Vulnerable Library - sdk-core-0.5.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Vulnerabilities
CVE |
Severity |
CVSS |
Dependency |
Type |
Fixed in (sdk-core version) |
Remediation Possible** |
CVE-2023-43646 |
High |
8.6 |
get-func-name-2.0.0.tgz |
Transitive |
N/A* |
โ |
CVE-2024-45590 |
High |
7.5 |
body-parser-1.20.1.tgz |
Transitive |
N/A* |
โ |
CVE-2024-45296 |
High |
7.5 |
path-to-regexp-0.1.7.tgz |
Transitive |
N/A* |
โ |
CVE-2024-37890 |
High |
7.5 |
ws-3.3.3.tgz |
Transitive |
N/A* |
โ |
CVE-2024-21505 |
High |
7.5 |
detected in multiple dependencies |
Transitive |
N/A* |
โ |
CVE-2023-30542 |
Medium |
6.8 |
contracts-4.7.3.tgz |
Transitive |
N/A* |
โ |
CVE-2024-28863 |
Medium |
6.5 |
tar-4.4.19.tgz |
Transitive |
N/A* |
โ |
CVE-2024-27094 |
Medium |
6.5 |
contracts-4.7.3.tgz |
Transitive |
N/A* |
โ |
CVE-2023-46234 |
Medium |
6.5 |
browserify-sign-4.2.1.tgz |
Transitive |
N/A* |
โ |
CVE-2023-26136 |
Medium |
6.5 |
tough-cookie-2.5.0.tgz |
Transitive |
N/A* |
โ |
CVE-2024-29041 |
Medium |
6.1 |
express-4.18.2.tgz |
Transitive |
N/A* |
โ |
CVE-2023-28155 |
Medium |
6.1 |
request-2.88.2.tgz |
Transitive |
N/A* |
โ |
CVE-2023-40014 |
Medium |
5.3 |
contracts-4.7.3.tgz |
Transitive |
N/A* |
โ |
CVE-2023-34459 |
Medium |
5.3 |
contracts-4.7.3.tgz |
Transitive |
N/A* |
โ |
CVE-2023-34234 |
Medium |
5.3 |
contracts-4.7.3.tgz |
Transitive |
N/A* |
โ |
CVE-2023-30541 |
Medium |
5.3 |
contracts-4.7.3.tgz |
Transitive |
N/A* |
โ |
CVE-2022-33987 |
Medium |
5.3 |
got-9.6.0.tgz |
Transitive |
N/A* |
โ |
CVE-2022-25901 |
Medium |
5.3 |
cookiejar-2.1.3.tgz |
Transitive |
N/A* |
โ |
CVE-2022-25883 |
Medium |
5.3 |
detected in multiple dependencies |
Transitive |
N/A* |
โ |
CVE-2022-25881 |
Medium |
5.3 |
http-cache-semantics-4.1.0.tgz |
Transitive |
N/A* |
โ |
CVE-2020-7608 |
Medium |
5.3 |
yargs-parser-2.4.1.tgz |
Transitive |
N/A* |
โ |
CVE-2024-43796 |
Medium |
5.0 |
express-4.18.2.tgz |
Transitive |
N/A* |
โ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-43646
Vulnerable Library - get-func-name-2.0.0.tgz
Utility for getting a function's name for node and the browser
Library home page: https://registry.npmjs.org/get-func-name/-/get-func-name-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- web3-helpers-0.5.3.tgz
- test-helpers-0.5.16.tgz
- chai-4.3.6.tgz
- โ get-func-name-2.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
get-func-name is a module to retrieve a function's name securely and consistently both in NodeJS and the browser. Versions prior to 2.0.1 are subject to a regular expression denial of service (redos) vulnerability which may lead to a denial of service when parsing malicious input. This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input: '\t'.repeat(54773) + '\t/function/i'. This issue has been addressed in commit f934b228b
which has been included in releases from 2.0.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2023-09-26
URL: CVE-2023-43646
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4q6p-r6v2-jvc5
Release Date: 2023-09-27
Fix Resolution: get-func-name - 2.0.1,3.0.0
Step up your Open Source Security Game with Mend here
CVE-2024-45590
Vulnerable Library - body-parser-1.20.1.tgz
Node.js body parsing middleware
Library home page: https://registry.npmjs.org/body-parser/-/body-parser-1.20.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- contract-4.5.23.tgz
- web3-1.7.4.tgz
- web3-bzz-1.7.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- servify-0.1.12.tgz
- โ body-parser-1.20.1.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
Publish Date: 2024-09-10
URL: CVE-2024-45590
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-qwcr-r2fm-qrc7
Release Date: 2024-09-10
Fix Resolution: body-parser - 1.20.3
Step up your Open Source Security Game with Mend here
CVE-2024-45296
Vulnerable Library - path-to-regexp-0.1.7.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- contract-4.5.23.tgz
- web3-1.7.4.tgz
- web3-bzz-1.7.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- servify-0.1.12.tgz
- express-4.18.2.tgz
- โ path-to-regexp-0.1.7.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Publish Date: 2024-09-09
URL: CVE-2024-45296
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9wv6-86v2-598j
Release Date: 2024-09-09
Fix Resolution: path-to-regexp - 0.1.10,8.0.0
Step up your Open Source Security Game with Mend here
CVE-2024-37890
Vulnerable Library - ws-3.3.3.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-3.3.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- contract-4.5.23.tgz
- web3-1.7.4.tgz
- web3-bzz-1.7.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- โ ws-3.3.3.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and [email protected] (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: 2024-06-17
URL: CVE-2024-37890
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-3h5v-q93c-6h6q
Release Date: 2024-06-17
Fix Resolution: ws - 5.2.4,6.2.3,7.5.10,8.17.1
Step up your Open Source Security Game with Mend here
CVE-2024-21505
Vulnerable Libraries - web3-utils-1.8.0.tgz, web3-utils-1.7.4.tgz
web3-utils-1.8.0.tgz
Collection of utility functions used in web3.js.
Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.8.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- web3-helpers-0.5.3.tgz
- โ web3-utils-1.8.0.tgz (Vulnerable Library)
web3-utils-1.7.4.tgz
Collection of utility functions used in web3.js.
Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.7.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- contract-4.5.23.tgz
- โ web3-utils-1.7.4.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge.
An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.
Publish Date: 2024-03-25
URL: CVE-2024-21505
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21505
Release Date: 2024-03-25
Fix Resolution: web3-utils - 4.2.1
Step up your Open Source Security Game with Mend here
CVE-2023-30542
Vulnerable Library - contracts-4.7.3.tgz
Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- โ contracts-4.7.3.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (propose
) in GovernorCompatibilityBravo
allows the creation of proposals with a signatures
array shorter than the calldatas
array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The ProposalCreated
event correctly represents what will eventually execute, but the proposal parameters as queried through getActions
appear to respect the original intended calldata. This issue has been patched in 4.8.3. As a workaround, ensure that all proposals that pass through governance have equal length signatures
and calldatas
parameters.
Publish Date: 2023-04-16
URL: CVE-2023-30542
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-93hq-5wgc-jc82
Release Date: 2023-04-16
Fix Resolution: @openzeppelin/contracts - 4.8.3;@openzeppelin/contracts-upgradeable - 4.8.3
Step up your Open Source Security Game with Mend here
CVE-2024-28863
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- contract-4.5.23.tgz
- web3-1.7.4.tgz
- web3-bzz-1.7.4.tgz
- swarm-js-0.1.42.tgz
- โ tar-4.4.19.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
Publish Date: 2024-03-21
URL: CVE-2024-28863
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-f5x3-32g6-xq36
Release Date: 2024-03-21
Fix Resolution: tar - 6.2.1
Step up your Open Source Security Game with Mend here
CVE-2024-27094
Vulnerable Library - contracts-4.7.3.tgz
Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- โ contracts-4.7.3.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
OpenZeppelin Contracts is a library for secure smart contract development. The Base64.encode
function encodes a bytes
input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The vulnerability is fixed in 5.0.2 and 4.9.6.
Publish Date: 2024-02-29
URL: CVE-2024-27094
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2024-02-29
Fix Resolution: @openzeppelin/contracts - 4.9.6,5.0.2, @openzeppelin/contracts-upgradeable - 4.9.6,5.0.2
Step up your Open Source Security Game with Mend here
CVE-2023-46234
Vulnerable Library - browserify-sign-4.2.1.tgz
adds node crypto signing for browsers
Library home page: https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- browserify-17.0.0.tgz
- crypto-browserify-3.12.0.tgz
- โ browserify-sign-4.2.1.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in dsaVerify
function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.
