Vulnerable Library - @kleros/vea-relayer-cli-0.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/systeminformation-npm-5.25.11-e1c9348b68-10.zip
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (20 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2026-27699
Vulnerable Library - basic-ftp-5.0.5.tgz
Library home page: https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/basic-ftp-npm-5.0.5-4f7972e368-3dc56b2092.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- agent-2.1.1.tgz
- proxy-agent-6.4.0.tgz
- pac-proxy-agent-7.2.0.tgz
- get-uri-6.0.4.tgz
- ❌ basic-ftp-5.0.5.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
The "basic-ftp" FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the "downloadToDir()" method. A malicious FTP server can send directory listings with filenames containing path traversal sequences ("../") that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.
Publish Date: 2026-02-25
URL: CVE-2026-27699
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-25
Fix Resolution: https://github.com/patrickjuchli/basic-ftp.git - v5.2.0
Step up your Open Source Security Game with Mend here
CVE-2026-26318
Vulnerable Library - systeminformation-5.25.11.tgz
Advanced, lightweight system and OS information library
Library home page: https://registry.npmjs.org/systeminformation/-/systeminformation-5.25.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/systeminformation-npm-5.25.11-e1c9348b68-10.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- pm2-sysmonit-1.2.8.tgz
- ❌ systeminformation-5.25.11.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized "locate" output in "versions()". Version 5.31.0 fixes the issue.
Publish Date: 2026-02-19
URL: CVE-2026-26318
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5vv4-hvf7-2h46
Release Date: 2026-02-19
Fix Resolution: https://github.com/sebhildebrandt/systeminformation.git - v5.31.0
Step up your Open Source Security Game with Mend here
CVE-2026-23950
Vulnerable Library - tar-7.4.3.tgz
Library home page: https://registry.npmjs.org/tar/-/tar-7.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/tar-npm-7.4.3-1dbbd1ffc3-12a2a4fc6d.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- chokidar-3.6.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-11.2.0.tgz
- ❌ tar-7.4.3.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the "path-reservations" system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., "ß" and "ss"), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a "PathReservations" system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using "NFD" Unicode normalization (in which "ß" and "ss" are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which "ß" causes an inode collision with "ss")). This enables an attacker to circumvent internal parallelization locks ("PathReservations") using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates "path-reservations.js" to use a normalization form that matches the target filesystem's behavior (e.g., "NFKD"), followed by first "toLocaleLowerCase('en')" and then "toLocaleUpperCase('en')". As a workaround, users who cannot upgrade promptly, and who are programmatically using "node-tar" to extract arbitrary tarball data should filter out all "SymbolicLink" entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
Publish Date: 2026-01-20
URL: CVE-2026-23950
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-r6q2-hw4h-h46w
Release Date: 2026-01-20
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.4,tar - 7.5.4
Step up your Open Source Security Game with Mend here
CVE-2026-39983
Vulnerable Library - basic-ftp-5.0.5.tgz
Library home page: https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/basic-ftp-npm-5.0.5-4f7972e368-3dc56b2092.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- agent-2.1.1.tgz
- proxy-agent-6.4.0.tgz
- pac-proxy-agent-7.2.0.tgz
- get-uri-6.0.4.tgz
- ❌ basic-ftp-5.0.5.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.
Publish Date: 2026-04-09
URL: CVE-2026-39983
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-09
Fix Resolution: https://github.com/patrickjuchli/basic-ftp.git - v5.2.1
Step up your Open Source Security Game with Mend here
CVE-2026-26280
Vulnerable Library - systeminformation-5.25.11.tgz
Advanced, lightweight system and OS information library
Library home page: https://registry.npmjs.org/systeminformation/-/systeminformation-5.25.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/systeminformation-npm-5.25.11-e1c9348b68-10.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- pm2-sysmonit-1.2.8.tgz
- ❌ systeminformation-5.25.11.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the "wifiNetworks()" function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In "lib/wifi.js", the "wifiNetworks()" function sanitizes the "iface" parameter on the initial call (line 437). However, when the initial scan returns empty results, a "setTimeout" retry (lines 440-441) calls "getWifiNetworkListIw(iface)" with the original unsanitized "iface" value, which is passed directly to "execSync('iwlist ${iface} scan')". Any application passing user-controlled input to "si.wifiNetworks()" is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-19
URL: CVE-2026-26280
CVSS 3 Score Details (8.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-19
Fix Resolution: https://github.com/sebhildebrandt/systeminformation.git - v5.30.8
Step up your Open Source Security Game with Mend here
CVE-2026-24842
Vulnerable Library - tar-7.4.3.tgz
Library home page: https://registry.npmjs.org/tar/-/tar-7.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/tar-npm-7.4.3-1dbbd1ffc3-12a2a4fc6d.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- chokidar-3.6.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-11.2.0.tgz
- ❌ tar-7.4.3.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Publish Date: 2026-01-28
URL: CVE-2026-24842
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-28
Fix Resolution: tar - 7.5.7,https://github.com/isaacs/node-tar.git - v7.5.7
Step up your Open Source Security Game with Mend here
CVE-2026-4800
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/lodash-npm-4.17.21-6382451519-c08619c038.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- ethers-v6-0.5.1.tgz
- ❌ lodash-4.17.21.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Publish Date: 2026-03-31
URL: CVE-2026-4800
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-r5fr-rjxr-66jc
Release Date: 2026-03-31
Fix Resolution: lodash-amd - 4.18.0,lodash.template - 4.18.0,lodash-es - 4.18.0,lodash - 4.18.0
Step up your Open Source Security Game with Mend here
CVE-2025-68154
Vulnerable Library - systeminformation-5.25.11.tgz
Advanced, lightweight system and OS information library
Library home page: https://registry.npmjs.org/systeminformation/-/systeminformation-5.25.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/systeminformation-npm-5.25.11-e1c9348b68-10.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- pm2-sysmonit-1.2.8.tgz
- ❌ systeminformation-5.25.11.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the "fsSize()" function in systeminformation is vulnerable to OS command injection on Windows systems. The optional "drive" parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to "fsSize()", it is not vulnerable. Version 5.27.14 contains a patch.
Publish Date: 2025-12-16
URL: CVE-2025-68154
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-16
Fix Resolution: https://github.com/sebhildebrandt/systeminformation.git - v5.27.14,systeminformation - 5.27.14
Step up your Open Source Security Game with Mend here
CVE-2026-41324
Vulnerable Library - basic-ftp-5.0.5.tgz
Library home page: https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/basic-ftp-npm-5.0.5-4f7972e368-3dc56b2092.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- agent-2.1.1.tgz
- proxy-agent-6.4.0.tgz
- pac-proxy-agent-7.2.0.tgz
- get-uri-6.0.4.tgz
- ❌ basic-ftp-5.0.5.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to "Client.list()", causing the client process to consume memory until it becomes unstable or crashes. Version 5.3.0 fixes the issue.
Publish Date: 2026-04-24
URL: CVE-2026-41324
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-rp42-5vxx-qpwr
Release Date: 2026-04-24
Fix Resolution: basic-ftp - 5.3.0
Step up your Open Source Security Game with Mend here
CVE-2026-33671
Vulnerable Libraries - picomatch-2.3.1.tgz, picomatch-4.0.2.tgz
picomatch-2.3.1.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/picomatch-npm-2.3.1-c782cfd986-60c2595003.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- chokidar-3.6.0.tgz
- readdirp-3.6.0.tgz
- ❌ picomatch-2.3.1.tgz (Vulnerable Library)
picomatch-4.0.2.tgz
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/picomatch-npm-4.0.2-e93516ddf2-ce617b8da3.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- chokidar-3.6.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-11.2.0.tgz
- tinyglobby-0.2.13.tgz
- ❌ picomatch-4.0.2.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as "+()" and "()", especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to "picomatch" for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to "picomatch". Possible mitigations include disabling extglob support for untrusted patterns by using "noextglob: true", rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as "+()" and "()", enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.
Publish Date: 2026-03-26
URL: CVE-2026-33671
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/micromatch/picomatch.git - 3.0.2,https://github.com/micromatch/picomatch.git - 4.0.4,https://github.com/micromatch/picomatch.git - 2.3.2
Step up your Open Source Security Game with Mend here
CVE-2026-27904
Vulnerable Library - minimatch-9.0.5.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/minimatch-npm-9.0.5-9aa93d97fa-dd6a8927b0.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- chokidar-3.6.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-11.2.0.tgz
- make-fetch-happen-14.0.3.tgz
- cacache-19.0.1.tgz
- glob-10.4.5.tgz
- ❌ minimatch-9.0.5.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested "()" extglobs produce regexps with nested unbounded quantifiers (e.g. "(?:(?:a|b))"), which exhibit catastrophic backtracking in V8. With a 12-byte pattern "(((a|b)))" and an 18-byte non-matching input, "minimatch()" stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default "minimatch()" API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects "+()" extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Publish Date: 2026-02-26
URL: CVE-2026-27904
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-23c5-xmqv-rm74
Release Date: 2026-02-26
Fix Resolution: minimatch - 7.4.8,minimatch - 10.2.3,minimatch - 8.0.6,minimatch - 4.2.5,minimatch - 6.2.2,minimatch - 9.0.7,minimatch - 5.1.8,minimatch - 3.1.4
Step up your Open Source Security Game with Mend here
CVE-2026-27903
Vulnerable Library - minimatch-9.0.5.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/minimatch-npm-9.0.5-9aa93d97fa-dd6a8927b0.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- chokidar-3.6.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-11.2.0.tgz
- make-fetch-happen-14.0.3.tgz
- cacache-19.0.1.tgz
- glob-10.4.5.tgz
- ❌ minimatch-9.0.5.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, "matchOne()" performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent "**" (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where "n" is the number of path segments and "k" is the number of globstars. With k=11 and n=30, a call to the default "minimatch()" API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to "minimatch()" is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Publish Date: 2026-02-26
URL: CVE-2026-27903
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-7r86-cg39-jmmj
Release Date: 2026-02-26
Fix Resolution: https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v8.0.6,https://github.com/isaacs/minimatch.git - v10.2.3,https://github.com/isaacs/minimatch.git - v5.1.8,https://github.com/isaacs/minimatch.git - v7.4.8,https://github.com/isaacs/minimatch.git - v4.2.5,https://github.com/isaacs/minimatch.git - v9.0.7,https://github.com/isaacs/minimatch.git - v6.2.2
Step up your Open Source Security Game with Mend here
CVE-2026-26996
Vulnerable Library - minimatch-9.0.5.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/minimatch-npm-9.0.5-9aa93d97fa-dd6a8927b0.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- chokidar-3.6.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-11.2.0.tgz
- make-fetch-happen-14.0.3.tgz
- cacache-19.0.1.tgz
- glob-10.4.5.tgz
- ❌ minimatch-9.0.5.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6 are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS.
This issue has been fixed in versions 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-20
URL: CVE-2026-26996
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: 2026-02-19
Fix Resolution: https://github.com/isaacs/minimatch.git - v10.2.1,https://github.com/isaacs/minimatch.git - v5.1.7,https://github.com/isaacs/minimatch.git - v8.0.5,https://github.com/isaacs/minimatch.git - v4.2.4,https://github.com/isaacs/minimatch.git - v9.0.6,https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v6.2.1,https://github.com/isaacs/minimatch.git - v7.4.7
Step up your Open Source Security Game with Mend here
CVE-2025-64756
Vulnerable Library - glob-10.4.5.tgz
Library home page: https://registry.npmjs.org/glob/-/glob-10.4.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/glob-npm-10.4.5-8c63175f05-698dfe1182.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- chokidar-3.6.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-11.2.0.tgz
- make-fetch-happen-14.0.3.tgz
- cacache-19.0.1.tgz
- ❌ glob-10.4.5.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-11-17
URL: CVE-2025-64756
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5j98-mcp5-4vw2
Release Date: 2025-11-17
Fix Resolution: https://github.com/isaacs/node-glob.git - v10.5.0,glob - 11.1.0,https://github.com/isaacs/node-glob.git - v11.1.0,glob - 10.5.0
Step up your Open Source Security Game with Mend here
CVE-2025-13465
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/lodash-npm-4.17.21-6382451519-c08619c038.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- ethers-v6-0.5.1.tgz
- ❌ lodash-4.17.21.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched on 4.17.23
Publish Date: 2026-01-21
URL: CVE-2025-13465
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-01-21
Fix Resolution: lodash-amd - 4.17.23,lodash - 4.17.23,lodash-es - 4.17.23
Step up your Open Source Security Game with Mend here
CVE-2026-31802
Vulnerable Library - tar-7.4.3.tgz
Library home page: https://registry.npmjs.org/tar/-/tar-7.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/tar-npm-7.4.3-1dbbd1ffc3-12a2a4fc6d.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- chokidar-3.6.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-11.2.0.tgz
- ❌ tar-7.4.3.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Publish Date: 2026-03-09
URL: CVE-2026-31802
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-09
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.11
Step up your Open Source Security Game with Mend here
CVE-2026-29786
Vulnerable Library - tar-7.4.3.tgz
Library home page: https://registry.npmjs.org/tar/-/tar-7.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/tar-npm-7.4.3-1dbbd1ffc3-12a2a4fc6d.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- chokidar-3.6.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-11.2.0.tgz
- ❌ tar-7.4.3.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
Publish Date: 2026-03-07
URL: CVE-2026-29786
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-07
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.10
Step up your Open Source Security Game with Mend here
CVE-2026-26960
Vulnerable Library - tar-7.4.3.tgz
Library home page: https://registry.npmjs.org/tar/-/tar-7.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/tar-npm-7.4.3-1dbbd1ffc3-12a2a4fc6d.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- chokidar-3.6.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-11.2.0.tgz
- ❌ tar-7.4.3.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Publish Date: 2026-02-20
URL: CVE-2026-26960
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-18
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.8,tar - 7.5.8
Step up your Open Source Security Game with Mend here
CVE-2026-23745
Vulnerable Library - tar-7.4.3.tgz
Library home page: https://registry.npmjs.org/tar/-/tar-7.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/tar-npm-7.4.3-1dbbd1ffc3-12a2a4fc6d.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- chokidar-3.6.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-11.2.0.tgz
- ❌ tar-7.4.3.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Publish Date: 2026-01-16
URL: CVE-2026-23745
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-16
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.3
Step up your Open Source Security Game with Mend here
CVE-2026-33750
Vulnerable Library - brace-expansion-2.0.1.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/brace-expansion-npm-2.0.1-17aa2616f9-a61e7cd2e8.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- chokidar-3.6.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-11.2.0.tgz
- make-fetch-happen-14.0.3.tgz
- cacache-19.0.1.tgz
- glob-10.4.5.tgz
- minimatch-9.0.5.tgz
- ❌ brace-expansion-2.0.1.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., "{1..2..0}") causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to "expand()" to ensure a step value of "0" is not used.
Publish Date: 2026-03-27
URL: CVE-2026-33750
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/juliangruber/brace-expansion.git - v5.0.5,https://github.com/juliangruber/brace-expansion.git - v1.1.13,https://github.com/juliangruber/brace-expansion.git - v3.0.2,https://github.com/juliangruber/brace-expansion.git - v2.0.3
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/systeminformation-npm-5.25.11-e1c9348b68-10.zip
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - basic-ftp-5.0.5.tgz
Library home page: https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/basic-ftp-npm-5.0.5-4f7972e368-3dc56b2092.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
The "basic-ftp" FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the "downloadToDir()" method. A malicious FTP server can send directory listings with filenames containing path traversal sequences ("../") that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.
Publish Date: 2026-02-25
URL: CVE-2026-27699
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-02-25
Fix Resolution: https://github.com/patrickjuchli/basic-ftp.git - v5.2.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - systeminformation-5.25.11.tgz
Advanced, lightweight system and OS information library
Library home page: https://registry.npmjs.org/systeminformation/-/systeminformation-5.25.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/systeminformation-npm-5.25.11-e1c9348b68-10.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized "locate" output in "versions()". Version 5.31.0 fixes the issue.
Publish Date: 2026-02-19
URL: CVE-2026-26318
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-5vv4-hvf7-2h46
Release Date: 2026-02-19
Fix Resolution: https://github.com/sebhildebrandt/systeminformation.git - v5.31.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-7.4.3.tgz
Library home page: https://registry.npmjs.org/tar/-/tar-7.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/tar-npm-7.4.3-1dbbd1ffc3-12a2a4fc6d.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the "path-reservations" system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., "ß" and "ss"), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a "PathReservations" system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using "NFD" Unicode normalization (in which "ß" and "ss" are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which "ß" causes an inode collision with "ss")). This enables an attacker to circumvent internal parallelization locks ("PathReservations") using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates "path-reservations.js" to use a normalization form that matches the target filesystem's behavior (e.g., "NFKD"), followed by first "toLocaleLowerCase('en')" and then "toLocaleUpperCase('en')". As a workaround, users who cannot upgrade promptly, and who are programmatically using "node-tar" to extract arbitrary tarball data should filter out all "SymbolicLink" entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
Publish Date: 2026-01-20
URL: CVE-2026-23950
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-r6q2-hw4h-h46w
Release Date: 2026-01-20
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.4,tar - 7.5.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - basic-ftp-5.0.5.tgz
Library home page: https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/basic-ftp-npm-5.0.5-4f7972e368-3dc56b2092.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.
Publish Date: 2026-04-09
URL: CVE-2026-39983
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-09
Fix Resolution: https://github.com/patrickjuchli/basic-ftp.git - v5.2.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - systeminformation-5.25.11.tgz
Advanced, lightweight system and OS information library
Library home page: https://registry.npmjs.org/systeminformation/-/systeminformation-5.25.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/systeminformation-npm-5.25.11-e1c9348b68-10.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the "wifiNetworks()" function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In "lib/wifi.js", the "wifiNetworks()" function sanitizes the "iface" parameter on the initial call (line 437). However, when the initial scan returns empty results, a "setTimeout" retry (lines 440-441) calls "getWifiNetworkListIw(iface)" with the original unsanitized "iface" value, which is passed directly to "execSync('iwlist ${iface} scan')". Any application passing user-controlled input to "si.wifiNetworks()" is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-19
URL: CVE-2026-26280
CVSS 3 Score Details (8.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-02-19
Fix Resolution: https://github.com/sebhildebrandt/systeminformation.git - v5.30.8
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-7.4.3.tgz
Library home page: https://registry.npmjs.org/tar/-/tar-7.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/tar-npm-7.4.3-1dbbd1ffc3-12a2a4fc6d.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Publish Date: 2026-01-28
URL: CVE-2026-24842
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-01-28
Fix Resolution: tar - 7.5.7,https://github.com/isaacs/node-tar.git - v7.5.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/lodash-npm-4.17.21-6382451519-c08619c038.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Publish Date: 2026-03-31
URL: CVE-2026-4800
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-r5fr-rjxr-66jc
Release Date: 2026-03-31
Fix Resolution: lodash-amd - 4.18.0,lodash.template - 4.18.0,lodash-es - 4.18.0,lodash - 4.18.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - systeminformation-5.25.11.tgz
Advanced, lightweight system and OS information library
Library home page: https://registry.npmjs.org/systeminformation/-/systeminformation-5.25.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/systeminformation-npm-5.25.11-e1c9348b68-10.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the "fsSize()" function in systeminformation is vulnerable to OS command injection on Windows systems. The optional "drive" parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to "fsSize()", it is not vulnerable. Version 5.27.14 contains a patch.
Publish Date: 2025-12-16
URL: CVE-2025-68154
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-12-16
Fix Resolution: https://github.com/sebhildebrandt/systeminformation.git - v5.27.14,systeminformation - 5.27.14
Step up your Open Source Security Game with Mend here
Vulnerable Library - basic-ftp-5.0.5.tgz
Library home page: https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/basic-ftp-npm-5.0.5-4f7972e368-3dc56b2092.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to "Client.list()", causing the client process to consume memory until it becomes unstable or crashes. Version 5.3.0 fixes the issue.
Publish Date: 2026-04-24
URL: CVE-2026-41324
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-rp42-5vxx-qpwr
Release Date: 2026-04-24
Fix Resolution: basic-ftp - 5.3.0
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - picomatch-2.3.1.tgz, picomatch-4.0.2.tgz
picomatch-2.3.1.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/picomatch-npm-2.3.1-c782cfd986-60c2595003.zip
Dependency Hierarchy:
picomatch-4.0.2.tgz
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/picomatch-npm-4.0.2-e93516ddf2-ce617b8da3.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as "+()" and "()", especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to "picomatch" for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to "picomatch". Possible mitigations include disabling extglob support for untrusted patterns by using "noextglob: true", rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as "+()" and "()", enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.
Publish Date: 2026-03-26
URL: CVE-2026-33671
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/micromatch/picomatch.git - 3.0.2,https://github.com/micromatch/picomatch.git - 4.0.4,https://github.com/micromatch/picomatch.git - 2.3.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - minimatch-9.0.5.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/minimatch-npm-9.0.5-9aa93d97fa-dd6a8927b0.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested "()" extglobs produce regexps with nested unbounded quantifiers (e.g. "(?:(?:a|b))"), which exhibit catastrophic backtracking in V8. With a 12-byte pattern "(((a|b)))" and an 18-byte non-matching input, "minimatch()" stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default "minimatch()" API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects "+()" extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Publish Date: 2026-02-26
URL: CVE-2026-27904
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-23c5-xmqv-rm74
Release Date: 2026-02-26
Fix Resolution: minimatch - 7.4.8,minimatch - 10.2.3,minimatch - 8.0.6,minimatch - 4.2.5,minimatch - 6.2.2,minimatch - 9.0.7,minimatch - 5.1.8,minimatch - 3.1.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - minimatch-9.0.5.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/minimatch-npm-9.0.5-9aa93d97fa-dd6a8927b0.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, "matchOne()" performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent "**" (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where "n" is the number of path segments and "k" is the number of globstars. With k=11 and n=30, a call to the default "minimatch()" API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to "minimatch()" is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Publish Date: 2026-02-26
URL: CVE-2026-27903
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-7r86-cg39-jmmj
Release Date: 2026-02-26
Fix Resolution: https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v8.0.6,https://github.com/isaacs/minimatch.git - v10.2.3,https://github.com/isaacs/minimatch.git - v5.1.8,https://github.com/isaacs/minimatch.git - v7.4.8,https://github.com/isaacs/minimatch.git - v4.2.5,https://github.com/isaacs/minimatch.git - v9.0.7,https://github.com/isaacs/minimatch.git - v6.2.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - minimatch-9.0.5.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/minimatch-npm-9.0.5-9aa93d97fa-dd6a8927b0.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6 are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS.
This issue has been fixed in versions 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-20
URL: CVE-2026-26996
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: 2026-02-19
Fix Resolution: https://github.com/isaacs/minimatch.git - v10.2.1,https://github.com/isaacs/minimatch.git - v5.1.7,https://github.com/isaacs/minimatch.git - v8.0.5,https://github.com/isaacs/minimatch.git - v4.2.4,https://github.com/isaacs/minimatch.git - v9.0.6,https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v6.2.1,https://github.com/isaacs/minimatch.git - v7.4.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - glob-10.4.5.tgz
Library home page: https://registry.npmjs.org/glob/-/glob-10.4.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/glob-npm-10.4.5-8c63175f05-698dfe1182.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-11-17
URL: CVE-2025-64756
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-5j98-mcp5-4vw2
Release Date: 2025-11-17
Fix Resolution: https://github.com/isaacs/node-glob.git - v10.5.0,glob - 11.1.0,https://github.com/isaacs/node-glob.git - v11.1.0,glob - 10.5.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/lodash-npm-4.17.21-6382451519-c08619c038.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched on 4.17.23
Publish Date: 2026-01-21
URL: CVE-2025-13465
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-01-21
Fix Resolution: lodash-amd - 4.17.23,lodash - 4.17.23,lodash-es - 4.17.23
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-7.4.3.tgz
Library home page: https://registry.npmjs.org/tar/-/tar-7.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/tar-npm-7.4.3-1dbbd1ffc3-12a2a4fc6d.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Publish Date: 2026-03-09
URL: CVE-2026-31802
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-09
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.11
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-7.4.3.tgz
Library home page: https://registry.npmjs.org/tar/-/tar-7.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/tar-npm-7.4.3-1dbbd1ffc3-12a2a4fc6d.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
Publish Date: 2026-03-07
URL: CVE-2026-29786
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-07
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.10
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-7.4.3.tgz
Library home page: https://registry.npmjs.org/tar/-/tar-7.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/tar-npm-7.4.3-1dbbd1ffc3-12a2a4fc6d.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Publish Date: 2026-02-20
URL: CVE-2026-26960
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-02-18
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.8,tar - 7.5.8
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-7.4.3.tgz
Library home page: https://registry.npmjs.org/tar/-/tar-7.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/tar-npm-7.4.3-1dbbd1ffc3-12a2a4fc6d.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Publish Date: 2026-01-16
URL: CVE-2026-23745
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-01-16
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - brace-expansion-2.0.1.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/brace-expansion-npm-2.0.1-17aa2616f9-a61e7cd2e8.zip
Dependency Hierarchy:
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., "{1..2..0}") causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to "expand()" to ensure a step value of "0" is not used.
Publish Date: 2026-03-27
URL: CVE-2026-33750
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/juliangruber/brace-expansion.git - v5.0.5,https://github.com/juliangruber/brace-expansion.git - v1.1.13,https://github.com/juliangruber/brace-expansion.git - v3.0.2,https://github.com/juliangruber/brace-expansion.git - v2.0.3
Step up your Open Source Security Game with Mend here