Description
Vulnerable Library - discord.js-14.18.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (discord.js version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2025-13465 | 7.2 | lodash-4.17.21.tgz | Transitive | N/A* | ❌ |
| CVE-2026-22036 | 5.9 | undici-6.21.1.tgz | Transitive | 15.0.0-core-gateway-rl.1762368996-5fa92a1ea | ✅ |
| CVE-2025-47279 | 3.1 | undici-6.21.1.tgz | Transitive | 14.20.0 | ✅ |
*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2025-13465
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- discord.js-14.18.0.tgz (Root Library)
  - builders-1.10.1.tgz
    - shapeshift-4.0.0.tgz
      - ❌ lodash-4.17.21.tgz (Vulnerable Library)
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths that cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched in 4.17.23.
Publish Date: 2026-01-21
URL: CVE-2025-13465
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-01-21
Fix Resolution: lodash - 4.17.23, lodash-amd - 4.17.23, lodash-es - 4.17.23
CVE-2026-22036
Vulnerable Library - undici-6.21.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- discord.js-14.18.0.tgz (Root Library)
  - ❌ undici-6.21.1.tgz (Vulnerable Library)
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded, and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
Publish Date: 2026-01-14
URL: CVE-2026-22036
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-g9mf-h72j-4rw9
Release Date: 2026-01-14
Fix Resolution (undici): 6.23.0
Direct dependency fix resolution (discord.js): 15.0.0-core-gateway-rl.1762368996-5fa92a1ea
In order to enable automatic remediation, please create workflow rules
CVE-2025-47279
Vulnerable Library - undici-6.21.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- discord.js-14.18.0.tgz (Root Library)
  - ❌ undici-6.21.1.tgz (Vulnerable Library)
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If an attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaround, avoid calling a webhook repeatedly if the webhook fails.
Publish Date: 2025-05-15
URL: CVE-2025-47279
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-cxrh-j4jr-qwg3
Release Date: 2025-05-15
Fix Resolution (undici): 6.21.2
Direct dependency fix resolution (discord.js): 14.20.0
In order to enable automatic remediation, please create workflow rules