probot-13.1.2.tgz: 4 vulnerabilities (highest severity is: 5.3) #25
Labels
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
|
[Catch All Triage - 1, 2, 3] |
|
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory. |
mend-for-github-com
bot
changed the title
|
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
mend-for-github-com
bot
changed the title
1 task
|
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory. |
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
|
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: abfeaa14394987823c352045d9a625fc5fc1f1c2
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - request-8.2.0.tgz
Library home page: https://registry.npmjs.org/@octokit/request/-/request-8.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: abfeaa14394987823c352045d9a625fc5fc1f1c2
Found in base branch: main
Vulnerability Details
@octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to version 9.2.1, the regular expression "/<([^>]+)>; rel="deprecation"/" used to match the "link" header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious "link" header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. Version 9.2.1 fixes the issue.
Publish Date: 2025-02-14
URL: CVE-2025-25290
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-rmvr-2pp2-xj38
Release Date: 2025-02-14
Fix Resolution: @octokit/request - 9.2.1
Vulnerable Library - request-error-5.0.1.tgz
Library home page: https://registry.npmjs.org/@octokit/request-error/-/request-error-5.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: abfeaa14394987823c352045d9a625fc5fc1f1c2
Found in base branch: main
Vulnerability Details
@octokit/request-error is an error class for Octokit request errors. Starting in version 1.0.0 and prior to version 6.1.7, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability. Version 6.1.7 contains a fix for the issue.
Publish Date: 2025-02-14
URL: CVE-2025-25289
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-02-14
Fix Resolution: @octokit/request-error - 5.1.1,6.1.7
Vulnerable Library - plugin-paginate-rest-9.2.1.tgz
Library home page: https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-9.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: abfeaa14394987823c352045d9a625fc5fc1f1c2
Found in base branch: main
Vulnerability Details
@octokit/plugin-paginate-rest is the Octokit plugin to paginate REST API endpoint responses. For versions starting in 1.0.0 and prior to 11.4.1 of the npm package "@octokit/plugin-paginate-rest", when calling "octokit.paginate.iterator()", a specially crafted "octokit" instance—particularly with a malicious "link" parameter in the "headers" section of the "request"—can trigger a ReDoS attack. Version 11.4.1 contains a fix for the issue.
Publish Date: 2025-02-14
URL: CVE-2025-25288
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-h5c3-5r3r-rr8q
Release Date: 2025-02-14
Fix Resolution: @octokit/plugin-paginate-rest - 11.4.1
Vulnerable Library - endpoint-9.0.4.tgz
Library home page: https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: abfeaa14394987823c352045d9a625fc5fc1f1c2
Found in base branch: main
Vulnerability Details
@octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific "options" parameters, the "endpoint.parse(options)" call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the "parse" function within the "parse.ts" file of the npm package "@octokit/endpoint". Version 10.1.3 contains a patch for the issue.
Publish Date: 2025-02-14
URL: CVE-2025-25285
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-x4c5-c7rf-jjgv
Release Date: 2025-02-14
Fix Resolution: @octokit/endpoint - 9.0.6,10.1.3
The text was updated successfully, but these errors were encountered: