@5.0.0 cat > poc.mjs <<'EOF' import LinkifyIt from 'linkify-it' const l = new LinkifyIt() for (const n of [1000, 2000, 4000, 8000, 16000]) { const evil = 'a@b.com\n'.repeat(n) const t0 = process.hrtime.bigint() l.match(evil) const ms = Number(process.hrtime.bigint() - t0) / 1e6 console.log("n=${n} bytes=${evil.length} took ${ms.toFixed(0)} ms") } EOF node poc.mjs Measured output (Node v25.5.0, Apple Silicon) n=1000 bytes=8000 took 44 ms n=2000 bytes=16000 took 159 ms n=4000 bytes=32000 took 628 ms n=8000 bytes=64000 took 2506 ms n=16000 bytes=128000 took 9948 ms Doubling N → ~4× wall-clock, consistent with O(N²). markdown-it transitive (independently confirmed) npm install markdown-it@14.1.1 node -e " const md = require('markdown-it')({ linkify: true }) for (const n of [1000, 2000, 4000, 8000]) { const evil = 'a@b.com '.repeat(n) const t0 = process.hrtime.bigint() md.render(evil) const ms = Number(process.hrtime.bigint() - t0) / 1e6 console.log('n=' + n + ' bytes=' + evil.length + ' md.render=' + ms.toFixed(0) + 'ms') } " n=1000 bytes=8000 md.render=45ms n=2000 bytes=16000 md.render=171ms n=4000 bytes=32000 md.render=672ms n=8000 bytes=64000 md.render=2636ms Same quadratic curve. 64 KB is enough to burn 2.6 s in "markdown-it.render()". Impact - Availability (High): A single HTTP request containing tens of KB of repeated email-like strings blocks one worker thread for seconds to tens of seconds. Under moderate concurrency (10-50 requests), the entire rendering tier of an affected service is wedged. - No confidentiality or integrity impact. Real-world scenario: Any service that renders untrusted Markdown with "linkify:true" on the request path — Discourse, Mattermost, GitLab CE, AI chat UIs (Open WebUI, LibreChat), wiki/note apps using markdown-it — receives a post/comment containing 64 KB of ""a@b.com "". The render call blocks the worker for 2.5+ seconds. Scripted at scale, this wedges the rendering tier. Suggested remediation The fix is algorithmic — convert the outer scan loop to stateful regex iteration so each character is examined a constant number of times: 1. Add the "g" flag to "email_fuzzy", "link_fuzzy", "link_no_ip_fuzzy", "host_fuzzy_test" in "lib/re.mjs" 2. Rewrite "test()" (or add "testAt(text, pos)") so fuzzy branches set "re.lastIndex = pos" and call "re.exec(text)" instead of "text.match()"/"text.search()" on a sliced tail 3. In "match()", drop "tail = tail.slice(...)" entirely — advance a "pos" offset instead The schema branch at "index.mjs:428-440" is already structured this way — it's the in-repo precedent for the fix. // proposed sketch LinkifyIt.prototype.match = function match (text) { const result = [] let pos = 0 while (this.testAt(text, pos)) { result.push(createMatch(this, 0)) pos = this.last_index } return result.length ? result : null } Total cost becomes O(N): each character scanned at most once per regex across the whole loop. Duplicate-risk analysis - Zero GHSAs on "linkify-it" ("gh api /repos/markdown-it/linkify-it/security-advisories" → "[]") - Zero OSV entries ("api.osv.dev/v1/query" → "{}") - markdown-it's only GHSA (CVE-2022-21670, "Possible ReDOS in newline rule") targets markdown-it's own newline regex, not the linkify pipeline This finding appears novel. Note to maintainers Since "markdown-it" is the dominant consumer and shares maintainership (Vitaly Puzrin), a patched "linkify-it" release should be paired with a "markdown-it" minor that pins the new minimum version.

Publish Date: 2026-07-01

URL: CVE-2026-48801

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-22p9-wv53-3rq4

Release Date: 2026-07-01

Fix Resolution: linkify-it - 5.0.1

Step up your Open Source Security Game with Mend here

CVE-2026-44705

Vulnerable Library - tmp-0.2.4.tgz

Temporary file and directory creator

Library home page: https://registry.npmjs.org/tmp/-/tmp-0.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • nx-22.7.1.tgz
      • tmp-0.2.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.

Publish Date: 2026-06-11

URL: CVE-2026-44705

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-27

Fix Resolution: https://github.com/raszi/node-tmp.git - v0.2.6

Step up your Open Source Security Game with Mend here

CVE-2026-44496

Vulnerable Libraries - axios-1.15.2.tgz, axios-1.15.0.tgz

axios-1.15.2.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • workspace-tools-1.295.61.tgz
      • devkit-22.6.0.tgz
        • nx-22.6.0.tgz
          • axios-1.15.2.tgz (Vulnerable Library)

axios-1.15.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-1.15.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • nx-22.7.1.tgz
      • axios-1.15.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause expensive regex backtracking while axios reads document.cookie. The practical impact is client-side availability degradation, such as freezing the affected browser tab while axios prepares a request. The issue does not affect ordinary Node.js HTTP adapter usage, React Native, or web workers, where axios does not read document.cookie. This vulnerability is fixed in 0.32.0 and 1.16.0.

Publish Date: 2026-06-11

URL: CVE-2026-44496

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hfxv-24rg-xrqf

Release Date: 2026-06-04

Fix Resolution: axios - 1.16.0,axios - 0.32.0,axios - 1.16.0,axios - 0.32.0

Step up your Open Source Security Game with Mend here

CVE-2026-44488

Vulnerable Libraries - axios-1.15.2.tgz, axios-1.15.0.tgz

axios-1.15.2.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • workspace-tools-1.295.61.tgz
      • devkit-22.6.0.tgz
        • nx-22.6.0.tgz
          • axios-1.15.2.tgz (Vulnerable Library)

axios-1.15.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-1.15.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • nx-22.7.1.tgz
      • axios-1.15.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured. This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary. This vulnerability is fixed in 0.32.0 and 1.16.0.

Publish Date: 2026-06-11

URL: CVE-2026-44488

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-777c-7fjr-54vf

Release Date: 2026-06-04

Fix Resolution: axios - 1.16.0,axios - 1.16.0

Step up your Open Source Security Game with Mend here

CVE-2026-44487

Vulnerable Libraries - axios-1.15.2.tgz, axios-1.15.0.tgz

axios-1.15.2.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • workspace-tools-1.295.61.tgz
      • devkit-22.6.0.tgz
        • nx-22.6.0.tgz
          • axios-1.15.2.tgz (Vulnerable Library)

axios-1.15.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-1.15.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • nx-22.7.1.tgz
      • axios-1.15.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0.

Publish Date: 2026-06-11

URL: CVE-2026-44487

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p92q-9vqr-4j8v

Release Date: 2026-06-04

Fix Resolution: axios - 1.16.0,axios - 0.32.0,axios - 1.16.0,axios - 0.32.0

Step up your Open Source Security Game with Mend here

CVE-2026-44486

Vulnerable Libraries - axios-1.15.2.tgz, axios-1.15.0.tgz

axios-1.15.2.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • workspace-tools-1.295.61.tgz
      • devkit-22.6.0.tgz
        • nx-22.6.0.tgz
          • axios-1.15.2.tgz (Vulnerable Library)

axios-1.15.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-1.15.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • nx-22.7.1.tgz
      • axios-1.15.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the stale Proxy-Authorization header can remain on the redirected request and be sent to the redirect target. This affects Node.js's use of Axios with automatic redirects enabled and an authenticated proxy configuration. Browser adapters are not affected. This vulnerability is fixed in 0.32.0 and 1.16.0.

Publish Date: 2026-06-11

URL: CVE-2026-44486

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-j5f8-grm9-p9fc

Release Date: 2026-06-04

Fix Resolution: axios - 0.32.0,axios - 1.16.0,axios - 1.16.0,axios - 0.32.0

Step up your Open Source Security Game with Mend here

CVE-2026-33671

Vulnerable Library - picomatch-4.0.2.tgz

Library home page: https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • workspace-tools-1.295.61.tgz
      • js-22.6.0.tgz
        • picomatch-4.0.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as "+()" and "()", especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to "picomatch" for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to "picomatch". Possible mitigations include disabling extglob support for untrusted patterns by using "noextglob: true", rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as "+()" and "()", enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.

Publish Date: 2026-03-26

URL: CVE-2026-33671

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-25

Fix Resolution: https://github.com/micromatch/picomatch.git - 3.0.2,https://github.com/micromatch/picomatch.git - 4.0.4,https://github.com/micromatch/picomatch.git - 2.3.2

Step up your Open Source Security Game with Mend here

CVE-2026-13676

Vulnerable Library - fast-uri-3.1.0.tgz

Dependency-free RFC 3986 URI toolbox

Library home page: https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • workspace-tools-1.295.61.tgz
      • api-extractor-7.58.7.tgz
        • tsdoc-config-0.18.1.tgz
          • ajv-8.18.0.tgz
            • fast-uri-3.1.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.

Publish Date: 2026-06-29

URL: CVE-2026-13676

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4c8g-83qw-93j6

Release Date: 2026-06-29

Fix Resolution: fast-uri - 3.1.3,fast-uri - 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2026-13149

Vulnerable Libraries - brace-expansion-5.0.2.tgz, brace-expansion-5.0.5.tgz

brace-expansion-5.0.2.tgz

Brace expansion as known from sh/bash

Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • nx-22.7.1.tgz
      • brace-expansion-5.0.2.tgz (Vulnerable Library)

brace-expansion-5.0.5.tgz

Brace expansion as known from sh/bash

Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • devkit-22.7.1.tgz
      • minimatch-10.2.4.tgz
        • brace-expansion-5.0.5.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work.

Publish Date: 2026-06-30

URL: CVE-2026-13149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-06-30

Fix Resolution: brace-expansion - 5.0.7,https://github.com/juliangruber/brace-expansion.git - v5.0.7

Step up your Open Source Security Game with Mend here

CVE-2026-12143

Vulnerable Library - form-data-4.0.5.tgz

A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.

Library home page: https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @⁠stryke/tools-nx-0.0.1.tgz (Root Library)
    • nx-22.7.1.tgz
      • form-data-4.0.5.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the "field" argument to "FormData#append" and the "filename" option are concatenated verbatim into the "Content-Disposition" header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set "is_admin=true") seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and """ as "%0D", "%0A", and "%22" in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.

Publish Date: 2026-06-12

URL: CVE-2026-12143

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/form-data/form-data/security/advisories/GHSA-fjwh-7mfq-fhwh

Release Date: 2026-06-12

Fix Resolution: form-data - 3.0.5,form-data - 2.5.6,form-data - 4.0.6

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions