Description
Vulnerable Library - workbox-webpack-plugin-6.5.3.tgz
Path to dependency file: /baak-vizualization/package.json
Path to vulnerable library: /baak-vizualization/node_modules/filelist/node_modules/brace-expansion/package.json,/achilles-frontend/node_modules/filelist/node_modules/brace-expansion/package.json
Found in HEAD commit: 11d21c5fccd238699f5c2bd3370cb76b77ce750a
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (workbox-webpack-plugin version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-3517 |  High |
7.5 | Not Defined | 0.4% | minimatch-3.0.4.tgz | Transitive | N/A* | ❌ |
|
| CVE-2024-47068 |  Medium |
6.1 | Not Defined | 0.0% | rollup-2.74.1.tgz | Transitive | 6.5.4 | ✅ |
|
| CVE-2022-25883 | Medium |
5.3 | Proof of concept | 0.3% | semver-5.7.1.tgz | Transitive | 6.5.4 | ✅ |
|
| CVE-2023-45133 |  Critical |
9.3 | Not Defined | 0.1% | detected in multiple dependencies | Transitive | 6.5.4 | ✅ |
|
| CVE-2024-33883 | High |
8.8 | Not Defined | 1.3000001% | ejs-3.1.8.tgz | Transitive | N/A* | ❌ |
|
| CVE-2022-46175 | High |
7.1 | Not Defined | 43.5% | detected in multiple dependencies | Transitive | 6.5.4 | ✅ |
|
| CVE-2025-27789 | Medium |
6.2 | Not Defined | 0.0% | detected in multiple dependencies | Transitive | N/A* | ❌ | |
| CVE-2024-11831 | Medium |
5.4 | Not Defined | 0.0% | serialize-javascript-4.0.0.tgz | Transitive | N/A* | ❌ | |
| CVE-2025-5889 |  Low |
3.1 | Not Defined | brace-expansion-2.0.1.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /baak-vizualization/package.json
Path to vulnerable library: /baak-vizualization/node_modules/minimatch/package.json,/achilles-frontend/node_modules/minimatch/package.json
Dependency Hierarchy:
- workbox-webpack-plugin-6.5.3.tgz (Root Library)
- workbox-build-6.5.3.tgz
- rollup-plugin-off-main-thread-2.2.3.tgz
- ejs-3.1.8.tgz
- jake-10.8.5.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- jake-10.8.5.tgz
- ejs-3.1.8.tgz
- rollup-plugin-off-main-thread-2.2.3.tgz
- workbox-build-6.5.3.tgz
Found in HEAD commit: 11d21c5fccd238699f5c2bd3370cb76b77ce750a
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
try-d3-0.1.0/scripts/build.js (Application)
-> try-d3-0.1.0/config/webpack.config.js (Extension)
-> react-dev-utils-12.0.1/ForkTsCheckerWebpackPlugin.js (Extension)
-> fork-ts-checker-webpack-plugin-6.5.2/lib/index.js (Extension)
...
-> fork-ts-checker-webpack-plugin-6.5.2/lib/hooks/tapAfterEnvironmentToPatchWatching.js (Extension)
-> fork-ts-checker-webpack-plugin-6.5.2/lib/watch/InclusiveNodeWatchFileSystem.js (Extension)
-> ❌ minimatch-3.0.4/minimatch.js (Vulnerable Component)
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVE-2024-47068
Vulnerable Library - rollup-2.74.1.tgz
Next-generation ES module bundler
Library home page: https://registry.npmjs.org/rollup/-/rollup-2.74.1.tgz
Path to dependency file: /baak-vizualization/package.json
Path to vulnerable library: /baak-vizualization/node_modules/rollup/package.json,/achilles-frontend/node_modules/rollup/package.json
Dependency Hierarchy:
- workbox-webpack-plugin-6.5.3.tgz (Root Library)
- workbox-build-6.5.3.tgz
- ❌ rollup-2.74.1.tgz (Vulnerable Library)
- workbox-build-6.5.3.tgz
Found in HEAD commit: 11d21c5fccd238699f5c2bd3370cb76b77ce750a
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
try-d3-0.1.0/config/webpack.config.js (Application)
-> workbox-webpack-plugin-6.5.3/build/index.js (Extension)
-> workbox-webpack-plugin-6.5.3/build/generate-sw.js (Extension)
-> workbox-build-6.5.3/build/lib/bundle.js (Extension)
-> rollup-2.74.1/dist/rollup.js (Extension)
-> rollup-2.74.1/dist/shared/rollup.js (Extension)
-> ❌ rollup-2.74.1/dist/shared/watch.js (Vulnerable Component)
Vulnerability Details
Rollup is a module bundler for JavaScript. Versions prior to 3.29.5 and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from import.meta (e.g., import.meta.url) in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. Versions 3.29.5 and 4.22.4 contain a patch for the vulnerability.
Publish Date: 2024-09-23
URL: CVE-2024-47068
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-gcx4-mw62-g8wm
Release Date: 2024-09-23
Fix Resolution (rollup): 2.79.2
Direct dependency fix Resolution (workbox-webpack-plugin): 6.5.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-25883
Vulnerable Library - semver-5.7.1.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /achilles-frontend/package.json
Path to vulnerable library: /achilles-frontend/node_modules/@babel/core/node_modules/semver/package.json,/baak-vizualization/node_modules/ E93C normalize-package-data/node_modules/semver/package.json,/baak-vizualization/node_modules/@babel/preset-env/node_modules/semver/package.json,/achilles-frontend/node_modules/jsonwebtoken/node_modules/semver/package.json,/baak-dataload-sql/node_modules/jsonwebtoken/node_modules/semver/package.json,/achilles-frontend/node_modules/@babel/preset-env/node_modules/semver/package.json,/baak-vizualization/node_modules/sane/node_modules/semver/package.json,/baak-vizualization/node_modules/find-cache-dir/node_modules/semver/package.json,/achilles-frontend/node_modules/normalize-package-data/node_modules/semver/package.json,/baak-vizualization/node_modules/@babel/plugin-transform-runtime/node_modules/semver/package.json,/baak-vizualization/node_modules/@babel/core/node_modules/semver/package.json,/achilles-frontend/node_modules/sane/node_modules/semver/package.json,/achilles-frontend/node_modules/@babel/plugin-transform-runtime/node_modules/semver/package.json,/achilles-frontend/node_modules/semver-max/node_modules/semver/package.json,/achilles-frontend/node_modules/find-cache-dir/node_modules/semver/package.json
Dependency Hierarchy:
- workbox-webpack-plugin-6.5.3.tgz (Root Library)
- workbox-build-6.5.3.tgz
- preset-env-7.12.1.tgz
- ❌ semver-5.7.1.tgz (Vulnerable Library)
- preset-env-7.12.1.tgz
- workbox-build-6.5.3.tgz
Found in HEAD commit: 11d21c5fccd238699f5c2bd3370cb76b77ce750a
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
achilles-frontend-0.1.0/src/components/Chart/index.tsx (Application)
-> semver-existing-max-1.0.0/index.js (Extension)
-> ❌ semver-5.7.1/semver.js (Vulnerable Component)
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 0.3%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution (semver): 5.7.2
Direct dependency fix Resolution (workbox-webpack-plugin): 6.5.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-45133
Vulnerable Libraries - traverse-7.13.0.tgz, traverse-7.18.0.tgz
traverse-7.13.0.tgz
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.13.0.tgz
Path to dependency file: /achilles-frontend/package.json
Path to vulnerable library: /achilles-frontend/node_modules/@babel/traverse/package.json
Dependency Hierarchy:
- workbox-webpack-plugin-6.5.3.tgz (Root Library)
- workbox-build-6.5.3.tgz
- core-7.12.3.tgz
- ❌ traverse-7.13.0.tgz (Vulnerable Library)
- core-7.12.3.tgz
- workbox-build-6.5.3.tgz
traverse-7.18.0.tgz
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.18.0.tgz
Path to dependency file: /baak-vizualization/package.json
Path to vulnerable library: /baak-vizualization/node_modules/@babel/traverse/package.json
Dependency Hierarchy:
- workbox-webpack-plugin-6.5.3.tgz (Root Library)
- workbox-build-6.5.3.tgz
- core-7.12.3.tgz
- ❌ traverse-7.18.0.tgz (Vulnerable Library)
- core-7.12.3.tgz
- workbox-build-6.5.3.tgz
Found in HEAD commit: 11d21c5fccd238699f5c2bd3370cb76b77ce750a
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Babel is a compiler for writingJavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/traverse@7.23.2 and @babel/traverse@8.0.0-alpha.4. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.
Publish Date: 2023-10-12
URL: CVE-2023-45133
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: 2023-10-12
Fix Resolution (@babel/traverse): 7.23.2
Direct dependency fix Resolution (workbox-webpack-plugin): 6.5.4
Fix Resolution (@babel/traverse): 7.23.2
Direct dependency fix Resolution (workbox-webpack-plugin): 6.5.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-33883
Vulnerable Library - ejs-3.1.8.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.8.tgz
Path to dependency file: /baak-vizualization/package.json
Path to vulnerable library: /baak-vizualization/node_modules/ejs/package.json,/achilles-frontend/node_modules/ejs/package.json
Dependency Hierarchy:
- workbox-webpack-plugin-6.5.3.tgz (Root Library)
- workbox-build-6.5.3.tgz
- rollup-plugin-off-main-thread-2.2.3.tgz
- ❌ ejs-3.1.8.tgz (Vulnerable Library)
- rollup-plugin-off-main-thread-2.2.3.tgz
- workbox-build-6.5.3.tgz
Found in HEAD commit: 11d21c5fccd238699f5c2bd3370cb76b77ce750a
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
Publish Date: 2024-04-28
URL: CVE-2024-33883
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.3000001%
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-33883
Release Date: 2024-04-28
Fix Resolution: ejs - 3.1.10
CVE-2022-46175
Vulnerable Libraries - json5-2.2.0.tgz, json5-2.2.1.tgz
json5-2.2.0.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.2.0.tgz
Path to dependency file: /achilles-frontend/package.json
Path to vulnerable library: /achilles-frontend/node_modules/@surma/rollup-plugin-off-main-thread/node_modules/json5/package.json,/achilles-frontend/node_modules/@babel/core/node_modules/json5/package.json,/achilles-frontend/node_modules/loader-utils/node_modules/json5/package.json
Dependency Hierarchy:
- workbox-webpack-plugin-6.5.3.tgz (Root Library)
- workbox-build-6.5.3.tgz
- rollup-plugin-off-main-thread-2.2.3.tgz
- ❌ json5-2.2.0.tgz (Vulnerable Library)
- rollup-plugin-off-main-thread-2.2.3.tgz
- workbox-build-6.5.3.tgz
json5-2.2.1.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.2.1.tgz
Path to dependency file: /baak-vizualization/package.json
Path to vulnerable library: /baak-vizualization/node_modules/json5/package.json
Dependency Hierarchy:
- workbox-webpack-plugin-6.5.3.tgz (Root Library)
- workbox-build-6.5.3.tgz
- rollup-plugin-off-main-thread-2.2.3.tgz
- ❌ json5-2.2.1.tgz (Vulnerable Library)
- rollup-plugin-off-main-thread-2.2.3.tgz
- workbox-build-6.5.3.tgz
Found in HEAD commit: 11d21c5fccd238699f5c2bd3370cb76b77ce750a
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 43.5%
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (workbox-webpack-plugin): 6.5.4
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (workbox-webpack-plugin): 6.5.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-27789
Vulnerable Libraries - helpers-7.13.10.tgz, helpers-7.18.0.tgz, runtime-7.13.10.tgz, runtime-7.12.5.tgz
helpers-7.13.10.tgz
Collection of helper functions used by Babel transforms.
Library home page: https://registry.npmjs.org/@babel/helpers/-/helpers-7.13.10.tgz
Path to dependency file: /achilles-frontend/package.json
Path to vulnerable library: /achilles-frontend/node_modules/@babel/helpers/package.json
Dependency Hierarchy:
- workbox-webpack-plugin-6.5.3.tgz (Root Library)
- workbox-build-6.5.3.tgz
- core-7.12.3.tgz
- ❌ helpers-7.13.10.tgz (Vulnerable Library)
- core-7.12.3.tgz
- workbox-build-6.5.3.tgz
helpers-7.18.0.tgz
Collection of helper functions used by Babel transforms.
Library home page: https://registry.npmjs.org/@babel/helpers/-/helpers-7.18.0.tgz
Path to dependency file: /baak-vizualization/package.json
Path to vulnerable library: /baak-vizualization/node_modules/@babel/helpers/package.json
Dependency Hierarchy:
- workbox-webpack-plugin-6.5.3.tgz (Root Library)
- workbox-build-6.5.3.tgz
- core-7.12.3.tgz
- ❌ helpers-7.18.0.tgz (Vulnerable Library)
- core-7.12.3.tgz
- workbox-build-6.5.3.tgz
runtime-7.13.10.tgz
babel's modular runtime helpers
Library home page: https://registry.npmjs.org/@babel/runtime/-/runtime-7.13.10.tgz
Path to dependency file: /achilles-frontend/package.json
Path to vulnerable library: /achilles-frontend/node_modules/@babel/runtime/package.json
Dependency Hierarchy:
- workbox-webpack-plugin-6.5.3.tgz (Root Library)
- workbox-build-6.5.3.tgz
- ❌ runtime-7.13.10.tgz (Vulnerable Library)
- workbox-build-6.5.3.tgz
runtime-7.12.5.tgz
babel's modular runtime helpers
Library home page: https://registry.npmjs.org/@babel/runtime/-/runtime-7.12.5.tgz
Path to dependency file: /baak-vizualization/package.json
Path to vulnerable library: /baak-vizualization/node_modules/@babel/runtime/package.json
Dependency Hierarchy:
- workbox-webpack-plugin-6.5.3.tgz (Root Library)
- workbox-build-6.5.3.tgz
- ❌ runtime-7.12.5.tgz (Vulnerable Library)
- workbox-build-6.5.3.tgz
Found in HEAD commit: 11d21c5fccd238699f5c2bd3370cb76b77ce750a
Found in base branch: master
Vulnerability Details
Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the ".replace" method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to ".replace"). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the ".replace" method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of ".replace". This problem has been fixed in "@babel/helpers" and "@babel/runtime" 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on "@babel/helpers", and instead depend on "@babel/core" (which itself depends on "@babel/helpers"). Upgrading to "@babel/core" 7.26.10 is not required, but it guarantees use of a new enough "@babel/helpers" version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.
Publish Date: 2025-03-11
URL: CVE-2025-27789
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (6.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-968p-4wvh-cqc8
Release Date: 2025-03-11
Fix Resolution: https://github.com/babel/babel.git - v7.26.10
CVE-2024-11831
Vulnerable Library - serialize-javascript-4.0.0.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-4.0.0.tgz
Path to dependency file: /achilles-frontend/package.json
Path to vulnerable library: /achilles-frontend/node_modules/rollup-plugin-terser/node_modules/serialize-javascript/package.json,/baak-vizualization/node_modules/rollup-plugin-terser/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
- workbox-webpack-plugin-6.5.3.tgz (Root Library)
- workbox-build-6.5.3.tgz
- rollup-plugin-terser-7.0.2.tgz
- ❌ serialize-javascript-4.0.0.tgz (Vulnerable Library)
- rollup-plugin-terser-7.0.2.tgz
- workbox-build-6.5.3.tgz
Found in HEAD commit: 11d21c5fccd238699f5c2bd3370cb76b77ce750a
Found in base branch: master
Vulnerability Details
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
Publish Date: 2025-02-10
URL: CVE-2024-11831
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p7-773f-r4q5
Release Date: 2025-02-10
Fix Resolution: serialize-javascript - 6.0.2
CVE-2025-5889
Vulnerable Library - brace-expansion-2.0.1.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz
Path to dependency file: /baak-vizualization/package.json
Path to vulnerable library: /baak-vizualization/node_modules/filelist/node_modules/brace-expansion/package.json,/achilles-frontend/node_modules/filelist/node_modules/brace-expansion/package.json
Dependency Hierarchy:
- workbox-webpack-plugin-6.5.3.tgz (Root Library)
- workbox-build-6.5.3.tgz
- rollup-plugin-off-main-thread-2.2.3.tgz
- ejs-3.1.8.tgz
- jake-10.8.5.tgz
- filelist-1.0.4.tgz
- minimatch-5.1.0.tgz
- ❌ brace-expansion-2.0.1.tgz (Vulnerable Library)
- minimatch-5.1.0.tgz
- filelist-1.0.4.tgz
- jake-10.8.5.tgz
- ejs-3.1.8.tgz
- rollup-plugin-off-main-thread-2.2.3.tgz
- workbox-build-6.5.3.tgz
Found in HEAD commit: 11d21c5fccd238699f5c2bd3370cb76b77ce750a
Found in base branch: master
Vulnerability Details
A vulnerability was found in juliangruber brace-expansion up to 1.1.11. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to apply a patch to fix this issue.
Publish Date: 2025-06-09
URL: CVE-2025-5889
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
⛑️Automatic Remediation will be attempted for this issue.