
fix #129 (Open)

wants to merge 7 commits into master

Conversation

tzurielweisberg (Owner)

No description provided.

"license": "ISC",
"dependencies": {
"bad-words": "^3.0.0",
"express": "^4.17.1",

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2024-45590
Check Name: body-parser: Denial of Service Vulnerability in body-parser
Severity: HIGH
Fixed Version: 1.20.3
Reachable Path(s) Found: No
Description: body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
(This package is used under: [email protected]>[email protected])
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2024-45590

"license": "ISC",
"dependencies": {
"bad-words": "^3.0.0",
"express": "^4.17.1",

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2024-47764
Check Name: cookie: cookie accepts cookie name, path, and domain with out of bounds characters
Severity: LOW
Fixed Version: 0.7.0
Reachable Path(s) Found: No
Description: cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
(This package is used under: [email protected]>[email protected])
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2024-47764

"dependencies": {
"bad-words": "^3.0.0",
"express": "^4.17.1",
"socket.io": "^2.4.0"

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2024-47764
Check Name: cookie: cookie accepts cookie name, path, and domain with out of bounds characters
Severity: LOW
Fixed Version: 0.7.0
Reachable Path(s) Found: No
Description: cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
(This package is used under: [email protected]>[email protected]>[email protected])
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2024-47764

"dependencies": {
"bad-words": "^3.0.0",
"express": "^4.17.1",
"socket.io": "^2.4.0"

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2017-16137
Check Name: nodejs-debug: Regular expression Denial of Service
Severity: LOW
Fixed Version: 2.6.9, 3.1.0, 3.2.7, 4.3.1
Reachable Path(s) Found: No
Description: The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
(This package is used under: [email protected]>[email protected])
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2017-16137

"dependencies": {
"bad-words": "^3.0.0",
"express": "^4.17.1",
"socket.io": "^2.4.0"

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2020-36048
Check Name: yarnpkg-socket.io/engine.io: allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport
Severity: HIGH
Fixed Version: 3.6.0
Reachable Path(s) Found: No
Description: Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
(This package is used under: [email protected]>[email protected])
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2020-36048

"dependencies": {
"bad-words": "^3.0.0",
"express": "^4.17.1",
"socket.io": "^2.4.0"

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-41940
Check Name: engine.io: Specially crafted HTTP request can trigger an uncaught exception
Severity: MEDIUM
Fixed Version: 3.6.1, 6.2.1
Reachable Path(s) Found: No
Description: Engine.IO is the implementation of the transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who use dependent packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.
(This package is used under: [email protected]>[email protected])
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-41940

"license": "ISC",
"dependencies": {
"bad-words": "^3.0.0",
"express": "^4.17.1",

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2024-29041
Check Name: express: cause malformed URLs to be evaluated
Severity: MEDIUM
Fixed Version: 4.19.2, 5.0.0-beta.3
Reachable Path(s) Found: No
Description: Express.js is a minimalist web framework for Node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL, Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location(), but this is also called from within res.redirect(). The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.
(This package is used under: [email protected])
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2024-29041

"license": "ISC",
"dependencies": {
"bad-words": "^3.0.0",
"express": "^4.17.1",

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2024-43796
Check Name: express: Improper Input Handling in Express Redirects
Severity: MEDIUM
Fixed Version: 4.20.0, 5.0.0
Reachable Path(s) Found: No
Description: Express.js is a minimalist web framework for Node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
(This package is used under: [email protected])
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2024-43796

"license": "ISC",
"dependencies": {
"bad-words": "^3.0.0",
"express": "^4.17.1",

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2024-45296
Check Name: path-to-regexp: Backtracking regular expressions cause ReDoS
Severity: HIGH
Fixed Version: 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0
Reachable Path(s) Found: No
Description: path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
(This package is used under: [email protected]>[email protected])
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2024-45296

"license": "ISC",
"dependencies": {
"bad-words": "^3.0.0",
"express": "^4.17.1",

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-24999
Check Name: express: "qs" prototype poisoning causes the hang of the node process
Severity: HIGH
Fixed Version: 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4
Reachable Path(s) Found: No
Description: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).
(This package is used under: [email protected]>[email protected])
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-24999

