📂 Vulnerable Library - @freecodecamp/api-0.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /api/package.json
Partial results (30 findings) are displayed below due to a content size limitation in GitHub. To view information on the remaining findings, navigate to the Mend Application.
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-42282 | 🟣 Critical | 9.3 | Not Defined | < 1% | ip-2.0.0.tgz | Transitive | N/A | ❌ |
| CVE-2024-29415 | 🟣 Critical | 9.3 | Not Defined | 86.5% | ip-2.0.0.tgz | Transitive | N/A | ❌ |
| CVE-2026-25896 | 🟣 Critical | 9.2 | Not Defined | < 1% | fast-xml-parser-4.2.5.tgz | Transitive | N/A | ❌ |
| CVE-2026-22037 | 🔴 High | 8.9 | Not Defined | < 1% | express-2.3.0.tgz | Transitive | N/A | ❌ |
| CVE-2024-4068 | 🔴 High | 8.7 | Not Defined | < 1% | braces-3.0.2.tgz | Transitive | N/A | ❌ |
| CVE-2024-41818 | 🔴 High | 8.7 | Not Defined | < 1% | fast-xml-parser-4.2.5.tgz | Transitive | N/A | ❌ |
| CVE-2025-65945 | 🔴 High | 8.7 | Not Defined | < 1% | jws-3.2.2.tgz | Transitive | N/A | ❌ |
| CVE-2026-25223 | 🔴 High | 8.7 | Not Defined | < 1% | fastify-4.26.1.tgz | Transitive | N/A | ❌ |
| CVE-2026-26278 | 🔴 High | 8.7 | Not Defined | < 1% | fast-xml-parser-4.2.5.tgz | Transitive | N/A | ❌ |
| CVE-2026-26996 | 🔴 High | 8.7 | Not Defined | < 1% | minimatch-3.1.2.tgz | Transitive | N/A | ❌ |
| CVE-2026-26996 | 🔴 High | 8.7 | Not Defined | < 1% | minimatch-5.1.6.tgz | Transitive | N/A | ❌ |
| CVE-2024-35220 | 🔴 High | 8.3 | Not Defined | < 1% | session-10.7.0.tgz | Transitive | N/A | ❌ |
| CVE-2025-12758 | 🔴 High | 7.7 | Not Defined | < 1% | validator-13.11.0.tgz | Transitive | N/A | ❌ |
| CVE-2025-13033 | 🔴 High | 7.7 | Not Defined | < 1% | nodemailer-6.9.10.tgz | Transitive | N/A | ❌ |
| CVE-2025-14874 | 🔴 High | 7.7 | Not Defined | < 1% | nodemailer-6.9.10.tgz | Transitive | N/A | ❌ |
| CVE-2024-22207 | 🟠 Medium | 6.9 | Not Defined | 14.4% | swagger-ui-1.10.2.tgz | Transitive | N/A | ❌ |
| CVE-2024-45813 | 🟠 Medium | 6.9 | Not Defined | < 1% | find-my-way-8.1.0.tgz | Transitive | N/A | ❌ |
| CVE-2024-47764 | 🟠 Medium | 6.9 | Not Defined | < 1% | cookie-0.5.0.tgz | Transitive | N/A | ❌ |
| CVE-2025-13465 | 🟠 Medium | 6.9 | Not Defined | < 1% | lodash-4.17.21.tgz | Transitive | N/A | ❌ |
| CVE-2025-27789 | 🟠 Medium | 6.9 | Not Defined | < 1% | runtime-7.23.1.tgz | Transitive | N/A | ❌ |
| CVE-2025-15284 | 🟠 Medium | 6.3 | Not Defined | < 1% | qs-6.11.2.tgz | Transitive | N/A | ❌ |
| CVE-2026-2391 | 🟠 Medium | 6.3 | Not Defined | < 1% | qs-6.11.2.tgz | Transitive | N/A | ❌ |
| CVE-2026-25224 | 🟠 Medium | 6.3 | Not Defined | < 1% | fastify-4.26.1.tgz | Transitive | N/A | ❌ |
| CVE-2022-25883 | 🟠 Medium | 5.5 | Proof of concept | < 1% | semver-7.0.0.tgz | Transitive | N/A | ❌ |
| CVE-2026-2739 | 🟠 Medium | 5.5 | Not Defined | < 1% | bn.js-4.12.0.tgz | Transitive | N/A | ❌ |
| CVE-2024-29041 | 🟠 Medium | 5.3 | Not Defined | < 1% | express-4.18.2.tgz | Transitive | N/A | ❌ |
| CVE-2024-55565 | 🟠 Medium | 5.3 | Not Defined | < 1% | nanoid-3.3.4.tgz | Transitive | N/A | ❌ |
| CVE-2025-56200 | 🟠 Medium | 5.3 | Not Defined | < 1% | validator-13.11.0.tgz | Transitive | N/A | ❌ |
| CVE-2021-32050 | 🟠 Medium | 5.1 | Not Defined | < 1% | mongodb-3.6.9.tgz | Transitive | N/A | ❌ |
| CVE-2024-43796 | 🟡 Low | 2.3 | Not Defined | < 1% | express-4.18.2.tgz | Transitive | N/A | ❌ |
Details
🟣CVE-2023-42282
Vulnerable Library - ip-2.0.0.tgz

Library home page: https://registry.npmjs.org/ip/-/ip-2.0.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-0.0.1.tgz (Root Library)
- mongodb-4.17.2.tgz
- socks-2.7.1.tgz
- ❌ ip-2.0.0.tgz (Vulnerable Library)
Vulnerability Details
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Publish Date: Feb 08, 2024 12:00 AM
URL: CVE-2023-42282
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-78xj-cgh5-2h22
Release Date: Feb 08, 2024 12:00 AM
Fix Resolution : ip - 1.1.9,2.0.1
🟣CVE-2024-29415
Vulnerable Library - ip-2.0.0.tgz

Library home page: https://registry.npmjs.org/ip/-/ip-2.0.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-0.0.1.tgz (Root Library)
- mongodb-4.17.2.tgz
- socks-2.7.1.tgz
- ❌ ip-2.0.0.tgz (Vulnerable Library)
Vulnerability Details
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282. We assigned a different CVSS score to this CVE because of its potential to result in a Server-Side Request Forgery (SSRF) vulnerability. Additionally, the package is no longer maintained, which increases the associated risk.
Publish Date: May 27, 2024 08:04 PM
URL: CVE-2024-29415
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 86.5%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-29415
Release Date: May 27, 2024 08:15 PM
Fix Resolution : no_fix
🟣CVE-2026-25896
Vulnerable Library - fast-xml-parser-4.2.5.tgz
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.2.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-0.0.1.tgz (Root Library)
- client-ses-3.521.0.tgz
- ❌ fast-xml-parser-4.2.5.tgz (Vulnerable Library)
Vulnerability Details
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3 to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Feb 20, 2026 08:57 PM
URL: CVE-2026-25896
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 9.2
Suggested Fix
Type: Upgrade version
Origin: NaturalIntelligence/fast-xml-parser@ddcd0ac
Release Date: Feb 20, 2026 08:57 PM
Fix Resolution : https://github.com/NaturalIntelligence/fast-xml-parser.git - v5.3.5
🔴CVE-2026-22037
Vulnerable Library - express-2.3.0.tgz
Library home page: https://registry.npmjs.org/@fastify/express/-/express-2.3.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-0.0.1.tgz (Root Library)
- ❌ express-2.3.0.tgz (Vulnerable Library)
Vulnerability Details
The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., "/%61dmin" instead of "/admin"). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. The vulnerability is caused by how @fastify/express matches requests against registered middleware paths. This vulnerability is similar to, but differs from, CVE-2026-22031 because this is a different npm module with its own code. Version 4.0.3 of @fastify/express contains a patch for the issue.
Publish Date: Jan 19, 2026 04:48 PM
URL: CVE-2026-22037
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.9
Suggested Fix
Type: Upgrade version
Origin: fastify/fastify-express@dc02a3f
Release Date: Jan 19, 2026 04:48 PM
Fix Resolution : https://github.com/fastify/fastify-express.git - v4.0.3
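The bypass above is a canonicalization mismatch: one layer compares the raw request path, another compares the decoded one. The following is an added example (written for this page, not @fastify/express's, Fastify's or freeCodeCamp's code) that reproduces the mismatch with a toy prefix guard and route table, and shows the hardened shape: decode exactly once, strictly, and fail closed when decoding fails. `ROUTES`, `decodePath`, `guardAppliesRaw`, `guardAppliesDecoded` and `simulateRequest` are hypothetical names.

```javascript
// Added example, not @fastify/express's code: a toy pipeline where a prefix
// middleware layer and the router look at different spellings of the same path.
const ROUTES = { '/admin/users': 'list-users' };     // constructed route table

// Decode once, strictly: bad percent-escapes, encoded slashes and NULs are
// rejected so no later layer can interpret the path differently.
function decodePath(rawPath) {
  if (/%2f/i.test(rawPath)) return null;             // "%2F" would move segment boundaries
  let decoded;
  try { decoded = decodeURIComponent(rawPath); } catch { return null; }
  return decoded.includes('\0') ? null : decoded;
}

const startsWithPrefix = (path, prefix) => path === prefix || path.startsWith(prefix + '/');

// Vulnerable: the prefix is compared against the raw request path.
function guardAppliesRaw(prefix, rawPath) {
  return startsWithPrefix(rawPath, prefix);
}

// Hardened: compare the decoded path, and fail closed when decoding fails.
function guardAppliesDecoded(prefix, rawPath) {
  const decoded = decodePath(rawPath);
  return decoded === null ? true : startsWithPrefix(decoded, prefix);
}

// The router always matches on the decoded path. An unauthenticated request
// that the guard covers gets 401; one the guard skips reaches the handler.
function simulateRequest(rawPath, guardApplies) {
  const decoded = decodePath(rawPath);
  const handler = decoded === null ? undefined : ROUTES[decoded];
  if (!handler) return { status: 404 };
  if (guardApplies('/admin', rawPath)) return { status: 401 };
  return { status: 200, handler };
}
```

The same check belongs in any proxy or gateway ACL in front of the service: if the ACL and the upstream router decode differently, the ACL is advisory.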
🔴CVE-2024-4068
Vulnerable Library - braces-3.0.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In "lib/parse.js," if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash. After conducting further research, it was concluded that CVE-2024-4068 does not carry a security risk as high as the NVD score reflects, but it should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: May 13, 2024 10:06 AM
URL: CVE-2024-4068
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: micromatch/braces#37
Release Date: May 13, 2024 10:06 AM
Fix Resolution : braces - 3.0.3
🔴CVE-2024-41818
Vulnerable Library - fast-xml-parser-4.2.5.tgz
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.2.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-0.0.1.tgz (Root Library)
- client-ses-3.521.0.tgz
- ❌ fast-xml-parser-4.2.5.tgz (Vulnerable Library)
Vulnerability Details
fast-xml-parser is an open source, pure JavaScript XML parser. A ReDoS exists in currency.js. This vulnerability is fixed in 4.4.1.
Publish Date: Jul 29, 2024 03:56 PM
URL: CVE-2024-41818
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-41818
Release Date: Jul 29, 2024 03:56 PM
Fix Resolution : fast-xml-parser - 4.4.1,org.webjars.npm:fast-xml-parser:4.4.1
🔴CVE-2025-65945
Vulnerable Library - jws-3.2.2.tgz
Implementation of JSON Web Signatures
Library home page: https://registry.npmjs.org/jws/-/jws-3.2.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.
Publish Date: Dec 04, 2025 06:45 PM
URL: CVE-2025-65945
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-869p-cjfg-cm3x
Release Date: Dec 04, 2025 06:45 PM
Fix Resolution : jws - 4.0.1,https://github.com/auth0/node-jws.git - v3.2.3,jws - 3.2.3,https://github.com/auth0/node-jws.git - v4.0.1
🔴CVE-2026-25223
Vulnerable Library - fastify-4.26.1.tgz
Library home page: https://registry.npmjs.org/fastify/-/fastify-4.26.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-0.0.1.tgz (Root Library)
- ❌ fastify-4.26.1.tgz (Vulnerable Library)
Vulnerability Details
Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.
Publish Date: Feb 03, 2026 09:21 PM
URL: CVE-2026-25223
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: fastify/fastify@32d7b6a
Release Date: Feb 03, 2026 12:00 AM
Fix Resolution : https://github.com/fastify/fastify.git - v5.7.2
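The tab-in-Content-Type bypass is again two layers reading one header differently: a schema registry keyed by the exact header string misses, while the body parser's looser match still treats the body as JSON. The following is an added example (written for this page; it is not Fastify's code and does not claim to mirror the fix shipped in 5.7.2) with a toy pipeline showing the mismatch and a hardened version where a single strict media-type parser decides for both layers and anything it cannot parse gets 415. `parseMediaType`, `SCHEMAS`, `handleVulnerable` and `handleHardened` are hypothetical names.

```javascript
// Added example, not Fastify's code: a toy request pipeline in which a schema
// registry keyed by Content-Type and a body parser disagree about one header.
const RFC_TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;          // HTTP token: no CTLs, no tab

// Strict media-type parse: lowercase "type/subtype" essence plus parameters.
// Returns null for control characters (tab included) or any malformed part.
function parseMediaType(header) {
  if (typeof header !== 'string') return null;
  const [typePart, ...paramParts] = header.split(';');
  const essence = typePart.trim().toLowerCase();
  const slash = essence.indexOf('/');
  if (slash === -1 || !RFC_TOKEN.test(essence.slice(0, slash)) ||
      !RFC_TOKEN.test(essence.slice(slash + 1))) return null;
  const params = {};
  for (const raw of paramParts) {
    const m = /^\s*([!#$%&'*+.^_`|~0-9A-Za-z-]+)=("[^"\\]*"|[!#$%&'*+.^_`|~0-9A-Za-z-]+)\s*$/.exec(raw);
    if (!m) return null;
    params[m[1].toLowerCase()] = m[2].replace(/^"|"$/g, '');
  }
  return { essence, params };
}

// Body schema per content type (constructed): a JSON object whose only key is "name".
const SCHEMAS = {
  'application/json': (body) =>
    body !== null && typeof body === 'object' && !Array.isArray(body) &&
    Object.keys(body).every((k) => k === 'name') && typeof body.name === 'string',
};

// Vulnerable: validation does an exact lookup on the raw header (miss = skip),
// while parsing only checks that the header starts with "application/json".
function handleVulnerable(contentType, rawBody) {
  const validate = SCHEMAS[contentType];
  if (!contentType.toLowerCase().startsWith('application/json')) return { status: 415 };
  const body = JSON.parse(rawBody);
  if (validate && !validate(body)) return { status: 400 };
  return { status: 200, body, validated: Boolean(validate) };
}

// Hardened: one parse decides both questions; unparsable or unknown types fail closed.
function handleHardened(contentType, rawBody) {
  const mt = parseMediaType(contentType);
  if (!mt) return { status: 415 };
  const validate = SCHEMAS[mt.essence];
  if (mt.essence !== 'application/json' || !validate) return { status: 415 };
  let body;
  try { body = JSON.parse(rawBody); } catch { return { status: 400 }; }
  if (!validate(body)) return { status: 400 };
  return { status: 200, body, validated: true };
}
```

A detection angle for the same finding: a Content-Type header containing a tab or other control character is never legitimate, so a WAF or access-log rule on it is cheap and produces few false positives.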
🔴CVE-2026-26278
Vulnerable Library - fast-xml-parser-4.2.5.tgz
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.2.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-0.0.1.tgz (Root Library)
- client-ses-3.521.0.tgz
- ❌ fast-xml-parser-4.2.5.tgz (Vulnerable Library)
Vulnerability Details
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it is possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, disable DOCTYPE entity processing by setting the "processEntities: false" option.
Publish Date: Feb 19, 2026 07:40 PM
URL: CVE-2026-26278
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-jmr7-xgp7-cmfj
Release Date: Feb 17, 2026 11:12 PM
Fix Resolution : https://github.com/NaturalIntelligence/fast-xml-parser.git - v5.3.6,fast-xml-parser - 5.3.6
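The two fast-xml-parser DOCTYPE findings (CVE-2026-25896 above under the Critical entries, and CVE-2026-26278 here) share one code path, entity replacement, and one example can show both: an entity named with a dot becomes a regex wildcard that matches and overwrites `&lt;`, and nested entity definitions multiply without a budget. The following is an added example written for this page, not fast-xml-parser's code; `readEntities`, `expandVulnerable` and `expandHardened` are hypothetical names, and the toy DOCTYPE reader only understands `<!ENTITY name "value">`.

```javascript
// Added example, not fast-xml-parser's code: a minimal internal-subset entity
// expander showing both the regex-wildcard shadowing and unbounded expansion.
const BUILTIN = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Collect <!ENTITY name "value"> declarations from the DOCTYPE (toy reader).
function readEntities(xml) {
  const ents = {};
  const re = /<!ENTITY\s+([^\s"']+)\s+"([^"]*)"\s*>/g;
  let m;
  while ((m = re.exec(xml)) !== null) ents[m[1]] = m[2];
  return ents;
}

function decodeBuiltin(text) {
  return text.replace(/&(lt|gt|amp|quot|apos);/g, (_, n) => BUILTIN[n]);
}

// Vulnerable: the entity name is dropped into a RegExp unescaped, so an entity
// named "l." matches "&lt;" and replaces it; and the rescan loop has no budget.
function expandVulnerable(text, ents) {
  let out = text, prev;
  do {
    prev = out;
    for (const [name, value] of Object.entries(ents)) {
      out = out.replace(new RegExp('&' + name + ';', 'g'), () => value);
    }
  } while (out !== prev);
  return decodeBuiltin(out);
}

// Hardened: literal matching (no RegExp built from the name), no shadowing of
// the five predefined entities, and a cap on replacements and output size.
const XML_NAME = /^[A-Za-z_:][A-Za-z0-9._:-]*$/;
function expandHardened(text, ents, { maxExpansions = 1000, maxOutput = 1 << 16 } = {}) {
  for (const name of Object.keys(ents)) {
    if (!XML_NAME.test(name) || Object.prototype.hasOwnProperty.call(BUILTIN, name)) {
      throw new Error('rejected entity declaration: ' + name);
    }
  }
  let out = text, prev, budget = maxExpansions;
  do {
    prev = out;
    for (const [name, value] of Object.entries(ents)) {
      const pieces = out.split('&' + name + ';');      // literal, not a pattern
      budget -= pieces.length - 1;
      if (budget < 0) throw new Error('entity expansion limit exceeded');
      out = pieces.join(value);
      if (out.length > maxOutput) throw new Error('expanded document too large');
    }
  } while (out !== prev);
  return decodeBuiltin(out);
}
```

Note that "l." is a perfectly valid XML Name, so validating the name is not the fix; the fix is never compiling attacker-controlled text into a pattern. The budget is what the `processEntities: false` workaround removes the need for: if the application never needs custom entities, turning them off is simpler than bounding them.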
🔴CVE-2026-26996
Vulnerable Library - minimatch-3.1.2.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/client-0.0.1.tgz (Root Library)
  - gatsby-3.15.0.tgz
    - glob-7.2.3.tgz
      - ❌ minimatch-3.1.2.tgz (Vulnerable Library)
- @freecodecamp/api-0.0.1.tgz (Root Library)
  - nodemon-2.0.22.tgz
    - ❌ minimatch-3.1.2.tgz (Vulnerable Library)
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - loopback-3.28.0.tgz
    - loopback-datasource-juggler-3.36.1.tgz
      - ❌ minimatch-3.1.2.tgz (Vulnerable Library)
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
Publish Date: Feb 20, 2026 03:05 AM
URL: CVE-2026-26996
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: Feb 19, 2026 12:56 AM
Fix Resolution : minimatch - 10.2.1,https://github.com/isaacs/minimatch.git - v10.2.1
🔴CVE-2026-26996
Vulnerable Library - minimatch-5.1.6.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
Publish Date: Feb 20, 2026 03:05 AM
URL: CVE-2026-26996
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: Feb 19, 2026 12:56 AM
Fix Resolution : minimatch - 10.2.1,https://github.com/isaacs/minimatch.git - v10.2.1
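Both minimatch entries describe the same compile shape: each `*` becomes its own lazy `[^/]*?` group, so a run of N stars gives the regex engine N places to split the same text and a failing match backtracks through all of them. The following is an added example (written for this page, not minimatch's code, and not a claim about how 10.2.1 fixes it) with a toy glob compiler that has no `**` globstar and no character classes; it shows the naive compile, the collapsed one, and a wildcard cap for patterns that come from untrusted input. `globToSourceNaive`, `globToSourceSafe` and `globMatch` are hypothetical names.

```javascript
// Added example, not minimatch's code: a toy glob compiler (no "**" globstar,
// no character classes) showing the pattern shape behind the advisory.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// One lazy "[^/]*?" group per "*": N adjacent stars give N ways to split the
// same text, so a failing match backtracks across every combination.
function globToSourceNaive(pattern) {
  let src = '';
  for (const ch of pattern) src += ch === '*' ? '[^/]*?' : escapeRe(ch);
  return '^' + src + '$';
}

// Adjacent "*" are equivalent within one path segment, so collapse runs first;
// also cap the wildcard count when the pattern itself is untrusted input.
function globToSourceSafe(pattern, { maxStars = 32 } = {}) {
  const stars = (pattern.match(/\*/g) || []).length;
  if (stars > maxStars) throw new RangeError('pattern has too many wildcards');
  return globToSourceNaive(pattern.replace(/\*{2,}/g, '*'));
}

function globMatch(pattern, input, { safe = true } = {}) {
  const source = safe ? globToSourceSafe(pattern) : globToSourceNaive(pattern);
  return new RegExp(source).test(input);
}
```

The practical rule from the advisory text is the one that matters most: user-controlled strings belong in the `input` argument, never in the `pattern` argument; the collapse and the cap are defence in depth for code that cannot avoid compiling a pattern it did not write.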
🔴CVE-2024-35220
Vulnerable Library - session-10.7.0.tgz
Library home page: https://registry.npmjs.org/@fastify/session/-/session-10.7.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-0.0.1.tgz (Root Library)
- ❌ session-10.7.0.tgz (Vulnerable Library)
Vulnerability Details
@fastify/session is a session plugin for fastify. Requires the @fastify/cookie plugin. When restoring the cookie from the session store, the "expires" field is overridden if the "maxAge" field was set.
This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed. This vulnerability has been patched in 10.8.0.
Publish Date: May 21, 2024 08:26 PM
URL: CVE-2024-35220
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.3
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2025-12758
Vulnerable Library - validator-13.11.0.tgz
Library home page: https://registry.npmjs.org/validator/-/validator-13.11.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/client-0.0.1.tgz (Root Library)
  - ❌ validator-13.11.0.tgz (Vulnerable Library)
- @freecodecamp/api-0.0.1.tgz (Root Library)
  - ❌ validator-13.11.0.tgz (Vulnerable Library)
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - express-validator-6.14.1.tgz
    - ❌ validator-13.11.0.tgz (Vulnerable Library)
Vulnerability Details
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function, which does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence, leading to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.
Publish Date: Nov 27, 2025 05:00 AM
URL: CVE-2025-12758
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.7
Suggested Fix
Type: Upgrade version
Origin: validatorjs/validator.js#2616
Release Date: Nov 27, 2025 05:00 AM
Fix Resolution : validator - 13.15.22, https://github.com/validatorjs/validator.js.git - 13.15.22
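The validator finding is a general lesson about length checks: a count of user-perceived characters says nothing about how many bytes a column or buffer will receive, because combining sequences such as variation selectors add storage without adding "characters". The following is an added example (written for this page, not validator's code; `perceivedLength` is a constructed approximation of a counter that folds U+FE0E/U+FE0F into the preceding character) showing the naive check beside one that bounds the raw sizes first. `isLengthNaive` and `isLengthBounded` are hypothetical names.

```javascript
// Added example, not validator's code: why a perceived-character length check
// cannot bound storage size on its own, and a check that bounds both.

// Approximation of a counter that folds variation selectors (U+FE0E/U+FE0F)
// into the preceding character, so "❤\uFE0F" counts as one character.
function perceivedLength(s) {
  let n = 0;
  for (const cp of s) {                        // iterates code points, not UTF-16 units
    if (cp !== '\uFE0E' && cp !== '\uFE0F') n++;
  }
  return n;
}

// Vulnerable shape: only the perceived count is compared against the limit.
function isLengthNaive(s, { min = 0, max = Infinity } = {}) {
  const n = perceivedLength(s);
  return n >= min && n <= max;
}

// Hardened: bound the raw sizes a database column or downstream buffer will see
// (UTF-16 units and UTF-8 bytes) before the perceived count. maxBytes is the
// caller's storage limit; the default assumes at most 4 bytes per counted char.
function isLengthBounded(s, { min = 0, max = Infinity, maxBytes = max * 4 } = {}) {
  if (typeof s !== 'string') return false;
  if (s.length > maxBytes) return false;       // UTF-16 units never exceed UTF-8 bytes
  if (Buffer.byteLength(s, 'utf8') > maxBytes) return false;
  const n = perceivedLength(s);
  return n >= min && n <= max;
}
```

The same reasoning applies to any grapheme-aware counter (including `Intl.Segmenter`): keep it for the user-facing limit, but put the byte bound in front of it.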
🔴CVE-2025-13033
Vulnerable Library - nodemailer-6.9.10.tgz
Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-6.9.10.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.
Publish Date: Nov 14, 2025 07:37 PM
URL: CVE-2025-13033
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.7
Suggested Fix
Type: Upgrade version
Origin: nodemailer/nodemailer@1150d99
Release Date: Nov 14, 2025 07:37 PM
Fix Resolution : https://github.com/nodemailer/nodemailer.git - v7.0.7,nodemailer - 7.0.7
🔴CVE-2025-14874
Vulnerable Library - nodemailer-6.9.10.tgz
Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-6.9.10.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
Publish Date: Dec 18, 2025 08:40 AM
URL: CVE-2025-14874
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.7
Suggested Fix
Type: Upgrade version
Origin: nodemailer/nodemailer@b61b9c0
Release Date: Dec 18, 2025 09:15 AM
Fix Resolution : https://github.com/nodemailer/nodemailer.git - v7.0.11,nodemailer - 7.0.11
🟠CVE-2024-22207
Vulnerable Library - swagger-ui-1.10.2.tgz
Library home page: https://registry.npmjs.org/@fastify/swagger-ui/-/swagger-ui-1.10.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-0.0.1.tgz (Root Library)
- ❌ swagger-ui-1.10.2.tgz (Vulnerable Library)
Vulnerability Details
fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of "@fastify/swagger-ui" without "baseDir" set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting the "baseDir" option can also work around this vulnerability.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jan 15, 2024 03:40 PM
URL: CVE-2024-22207
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 14.4%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2024-45813
Vulnerable Library - find-my-way-8.1.0.tgz
Library home page: https://registry.npmjs.org/find-my-way/-/find-my-way-8.1.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-0.0.1.tgz (Root Library)
- fastify-4.26.1.tgz
- ❌ find-my-way-8.1.0.tgz (Vulnerable Library)
Vulnerability Details
find-my-way is a fast, open source HTTP router, internally using a Radix Tree (aka compact Prefix Tree), supports route params, wildcards, and it's framework independent. A bad regular expression is generated any time one has two parameters within a single segment, when adding a "-" at the end, like "/:a-:b-". This may cause a denial of service in some instances. Users are advised to update to find-my-way v8.2.2 or v9.0.1, or subsequent versions. There are no known workarounds for this issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Sep 18, 2024 04:47 PM
URL: CVE-2024-45813
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2024-47764
Vulnerable Library - cookie-0.5.0.tgz
HTTP server cookie parsing and serialization
Library home page: https://registry.npmjs.org/cookie/-/cookie-0.5.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Publish Date: Oct 04, 2024 07:09 PM
URL: CVE-2024-47764
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-pxg6-pf52-xh8x
Release Date: Oct 04, 2024 07:09 PM
Fix Resolution : cookie - 0.7.0
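The cookie finding is only exploitable when an application lets untrusted input reach the cookie name, path or domain, but when it does, a single name injects whole attributes. The following is an added example (written for this page, not the cookie package's code) with a loose serializer that concatenates like the vulnerable versions, a strict one that validates name, path and domain against the RFC 6265 grammars, and a minimal Set-Cookie parser standing in for the browser so the injected attributes are visible. `serializeLoose`, `serializeStrict` and `parseSetCookie` are hypothetical names.

```javascript
// Added example, not the cookie package's code: what an unvalidated cookie name
// lets a caller inject, viewed from the receiving parser, and a strict serializer.
const COOKIE_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;   // RFC 6265 cookie-name is an HTTP token
const PATH_VALUE = /^[\x20-\x3a\x3c-\x7e]*$/;            // any CHAR except CTLs and ";"
const DOMAIN_VALUE = /^\.?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$/;

function serializeLoose(name, value, attrs = {}) {
  let out = name + '=' + encodeURIComponent(value);
  if (attrs.path) out += '; Path=' + attrs.path;
  if (attrs.domain) out += '; Domain=' + attrs.domain;
  if (attrs.httpOnly) out += '; HttpOnly';
  if (attrs.secure) out += '; Secure';
  return out;
}

function serializeStrict(name, value, attrs = {}) {
  if (!COOKIE_NAME.test(name)) throw new TypeError('invalid cookie name');
  if (attrs.path !== undefined && !PATH_VALUE.test(attrs.path)) throw new TypeError('invalid path');
  if (attrs.domain !== undefined && !DOMAIN_VALUE.test(attrs.domain)) throw new TypeError('invalid domain');
  return serializeLoose(name, value, attrs);
}

// A browser-side Set-Cookie parse: the first "name=value" pair, then attributes.
function parseSetCookie(line) {
  const [pair, ...rest] = line.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    attributes[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}
```

Audit tip: grep for `serialize(` and `res.cookie(` calls whose first argument is not a string literal; those are the only call sites where this finding matters.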
🟠CVE-2025-13465
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/client-0.0.1.tgz (Root Library)
  - gatsby-3.15.0.tgz
    - babel-plugin-lodash-3.3.4.tgz
      - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- @freecodecamp/challenge-parser-0.0.1.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- @freecodecamp/api-0.0.1.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - loopback-connector-mongodb-4.2.0.tgz
    - loopback-connector-4.11.1.tgz
      - strong-globalize-5.1.0.tgz
        - ❌ lodash-4.17.21.tgz (Vulnerable Library)
Vulnerability Details
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched in 4.17.23.
Publish Date: Jan 21, 2026 07:05 PM
URL: CVE-2025-13465
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
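Deletion-only prototype pollution is easy to underestimate: removing a method from a shared prototype breaks every object that inherits it, which is a denial of service and can disable security checks implemented as prototype methods. The following is an added example (written for this page, not lodash's code) with a toy path-walking `unset` beside one that refuses prototype-reaching keys and only follows own properties; the demonstration uses a sacrificial class so the process's `Object.prototype` is never touched. `unsetLoose`, `unsetStrict` and `demo` are hypothetical names.

```javascript
// Added example, not lodash's code: a toy path-based unset beside a version that
// refuses to walk through prototype-reaching keys.
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function unsetLoose(obj, path) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1 && cur != null; i++) cur = cur[keys[i]];
  return cur != null ? delete cur[keys[keys.length - 1]] : false;
}

const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

function unsetStrict(obj, path) {
  const keys = path.split('.');
  if (keys.some((k) => BLOCKED.has(k))) return false;
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur == null || typeof cur !== 'object' || !has(cur, keys[i])) return false;
    cur = cur[keys[i]];                                 // own properties only
  }
  const last = keys[keys.length - 1];
  return cur != null && typeof cur === 'object' && has(cur, last) ? delete cur[last] : false;
}

// Demonstration on a sacrificial class: deleting "constructor.prototype.isAdmin"
// through one instance removes the method for every instance of that class.
function demo(unset) {
  class Session { isAdmin() { return false; } }
  const victim = new Session();
  const other = new Session();
  unset(victim, 'constructor.prototype.isAdmin');
  return typeof other.isAdmin;                         // "undefined" once the prototype is polluted
}
```

Where the path comes from request data (for example, a "fields to omit" parameter), the allowlist approach is stronger than the blocklist shown here: accept only paths that match a fixed set of known field names.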
🟠CVE-2025-27789
Vulnerable Library - runtime-7.23.1.tgz
Library home page: https://registry.npmjs.org/@babel/runtime/-/runtime-7.23.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-0.0.1.tgz (Root Library)
- date-fns-2.30.0.tgz
- ❌ runtime-7.23.1.tgz (Vulnerable Library)
Vulnerability Details
Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the ".replace" method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to ".replace"). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the ".replace" method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of ".replace". This problem has been fixed in "@babel/helpers" and "@babel/runtime" 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on "@babel/helpers", and instead depend on "@babel/core" (which itself depends on "@babel/helpers"). Upgrading to "@babel/core" 7.26.10 is not required, but it guarantees use of a new enough "@babel/helpers" version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.
Publish Date: Mar 11, 2025 07:09 PM
URL: CVE-2025-27789
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-968p-4wvh-cqc8
Release Date: Mar 11, 2025 07:09 PM
Fix Resolution : @babel/runtime - 8.0.0-alpha.17,@babel/helpers - 8.0.0-alpha.17,@babel/runtime-corejs3 - 8.0.0-alpha.17,@babel/runtime-corejs3 - 7.26.10,https://github.com/babel/babel.git - v7.26.10,@babel/runtime-corejs2 - 8.0.0-alpha.17,@babel/runtime - 7.26.10,@babel/helpers - 7.26.10,@babel/runtime-corejs2 - 7.26.10
🟠CVE-2025-15284
Vulnerable Library - qs-6.11.2.tgz
Library home page: https://registry.npmjs.org/qs/-/qs-6.11.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/client-0.0.1.tgz (Root Library)
  - gatsby-3.15.0.tgz
    - gatsby-telemetry-2.15.0.tgz
      - git-up-4.0.5.tgz
        - parse-url-6.0.5.tgz
          - parse-path-4.0.4.tgz
            - ❌ qs-6.11.2.tgz (Vulnerable Library)
- @freecodecamp/api-0.0.1.tgz (Root Library)
  - stripe-8.222.0.tgz
    - ❌ qs-6.11.2.tgz (Vulnerable Library)
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - loopback-3.28.0.tgz
    - strong-remoting-3.17.0.tgz
      - ❌ qs-6.11.2.tgz (Vulnerable Library)
Vulnerability Details
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS. This issue affects qs: < 6.14.1.
Summary
The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations.
Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than parameterLimit regardless of arrayLimit, because each a[]=value consumes one parameter slot. The severity has been reduced accordingly.
Details
The arrayLimit option only checked limits for indexed notation (a[0]=1&a[1]=2) but did not enforce it for bracket notation (a[]=1&a[]=2).
Vulnerable code (lib/parse.js:159-162):
```javascript
if (root === '[]' && options.parseArrays) {
    obj = utils.combine([], leaf); // No arrayLimit check
}
```
Working code (lib/parse.js:175):
```javascript
else if (index <= options.arrayLimit) { // Limit checked here
    obj = [];
    obj[index] = leaf;
}
```
The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.
PoC
```javascript
const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length); // Output: 6 (should be max 5)
```
Note on parameterLimit interaction: The original advisory's "DoS demonstration" claimed a length of 10,000, but parameterLimit (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000.
Impact
Consistency bug in arrayLimit enforcement. With default parameterLimit, the practical DoS risk is negligible since parameterLimit already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when parameterLimit is explicitly set to a very high value.
Publish Date: Dec 29, 2025 10:56 PM
URL: CVE-2025-15284
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-6rw7-vpxm-498p
Release Date: Dec 29, 2025 11:15 PM
Fix Resolution : qs - 6.14.1, https://github.com/ljharb/qs.git - v6.14.1
🟠CVE-2026-2391
Vulnerable Library - qs-6.11.2.tgz
Library home page: https://registry.npmjs.org/qs/-/qs-6.11.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/client-0.0.1.tgz (Root Library)
  - gatsby-3.15.0.tgz
    - gatsby-telemetry-2.15.0.tgz
      - git-up-4.0.5.tgz
        - parse-url-6.0.5.tgz
          - parse-path-4.0.4.tgz
            - ❌ qs-6.11.2.tgz (Vulnerable Library)
- @freecodecamp/api-0.0.1.tgz (Root Library)
  - stripe-8.222.0.tgz
    - ❌ qs-6.11.2.tgz (Vulnerable Library)
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - loopback-3.28.0.tgz
    - strong-remoting-3.17.0.tgz
      - ❌ qs-6.11.2.tgz (Vulnerable Library)
Vulnerability Details
Summary
The "arrayLimit" option in qs does not enforce limits for comma-separated values when "comma: true" is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284).
Details
When the "comma" option is set to "true" (not the default, but configurable in applications), qs allows parsing comma-separated strings as arrays (e.g., "?param=a,b,c" becomes "['a', 'b', 'c']"). However, the limit check for "arrayLimit" (default: 20) and the optional throwOnLimitExceeded occur after the comma-handling logic in "parseArrayValue", enabling a bypass. This permits creation of arbitrarily large arrays from a single parameter, leading to excessive memory allocation.
Vulnerable code (lib/parse.js: lines ~40-50):
if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
return val.split(',');
}
if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
}
return val;
The "split(',')" returns the array immediately, skipping the subsequent limit check. Downstream merging via "utils.combine" does not prevent allocation, even if it marks overflows for sparse arrays.This discrepancy allows attackers to send a single parameter with millions of commas (e.g., "?param=,,,,,,,,..."), allocating massive arrays in memory without triggering limits. It bypasses the intent of "arrayLimit", which is enforced correctly for indexed ("a[0]=") and bracket ("a[]=") notations (the latter fixed in v6.14.1 per GHSA-6rw7-vpxm-498p).
PoC
Test 1 - Basic bypass:
npm install qs
  const qs = require('qs');
  const payload = 'a=' + ','.repeat(25); // 26 elements after split (bypasses arrayLimit: 5)
  const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };
  try {
    const result = qs.parse(payload, options);
    console.log(result.a.length); // Outputs: 26 (bypass successful)
  } catch (e) {
    console.log('Limit enforced:', e.message); // Not thrown
  }
Configuration:
- "comma: true"
- "arrayLimit: 5"
- "throwOnLimitExceeded: true"
Expected: Throws "Array limit exceeded" error.
Actual: Parses successfully, creating an array of length 26.
Impact
Denial of Service (DoS) via memory exhaustion.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Feb 12, 2026 04:39 AM
URL: CVE-2026-2391
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-w7fw-mjwx-w883
Release Date: Feb 12, 2026 04:39 AM
Fix Resolution: qs - 6.14.2, https://github.com/ljharb/qs.git - v6.14.2
🟠CVE-2026-25224
Vulnerable Library - fastify-4.26.1.tgz
Library home page: https://registry.npmjs.org/fastify/-/fastify-4.26.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-0.0.1.tgz (Root Library)
  - ❌ fastify-4.26.1.tgz (Vulnerable Library)
Vulnerability Details
Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.
Publish Date: Feb 03, 2026 09:21 PM
URL: CVE-2026-25224
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-mrq3-vjjr-p77c
Release Date: Feb 03, 2026 12:00 AM
Fix Resolution: https://github.com/fastify/fastify.git - v5.7.3, fastify - 5.7.3
🟠CVE-2022-25883
Vulnerable Library - semver-7.0.0.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.0.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jun 21, 2023 05:00 AM
URL: CVE-2022-25883
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: < 1%
Score: 5.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: Jun 21, 2023 05:00 AM
Fix Resolution: semver - 5.7.2, 6.3.1, 7.5.2; org.webjars.npm:semver:7.5.2
🟠CVE-2026-2739
Vulnerable Library - bn.js-4.12.0.tgz
Big number implementation in pure javascript
Library home page: https://registry.npmjs.org/bn.js/-/bn.js-4.12.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
Publish Date: Feb 20, 2026 05:00 AM
URL: CVE-2026-2739
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.5
Suggested Fix
Type: Upgrade version
Origin: indutny/bn.js@33df26b
Release Date: Feb 20, 2026 05:00 AM
Fix Resolution: https://github.com/indutny/bn.js.git - v5.2.3
🟠CVE-2024-29041
Vulnerable Library - express-4.18.2.tgz
Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/client-0.0.1.tgz (Root Library)
  - gatsby-3.15.0.tgz
    - graphql-playground-middleware-express-1.7.23.tgz
      - ❌ express-4.18.2.tgz (Vulnerable Library)
- @freecodecamp/challenge-editor-1.0.0.tgz (Root Library)
  - ❌ express-4.18.2.tgz (Vulnerable Library)
- @freecodecamp/api-0.0.1.tgz (Root Library)
  - express-2.3.0.tgz
    - ❌ express-4.18.2.tgz (Vulnerable Library)
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - loopback-3.28.0.tgz
    - ❌ express-4.18.2.tgz (Vulnerable Library)
Vulnerability Details
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL, Express performs an encode using "encodeurl" (https://github.com/pillarjs/encodeurl) on the contents before passing it to the "location" header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is "res.location()" but this is also called from within "res.redirect()". The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 25, 2024 08:20 PM
URL: CVE-2024-29041
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-rv95-896h-c2vc
Release Date: Mar 25, 2024 08:20 PM
Fix Resolution: express - 4.19.0
🟠CVE-2024-55565
Vulnerable Library - nanoid-3.3.4.tgz
A tiny (116 bytes), secure URL-friendly unique string ID generator
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.3.4.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
Publish Date: Dec 09, 2024 12:00 AM
URL: CVE-2024-55565
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-55565
Release Date: Dec 09, 2024 12:00 AM
Fix Resolution: nanoid - 3.3.8, 5.0.9, nanoid - 5.0.9, nanoid - 3.3.8, https://github.com/ai/nanoid.git - 3.3.8, https://github.com/ai/nanoid.git - 5.0.9
🟠CVE-2025-56200
Vulnerable Library - validator-13.11.0.tgz
Library home page: https://registry.npmjs.org/validator/-/validator-13.11.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/client-0.0.1.tgz (Root Library)
  - ❌ validator-13.11.0.tgz (Vulnerable Library)
- @freecodecamp/api-0.0.1.tgz (Root Library)
  - ❌ validator-13.11.0.tgz (Vulnerable Library)
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - express-validator-6.14.1.tgz
    - ❌ validator-13.11.0.tgz (Vulnerable Library)
Vulnerability Details
A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.
Publish Date: Sep 30, 2025 12:00 AM
URL: CVE-2025-56200
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟠CVE-2021-32050
Vulnerable Library - mongodb-3.6.9.tgz
The official MongoDB driver for Node.js
Library home page: https://registry.npmjs.org/mongodb/-/mongodb-3.6.9.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).
This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Aug 29, 2023 03:24 PM
URL: CVE-2021-32050
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟡CVE-2024-43796
Vulnerable Library - express-4.18.2.tgz
Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/client-0.0.1.tgz (Root Library)
  - gatsby-3.15.0.tgz
    - graphql-playground-middleware-express-1.7.23.tgz
      - ❌ express-4.18.2.tgz (Vulnerable Library)
- @freecodecamp/challenge-editor-1.0.0.tgz (Root Library)
  - ❌ express-4.18.2.tgz (Vulnerable Library)
- @freecodecamp/api-0.0.1.tgz (Root Library)
  - express-2.3.0.tgz
    - ❌ express-4.18.2.tgz (Vulnerable Library)
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - loopback-3.28.0.tgz
    - ❌ express-4.18.2.tgz (Vulnerable Library)
Vulnerability Details
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
Publish Date: Sep 10, 2024 02:36 PM
URL: CVE-2024-43796
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 2.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-qw6h-vgh9-j6wx
Release Date: Sep 10, 2024 02:36 PM
Fix Resolution: express - 4.20.0, 5.0.0
📂 Vulnerable Library - @freecodecamp/api-0.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /api/package.json
Findings
Details
🟣CVE-2023-42282
Vulnerable Library - ip-2.0.0.tgz
Library home page: https://registry.npmjs.org/ip/-/ip-2.0.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Publish Date: Feb 08, 2024 12:00 AM
URL: CVE-2023-42282
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-78xj-cgh5-2h22
Release Date: Feb 08, 2024 12:00 AM
Fix Resolution: ip - 1.1.9, 2.0.1
🟣CVE-2024-29415
Vulnerable Library - ip-2.0.0.tgz
Library home page: https://registry.npmjs.org/ip/-/ip-2.0.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282. We assigned a different CVSS score to this CVE because of its potential to result in a Server-Side Request Forgery (SSRF) vulnerability. Additionally, the package is no longer maintained, which increases the associated risk.
Publish Date: May 27, 2024 08:04 PM
URL: CVE-2024-29415
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 86.5%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-29415
Release Date: May 27, 2024 08:15 PM
Fix Resolution: no_fix
🟣CVE-2026-25896
Vulnerable Library - fast-xml-parser-4.2.5.tgz
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.2.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3 to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Feb 20, 2026 08:57 PM
URL: CVE-2026-25896
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 9.2
Suggested Fix
Type: Upgrade version
Origin: NaturalIntelligence/fast-xml-parser@ddcd0ac
Release Date: Feb 20, 2026 08:57 PM
Fix Resolution: https://github.com/NaturalIntelligence/fast-xml-parser.git - v5.3.5
🔴CVE-2026-22037
Vulnerable Library - express-2.3.0.tgz
Library home page: https://registry.npmjs.org/@fastify/express/-/express-2.3.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., "/%61dmin" instead of "/admin"). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. The vulnerability is caused by how @fastify/express matches requests against registered middleware paths. This vulnerability is similar to, but differs from, CVE-2026-22031 because this is a different npm module with its own code. Version 4.0.3 of @fastify/express contains a patch for the issue.
Publish Date: Jan 19, 2026 04:48 PM
URL: CVE-2026-22037
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.9
Suggested Fix
Type: Upgrade version
Origin: fastify/fastify-express@dc02a3f
Release Date: Jan 19, 2026 04:48 PM
Fix Resolution: https://github.com/fastify/fastify-express.git - v4.0.3
🔴CVE-2024-4068
Vulnerable Library - braces-3.0.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
@freecodecamp/client-0.0.1.tgz (Root Library)
@freecodecamp/api-0.0.1.tgz (Root Library)
Vulnerability Details
The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In "lib/parse.js," if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash. After conducting further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: May 13, 2024 10:06 AM
URL: CVE-2024-4068
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: micromatch/braces#37
Release Date: May 13, 2024 10:06 AM
Fix Resolution: braces - 3.0.3
🔴CVE-2024-41818
Vulnerable Library - fast-xml-parser-4.2.5.tgz
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.2.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
fast-xml-parser is an open source, pure javascript xml parser. A ReDoS exists in currency.js. This vulnerability is fixed in 4.4.1.
Publish Date: Jul 29, 2024 03:56 PM
URL: CVE-2024-41818
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-41818
Release Date: Jul 29, 2024 03:56 PM
Fix Resolution: fast-xml-parser - 4.4.1, org.webjars.npm:fast-xml-parser:4.4.1
🔴CVE-2025-65945
Vulnerable Library - jws-3.2.2.tgz
Implementation of JSON Web Signatures
Library home page: https://registry.npmjs.org/jws/-/jws-3.2.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
@freecodecamp/api-0.0.1.tgz (Root Library)
@freecodecamp/api-server-0.0.1.tgz (Root Library)
Vulnerability Details
auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.
Publish Date: Dec 04, 2025 06:45 PM
URL: CVE-2025-65945
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-869p-cjfg-cm3x
Release Date: Dec 04, 2025 06:45 PM
Fix Resolution: jws - 4.0.1, https://github.com/auth0/node-jws.git - v3.2.3, jws - 3.2.3, https://github.com/auth0/node-jws.git - v4.0.1
🔴CVE-2026-25223
Vulnerable Library - fastify-4.26.1.tgz
Library home page: https://registry.npmjs.org/fastify/-/fastify-4.26.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.
Publish Date: Feb 03, 2026 09:21 PM
URL: CVE-2026-25223
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: fastify/fastify@32d7b6a
Release Date: Feb 03, 2026 12:00 AM
Fix Resolution: https://github.com/fastify/fastify.git - v5.7.2
🔴CVE-2026-26278
Vulnerable Library - fast-xml-parser-4.2.5.tgz
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.2.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by "processEntities: false" option.
Publish Date: Feb 19, 2026 07:40 PM
URL: CVE-2026-26278
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-jmr7-xgp7-cmfj
Release Date: Feb 17, 2026 11:12 PM
Fix Resolution: https://github.com/NaturalIntelligence/fast-xml-parser.git - v5.3.6, fast-xml-parser - 5.3.6
🔴CVE-2026-26996
Vulnerable Library - minimatch-3.1.2.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
@freecodecamp/client-0.0.1.tgz (Root Library)
@freecodecamp/api-0.0.1.tgz (Root Library)
@freecodecamp/api-server-0.0.1.tgz (Root Library)
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
Publish Date: Feb 20, 2026 03:05 AM
URL: CVE-2026-26996
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: Feb 19, 2026 12:56 AM
Fix Resolution: minimatch - 10.2.1, https://github.com/isaacs/minimatch.git - v10.2.1
🔴CVE-2026-26996
Vulnerable Library - minimatch-5.1.6.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
@freecodecamp/api-0.0.1.tgz (Root Library)
@freecodecamp/api-server-0.0.1.tgz (Root Library)
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
Publish Date: Feb 20, 2026 03:05 AM
URL: CVE-2026-26996
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: Feb 19, 2026 12:56 AM
Fix Resolution: minimatch - 10.2.1, https://github.com/isaacs/minimatch.git - v10.2.1
🔴CVE-2024-35220
Vulnerable Library - session-10.7.0.tgz
Library home page: https://registry.npmjs.org/@fastify/session/-/session-10.7.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
@fastify/session is a session plugin for fastify. Requires the @fastify/cookie plugin. When restoring the cookie from the session store, the "expires" field is overridden if the "maxAge" field was set.
This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed. This vulnerability has been patched in 10.8.0.
Publish Date: May 21, 2024 08:26 PM
URL: CVE-2024-35220
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.3
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴CVE-2025-12758
Vulnerable Library - validator-13.11.0.tgz
Library home page: https://registry.npmjs.org/validator/-/validator-13.11.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
@freecodecamp/client-0.0.1.tgz (Root Library)
@freecodecamp/api-0.0.1.tgz (Root Library)
@freecodecamp/api-server-0.0.1.tgz (Root Library)
Vulnerability Details
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.
Publish Date: Nov 27, 2025 05:00 AM
URL: CVE-2025-12758
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.7
Suggested Fix
Type: Upgrade version
Origin: validatorjs/validator.js#2616
Release Date: Nov 27, 2025 05:00 AM
Fix Resolution: validator - 13.15.22, validator - 13.15.22, https://github.com/validatorjs/validator.js.git - 13.15.22
🔴CVE-2025-13033
Vulnerable Library - nodemailer-6.9.10.tgz
Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-6.9.10.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
@freecodecamp/api-0.0.1.tgz (Root Library)
@freecodecamp/api-server-0.0.1.tgz (Root Library)
Vulnerability Details
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.
Publish Date: Nov 14, 2025 07:37 PM
URL: CVE-2025-13033
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.7
Suggested Fix
Type: Upgrade version
Origin: nodemailer/nodemailer@1150d99
Release Date: Nov 14, 2025 07:37 PM
Fix Resolution: https://github.com/nodemailer/nodemailer.git - v7.0.7, nodemailer - 7.0.7
🔴CVE-2025-14874
Vulnerable Library - nodemailer-6.9.10.tgz
Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-6.9.10.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
@freecodecamp/api-0.0.1.tgz (Root Library)
@freecodecamp/api-server-0.0.1.tgz (Root Library)
Vulnerability Details
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
Publish Date: Dec 18, 2025 08:40 AM
URL: CVE-2025-14874
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.7
Suggested Fix
Type: Upgrade version
Origin: nodemailer/nodemailer@b61b9c0
Release Date: Dec 18, 2025 09:15 AM
Fix Resolution: https://github.com/nodemailer/nodemailer.git - v7.0.11, nodemailer - 7.0.11
🟠CVE-2024-22207
Vulnerable Library - swagger-ui-1.10.2.tgz
Library home page: https://registry.npmjs.org/@fastify/swagger-ui/-/swagger-ui-1.10.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of "@fastify/swagger-ui" without "baseDir" set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting the "baseDir" option can also work around this vulnerability.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jan 15, 2024 03:40 PM
URL: CVE-2024-22207
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 14.4%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟠CVE-2024-45813
Vulnerable Library - find-my-way-8.1.0.tgz
Library home page: https://registry.npmjs.org/find-my-way/-/find-my-way-8.1.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
find-my-way is a fast, open source HTTP router, internally using a Radix Tree (aka compact Prefix Tree), supports route params, wildcards, and it's framework independent. A bad regular expression is generated any time one has two parameters within a single segment, when adding a "-" at the end, like "/:a-:b-". This may cause a denial of service in some instances. Users are advised to update to find-my-way v8.2.2 or v9.0.1 or subsequent versions. There are no known workarounds for this issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Sep 18, 2024 04:47 PM
URL: CVE-2024-45813
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟠CVE-2024-47764
Vulnerable Library - cookie-0.5.0.tgz
HTTP server cookie parsing and serialization
Library home page: https://registry.npmjs.org/cookie/-/cookie-0.5.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
@freecodecamp/challenge-editor-1.0.0.tgz (Root Library)
@freecodecamp/api-0.0.1.tgz (Root Library)
Vulnerability Details
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Publish Date: Oct 04, 2024 07:09 PM
URL: CVE-2024-47764
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-pxg6-pf52-xh8x
Release Date: Oct 04, 2024 07:09 PM
Fix Resolution: cookie - 0.7.0
🟠CVE-2025-13465
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
@freecodecamp/client-0.0.1.tgz (Root Library)
@freecodecamp/challenge-parser-0.0.1.tgz (Root Library)
@freecodecamp/api-0.0.1.tgz (Root Library)
@freecodecamp/api-server-0.0.1.tgz (Root Library)
Vulnerability Details
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched in 4.17.23.
Publish Date: Jan 21, 2026 07:05 PM
URL: CVE-2025-13465
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟠CVE-2025-27789
Vulnerable Library - runtime-7.23.1.tgz
Library home page: https://registry.npmjs.org/@babel/runtime/-/runtime-7.23.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the ".replace" method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to ".replace"). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the ".replace" method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of ".replace". This problem has been fixed in "@babel/helpers" and "@babel/runtime" 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on "@babel/helpers", and instead depend on "@babel/core" (which itself depends on "@babel/helpers"). Upgrading to "@babel/core" 7.26.10 is not required, but it guarantees use of a new enough "@babel/helpers" version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.
Publish Date: Mar 11, 2025 07:09 PM
URL: CVE-2025-27789
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-968p-4wvh-cqc8
Release Date: Mar 11, 2025 07:09 PM
Fix Resolution: @babel/runtime - 8.0.0-alpha.17, @babel/helpers - 8.0.0-alpha.17, @babel/runtime-corejs3 - 8.0.0-alpha.17, @babel/runtime-corejs3 - 7.26.10, https://github.com/babel/babel.git - v7.26.10, @babel/runtime-corejs2 - 8.0.0-alpha.17, @babel/runtime - 7.26.10, @babel/helpers - 7.26.10, @babel/runtime-corejs2 - 7.26.10
🟠CVE-2025-15284
Vulnerable Library - qs-6.11.2.tgz
Library home page: https://registry.npmjs.org/qs/-/qs-6.11.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
@freecodecamp/client-0.0.1.tgz (Root Library)
@freecodecamp/api-0.0.1.tgz (Root Library)
@freecodecamp/api-server-0.0.1.tgz (Root Library)
Vulnerability Details
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS. This issue affects qs: < 6.14.1.
Summary
The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations.
Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than parameterLimit regardless of arrayLimit, because each a[]=value consumes one parameter slot. The severity has been reduced accordingly.
Details
The arrayLimit option only checked limits for indexed notation (a[0]=1&a[1]=2) but did not enforce it for bracket notation (a[]=1&a[]=2).
Vulnerable code (lib/parse.js:159-162):
```js
if (root === '[]' && options.parseArrays) {
    obj = utils.combine([], leaf); // No arrayLimit check
}
```
Working code (lib/parse.js:175):
```js
else if (index <= options.arrayLimit) { // Limit checked here
    obj = [];
    obj[index] = leaf;
}
```
The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.
PoC
```js
const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length); // Output: 6 (should be max 5)
```
Note on parameterLimit interaction: The original advisory's "DoS demonstration" claimed a length of 10,000, but parameterLimit (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000.
Impact
Consistency bug in arrayLimit enforcement. With default parameterLimit, the practical DoS risk is negligible since parameterLimit already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when parameterLimit is explicitly set to a very high value.
Publish Date: Dec 29, 2025 10:56 PM
URL: CVE-2025-15284
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-6rw7-vpxm-498p
Release Date: Dec 29, 2025 11:15 PM
Fix Resolution: qs - 6.14.1, https://github.com/ljharb/qs.git - v6.14.1
🟠CVE-2026-2391
Vulnerable Library - qs-6.11.2.tgz
Library home page: https://registry.npmjs.org/qs/-/qs-6.11.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
@freecodecamp/client-0.0.1.tgz (Root Library)
@freecodecamp/api-0.0.1.tgz (Root Library)
@freecodecamp/api-server-0.0.1.tgz (Root Library)
Vulnerability Details
Summary
The "arrayLimit" option in qs does not enforce limits for comma-separated values when "comma: true" is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284).
Details
When the "comma" option is set to "true" (not the default, but configurable in applications), qs allows parsing comma-separated strings as arrays (e.g., "?param=a,b,c" becomes "['a', 'b', 'c']"). However, the limit check for "arrayLimit" (default: 20) and the optional throwOnLimitExceeded occur after the comma-handling logic in "parseArrayValue", enabling a bypass. This permits creation of arbitrarily large arrays from a single parameter, leading to excessive memory allocation.
Vulnerable code (lib/parse.js: lines ~40-50):
```js
if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
    return val.split(',');
}
if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
    throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
}
return val;
```
The "split(',')" returns the array immediately, skipping the subsequent limit check. Downstream merging via "utils.combine" does not prevent allocation, even if it marks overflows for sparse arrays. This discrepancy allows attackers to send a single parameter with millions of commas (e.g., "?param=,,,,,,,,..."), allocating massive arrays in memory without triggering limits. It bypasses the intent of "arrayLimit", which is enforced correctly for indexed ("a[0]=") and bracket ("a[]=") notations (the latter fixed in v6.14.1 per GHSA-6rw7-vpxm-498p).
PoC
Test 1 - Basic bypass:
```sh
npm install qs
```
```js
const qs = require('qs');
const payload = 'a=' + ','.repeat(25); // 26 elements after split (bypasses arrayLimit: 5)
const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };
try {
    const result = qs.parse(payload, options);
    console.log(result.a.length); // Outputs: 26 (bypass successful)
} catch (e) {
    console.log('Limit enforced:', e.message); // Not thrown
}
```
Configuration:
Expected: Throws "Array limit exceeded" error.
Actual: Parses successfully, creating an array of length 26.
Impact
Denial of Service (DoS) via memory exhaustion.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Feb 12, 2026 04:39 AM
URL: CVE-2026-2391
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-w7fw-mjwx-w883
Release Date: Feb 12, 2026 04:39 AM
Fix Resolution: qs - 6.14.2, https://github.com/ljharb/qs.git - v6.14.2
🟠CVE-2026-25224
Vulnerable Library - fastify-4.26.1.tgz
Library home page: https://registry.npmjs.org/fastify/-/fastify-4.26.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.
Publish Date: Feb 03, 2026 09:21 PM
URL: CVE-2026-25224
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-mrq3-vjjr-p77c
Release Date: Feb 03, 2026 12:00 AM
Fix Resolution: https://github.com/fastify/fastify.git - v5.7.3, fastify - 5.7.3
🟠CVE-2022-25883
Vulnerable Library - semver-7.0.0.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.0.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
@freecodecamp/client-0.0.1.tgz (Root Library)
@freecodecamp/api-0.0.1.tgz (Root Library)
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jun 21, 2023 05:00 AM
URL: CVE-2022-25883
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: < 1%
Score: 5.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: Jun 21, 2023 05:00 AM
Fix Resolution: semver - 5.7.2, 6.3.1, 7.5.2; org.webjars.npm:semver:7.5.2
🟠CVE-2026-2739
Vulnerable Library - bn.js-4.12.0.tgz
Big number implementation in pure javascript
Library home page: https://registry.npmjs.org/bn.js/-/bn.js-4.12.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
@freecodecamp/client-0.0.1.tgz (Root Library)
@freecodecamp/api-0.0.1.tgz (Root Library)
Vulnerability Details
This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
Publish Date: Feb 20, 2026 05:00 AM
URL: CVE-2026-2739
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.5
Suggested Fix
Type: Upgrade version
Origin: indutny/bn.js@33df26b
Release Date: Feb 20, 2026 05:00 AM
Fix Resolution: https://github.com/indutny/bn.js.git - v5.2.3
🟠CVE-2024-29041
Vulnerable Library - express-4.18.2.tgz
Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
@freecodecamp/client-0.0.1.tgz (Root Library)
@freecodecamp/challenge-editor-1.0.0.tgz (Root Library)
@freecodecamp/api-0.0.1.tgz (Root Library)
@freecodecamp/api-server-0.0.1.tgz (Root Library)
Vulnerability Details
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL, Express performs an encode using "encodeurl" (https://github.com/pillarjs/encodeurl) on the contents before passing it to the "location" header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is "res.location()" but this is also called from within "res.redirect()". The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 25, 2024 08:20 PM
URL: CVE-2024-29041
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-rv95-896h-c2vc
Release Date: Mar 25, 2024 08:20 PM
Fix Resolution: express - 4.19.0
🟠CVE-2024-55565
Vulnerable Library - nanoid-3.3.4.tgz
A tiny (116 bytes), secure URL-friendly unique string ID generator
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.3.4.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
@freecodecamp/api-0.0.1.tgz (Root Library)
@freecodecamp/api-server-0.0.1.tgz (Root Library)
Vulnerability Details
nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
Publish Date: Dec 09, 2024 12:00 AM
URL: CVE-2024-55565
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-55565
Release Date: Dec 09, 2024 12:00 AM
Fix Resolution: nanoid - 3.3.8, 5.0.9, https://github.com/ai/nanoid.git - 3.3.8, https://github.com/ai/nanoid.git - 5.0.9
🟠CVE-2025-56200
Vulnerable Library - validator-13.11.0.tgz
Library home page: https://registry.npmjs.org/validator/-/validator-13.11.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
@freecodecamp/client-0.0.1.tgz (Root Library)
@freecodecamp/api-0.0.1.tgz (Root Library)
@freecodecamp/api-server-0.0.1.tgz (Root Library)
Vulnerability Details
A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.
Publish Date: Sep 30, 2025 12:00 AM
URL: CVE-2025-56200
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟠CVE-2021-32050
Vulnerable Library - mongodb-3.6.9.tgz
The official MongoDB driver for Node.js
Library home page: https://registry.npmjs.org/mongodb/-/mongodb-3.6.9.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
@freecodecamp/api-0.0.1.tgz (Root Library)
@freecodecamp/api-server-0.0.1.tgz (Root Library)
Vulnerability Details
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).
This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Aug 29, 2023 03:24 PM
URL: CVE-2021-32050
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟡CVE-2024-43796
Vulnerable Library - express-4.18.2.tgz
Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
@freecodecamp/client-0.0.1.tgz (Root Library)
@freecodecamp/challenge-editor-1.0.0.tgz (Root Library)
@freecodecamp/api-0.0.1.tgz (Root Library)
@freecodecamp/api-server-0.0.1.tgz (Root Library)
Vulnerability Details
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
Publish Date: Sep 10, 2024 02:36 PM
URL: CVE-2024-43796
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 2.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-qw6h-vgh9-j6wx
Release Date: Sep 10, 2024 02:36 PM
Fix Resolution: express - 4.20.0, 5.0.0