Publish Date: 2023-10-26
URL: CVE-2023-46234
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-x9w5-v3q2-3rhw
Release Date: 2023-10-26
Fix Resolution: browserify-sign - 4.2.2
Step up your Open Source Security Game with Mend here
CVE-2023-26136
Vulnerable Library - tough-cookie-2.5.0.tgz
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- contract-4.5.23.tgz
- web3-1.7.4.tgz
- web3-bzz-1.7.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- servify-0.1.12.tgz
- request-2.88.2.tgz
- โ tough-cookie-2.5.0.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution: tough-cookie - 4.1.3
Step up your Open Source Security Game with Mend here
CVE-2024-29041
Vulnerable Library - express-4.18.2.tgz
Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- contract-4.5.23.tgz
- web3-1.7.4.tgz
- web3-bzz-1.7.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- servify-0.1.12.tgz
- โ express-4.18.2.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl
on the contents before passing it to the location
header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location()
but this is also called from within res.redirect()
. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.
Publish Date: 2024-03-25
URL: CVE-2024-29041
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-rv95-896h-c2vc
Release Date: 2024-03-25
Fix Resolution: express - 4.19.0
Step up your Open Source Security Game with Mend here
CVE-2023-28155
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- contract-4.5.23.tgz
- web3-1.7.4.tgz
- web3-bzz-1.7.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- servify-0.1.12.tgz
- โ request-2.88.2.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
Step up your Open Source Security Game with Mend here
CVE-2023-40014
Vulnerable Library - contracts-4.7.3.tgz
Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- โ contracts-4.7.3.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using ERC2771Context
along with a custom trusted forwarder may see _msgSender
return address(0)
in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common, in particular it is not the case for MinimalForwarder
from OpenZeppelin Contracts, or any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders. The problem has been patched in v4.9.3.
Publish Date: 2023-08-10
URL: CVE-2023-40014
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-g4vp-m682-qqmp
Release Date: 2023-08-10
Fix Resolution: @openzeppelin/contracts - 4.9.3;@openzeppelin/contracts-upgradeable - 4.9.3
Step up your Open Source Security Game with Mend here
CVE-2023-34459
Vulnerable Library - contracts-4.7.3.tgz
Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- โ contracts-4.7.3.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the verifyMultiProof
, verifyMultiProofCalldata
, procesprocessMultiProof
, or processMultiProofCalldat
functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves.
A contract may be vulnerable if it uses multiproofs for verification and the merkle tree that is processed includes a node with value 0 at depth 1 (just under the root). This could happen inadvertedly for balanced trees with 3 leaves or less, if the leaves are not hashed. This could happen deliberately if a malicious tree builder includes such a node in the tree.
A contract is not vulnerable if it uses single-leaf proving (verify
, verifyCalldata
, processProof
, or processProofCalldata
), or if it uses multiproofs with a known tree that has hashed leaves. Standard merkle trees produced or validated with the @openzeppelin/merkle-tree library are safe.
The problem has been patched in version 4.9.2.
Some workarounds are available. For those using multiproofs: When constructing merkle trees hash the leaves and do not insert empty nodes in your trees. Using the @openzeppelin/merkle-tree package eliminates this issue. Do not accept user-provided merkle roots without reconstructing at least the first level of the tree. Verify the merkle tree structure by reconstructing it from the leaves.
Publish Date: 2023-06-16
URL: CVE-2023-34459
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-34459
Release Date: 2023-06-16
Fix Resolution: @openzeppelin/contracts - 4.9.2, @openzeppelin/contracts-upgradeable - 4.9.2
Step up your Open Source Security Game with Mend here
CVE-2023-34234
Vulnerable Library - contracts-4.7.3.tgz
Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- โ contracts-4.7.3.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the Governor
contract in v4.9.0 only, and the GovernorCompatibilityBravo
contract since v4.3.0. This problem has been patched in 4.9.1 by introducing opt-in frontrunning protection. Users are advised to upgrade. Users unable to upgrade may submit the proposal creation transaction to an endpoint with frontrunning protection as a workaround.
Publish Date: 2023-06-07
URL: CVE-2023-34234
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5h3x-9wvq-w4m2
Release Date: 2023-06-07
Fix Resolution: @openzeppelin/contracts-upgradeable - 4.9.1;@openzeppelin/contracts - 4.9.1
Step up your Open Source Security Game with Mend here
CVE-2023-30541
Vulnerable Library - contracts-4.7.3.tgz
Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- โ contracts-4.7.3.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
OpenZeppelin Contracts is a library for secure smart contract development. A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata. The probability of an accidental clash is negligible, but one could be caused deliberately and could cause a reduction in availability. The issue has been fixed in version 4.8.3. As a workaround if a function appears to be inaccessible for this reason, it may be possible to craft the calldata such that ABI decoding does not fail at the proxy and the function is properly proxied through.
Publish Date: 2023-04-17
URL: CVE-2023-30541
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-mx2q-35m2-x2rh
Release Date: 2023-04-17
Fix Resolution: @openzeppelin/contracts - 4.8.3, @openzeppelin/contracts-upgradeable - 4.8.3
Step up your Open Source Security Game with Mend here
CVE-2022-33987
Vulnerable Library - got-9.6.0.tgz
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- contract-4.5.23.tgz
- web3-1.7.4.tgz
- web3-bzz-1.7.4.tgz
- โ got-9.6.0.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution: got - 11.8.5,12.1.0
Step up your Open Source Security Game with Mend here
CVE-2022-25901
Vulnerable Library - cookiejar-2.1.3.tgz
simple persistent cookiejar system
Library home page: https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- contract-4.5.23.tgz
- web3-1.7.4.tgz
- web3-core-1.7.4.tgz
- web3-core-requestmanager-1.7.4.tgz
- web3-providers-http-1.7.4.tgz
- xhr2-cookies-1.1.0.tgz
- โ cookiejar-2.1.3.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.
Publish Date: 2023-01-18
URL: CVE-2022-25901
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2023-01-18
Fix Resolution: cookiejar - 2.1.4
Step up your Open Source Security Game with Mend here
CVE-2022-25883
Vulnerable Libraries - semver-7.3.7.tgz, semver-5.7.1.tgz
semver-7.3.7.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- contract-4.5.23.tgz
- debug-utils-6.0.39.tgz
- codec-0.14.8.tgz
- โ semver-7.3.7.tgz (Vulnerable Library)
semver-5.7.1.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- web3-helpers-0.5.3.tgz
- test-helpers-0.5.16.tgz
- โ semver-5.7.1.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2
Step up your Open Source Security Game with Mend here
CVE-2022-25881
Vulnerable Library - http-cache-semantics-4.1.0.tgz
Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- contract-4.5.23.tgz
- web3-1.7.4.tgz
- web3-bzz-1.7.4.tgz
- got-9.6.0.tgz
- cacheable-request-6.1.0.tgz
- โ http-cache-semantics-4.1.0.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: 2023-01-31
URL: CVE-2022-25881
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-rc47-6667-2j5j
Release Date: 2023-01-31
Fix Resolution: http-cache-semantics - 4.1.1;org.webjars.npm:http-cache-semantics:4.1.1
Step up your Open Source Security Game with Mend here
CVE-2020-7608
Vulnerable Library - yargs-parser-2.4.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-2.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- contract-4.5.23.tgz
- ensjs-2.1.0.tgz
- ens-0.4.5.tgz
- solc-0.4.26.tgz
- yargs-4.8.1.tgz
- โ yargs-parser-2.4.1.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1
Step up your Open Source Security Game with Mend here
CVE-2024-43796
Vulnerable Library - express-4.18.2.tgz
Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
- ethereum-contracts-1.4.2.tgz
- contract-4.5.23.tgz
- web3-1.7.4.tgz
- web3-bzz-1.7.4.tgz
- swarm-js-0.1.42.tgz
- eth-lib-0.1.29.tgz
- servify-0.1.12.tgz
- โ express-4.18.2.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
Publish Date: 2024-09-10
URL: CVE-2024-43796
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-qw6h-vgh9-j6wx
Release Date: 2024-09-10
Fix Resolution: express - 4.20.0,5.0.0
Step up your Open Source Security Game with Mend here