"license": "ISC",
"dependencies": {
"bad-words": "^3.0.0",
"express": "^4.17.1",

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2024-43799
Check Name: send: Code Execution Vulnerability in Send Library
Severity: MEDIUM
Fixed Version: 0.19.0
Reachable Path(s) Found: No
Description: Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.
(This package is used under: [email protected]>[email protected])
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2024-43799

"license": "ISC",
"dependencies": {
"bad-words": "^3.0.0",
"express": "^4.17.1",

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2024-43800
Check Name: serve-static: Improper Sanitization in serve-static
Severity: MEDIUM
Fixed Version: 1.16.0, 2.1.0
Reachable Path(s) Found: No
Description: serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect(), which may execute untrusted code. This issue is patched in serve-static 1.16.0.
(This package is used under: [email protected]>[email protected])
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2024-43800

"dependencies": {
"bad-words": "^3.0.0",
"express": "^4.17.1",
"socket.io": "^2.4.0"

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2024-38355
Check Name: socket.io: Unhandled 'error' event
Severity: HIGH
Fixed Version: 2.5.1, 4.6.2
Reachable Path(s) Found: No
Description: Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit 15af22fc22 which has been included in [email protected] (released in May 2023). The fix was backported in the 2.x branch as well with commit d30630ba10. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.
(This package is used under: [email protected])
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2024-38355

"dependencies": {
"bad-words": "^3.0.0",
"express": "^4.17.1",
"socket.io": "^2.4.0"

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-2421
Check Name: Insufficient validation when decoding a Socket.IO packet
Severity: CRITICAL
Fixed Version: 4.0.5, 4.2.1, 3.3.3, 3.4.2
Reachable Path(s) Found: No
Description: Due to improper type validation in attachment parsing in the Socket.io js library, it is possible to overwrite the _placeholder object, which allows an attacker to place references to functions at arbitrary places in the resulting query object.
(This package is used under: [email protected]>[email protected]>[email protected])
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-2421

"dependencies": {
"bad-words": "^3.0.0",
"express": "^4.17.1",
"socket.io": "^2.4.0"

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2023-32695
Check Name: socket.io parser is a socket.io encoder and decoder written in JavaScr ...
Severity: HIGH
Fixed Version: 4.2.3, 3.4.3, 3.3.4
Reachable Path(s) Found: No
Description: socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.
(This package is used under: [email protected]>[email protected]>[email protected])
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2023-32695

"dependencies": {
"bad-words": "^3.0.0",
"express": "^4.17.1",
"socket.io": "^2.4.0"

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-2421
Check Name: Insufficient validation when decoding a Socket.IO packet
Severity: CRITICAL
Fixed Version: 4.0.5, 4.2.1, 3.3.3, 3.4.2
Reachable Path(s) Found: No
Description: Due to improper type validation in attachment parsing in the Socket.io js library, it is possible to overwrite the _placeholder object, which allows an attacker to place references to functions at arbitrary places in the resulting query object.
(This package is used under: [email protected]>[email protected])
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-2421

"dependencies": {
"bad-words": "^3.0.0",
"express": "^4.17.1",
"socket.io": "^2.4.0"

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2023-32695
Check Name: socket.io parser is a socket.io encoder and decoder written in JavaScr ...
Severity: HIGH
Fixed Version: 4.2.3, 3.4.3, 3.3.4
Reachable Path(s) Found: No
Description: socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.
(This package is used under: [email protected]>[email protected])
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2023-32695

"dependencies": {
"bad-words": "^3.0.0",
"express": "^4.17.1",
"socket.io": "^2.4.0"

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2024-37890
Check Name: nodejs-ws: denial of service when handling a request with many HTTP headers
Severity: HIGH
Fixed Version: 5.2.4, 6.2.3, 7.5.10, 8.17.1
Reachable Path(s) Found: No
Description: ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and [email protected] (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
(This package is used under: [email protected]>[email protected]>[email protected])
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2024-37890
