Vulnerable Library - @freecodecamp/api-server-0.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /api-server/package.json
Partial results (31 findings) are displayed below due to a content size limitation in GitHub. To view information on the remaining findings, navigate to the Mend Application.
Findings
| Finding | Severity | CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-7783 | 🟣 Critical | 9.4 | Not Defined | < 1% | form-data-2.3.3.tgz | Transitive | N/A |
| CVE-2022-29078 | 🟣 Critical | 9.3 | Not Defined | 93.5% | ejs-2.7.4.tgz | Transitive | N/A |
| WS-2021-0153 | 🟣 Critical | 9.3 | N/A | N/A | ejs-2.7.4.tgz | Transitive | N/A |
| WS-2022-0280 | 🟣 Critical | 9.3 | N/A | N/A | moment-timezone-0.5.33.tgz | Transitive | N/A |
| WS-2022-0284 | 🟣 Critical | 9.3 | N/A | N/A | moment-timezone-0.5.33.tgz | Transitive | N/A |
| CVE-2022-31129 | 🔴 High | 8.7 | Not Defined | 3.4% | moment-2.29.3.tgz | Transitive | N/A |
| CVE-2024-33883 | 🔴 High | 8.7 | Not Defined | 1.3000001% | ejs-3.1.9.tgz | Transitive | N/A |
| CVE-2024-33883 | 🔴 High | 8.7 | Not Defined | 1.3000001% | ejs-2.7.4.tgz | Transitive | N/A |
| CVE-2024-45590 | 🔴 High | 8.7 | Not Defined | 1.4000001% | body-parser-1.20.0.tgz | Transitive | N/A |
| CVE-2025-65945 | 🔴 High | 8.7 | Not Defined | < 1% | jws-3.2.2.tgz | Transitive | N/A |
| CVE-2026-25639 | 🔴 High | 8.7 | Not Defined | < 1% | axios-0.23.0.tgz | Transitive | N/A |
| CVE-2026-25639 | 🔴 High | 8.7 | Not Defined | < 1% | axios-0.22.0.tgz | Transitive | N/A |
| CVE-2026-26996 | 🔴 High | 8.7 | Not Defined | < 1% | minimatch-3.1.2.tgz | Transitive | N/A |
| CVE-2026-26996 | 🔴 High | 8.7 | Not Defined | < 1% | minimatch-5.1.6.tgz | Transitive | N/A |
| WS-2023-0439 | 🔴 High | 8.7 | N/A | N/A | axios-0.22.0.tgz | Transitive | N/A |
| WS-2023-0439 | 🔴 High | 8.7 | N/A | N/A | axios-0.23.0.tgz | Transitive | N/A |
| CVE-2024-21538 | 🔴 High | 7.7 | Proof of concept | < 1% | cross-spawn-7.0.3.tgz | Transitive | N/A |
| CVE-2025-12758 | 🔴 High | 7.7 | Not Defined | < 1% | validator-13.7.0.tgz | Transitive | N/A |
| CVE-2025-12758 | 🔴 High | 7.7 | Not Defined | < 1% | validator-13.11.0.tgz | Transitive | N/A |
| CVE-2025-13033 | 🔴 High | 7.7 | Not Defined | < 1% | nodemailer-6.9.10.tgz | Transitive | N/A |
| CVE-2025-14874 | 🔴 High | 7.7 | Not Defined | < 1% | nodemailer-6.9.10.tgz | Transitive | N/A |
| CVE-2025-27152 | 🔴 High | 7.7 | Not Defined | < 1% | axios-0.22.0.tgz | Transitive | N/A |
| CVE-2025-27152 | 🔴 High | 7.7 | Not Defined | < 1% | axios-0.23.0.tgz | Transitive | N/A |
| CVE-2023-45857 | 🔴 High | 7.1 | Not Defined | < 1% | axios-0.23.0.tgz | Transitive | N/A |
| CVE-2023-45857 | 🔴 High | 7.1 | Not Defined | < 1% | axios-0.22.0.tgz | Transitive | N/A |
| CVE-2024-28849 | 🔴 High | 7.1 | Not Defined | < 1% | follow-redirects-1.15.3.tgz | Transitive | N/A |
| CVE-2023-0842 | 🟠 Medium | 6.9 | Not Defined | < 1% | xml2js-0.4.23.tgz | Transitive | N/A |
| CVE-2024-47764 | 🟠 Medium | 6.9 | Not Defined | < 1% | cookie-0.4.2.tgz | Transitive | N/A |
| CVE-2024-47764 | 🟠 Medium | 6.9 | Not Defined | < 1% | cookie-0.4.0.tgz | Transitive | N/A |
| CVE-2024-47764 | 🟠 Medium | 6.9 | Not Defined | < 1% | cookie-0.4.1.tgz | Transitive | N/A |
| CVE-2025-13465 | 🟠 Medium | 6.9 | Not Defined | < 1% | lodash-4.17.21.tgz | Transitive | N/A |
Details
🟣 CVE-2025-7783
Vulnerable Library - form-data-2.3.3.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - loopback-3.28.0.tgz
    - strong-remoting-3.17.0.tgz
      - request-2.88.2.tgz
        - ❌ form-data-2.3.3.tgz (Vulnerable Library)
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with the program file lib/form_data.js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jul 18, 2025 04:34 PM
URL: CVE-2025-7783
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 9.4
Suggested Fix
Type: Upgrade version
Origin: GHSA-fjxv-7rqg-78g4
Release Date: Jul 18, 2025 04:34 PM
Fix Resolution: form-data - 2.5.4, form-data - 3.0.4, https://github.com/form-data/form-data.git - v2.5.4, form-data - 4.0.4, https://github.com/form-data/form-data.git - v4.0.4, https://github.com/form-data/form-data.git - v3.0.4
🟣 CVE-2022-29078
Vulnerable Library - ejs-2.7.4.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - loopback-3.28.0.tgz
    - ❌ ejs-2.7.4.tgz (Vulnerable Library)
Vulnerability Details
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Publish Date: Apr 25, 2022 02:13 PM
URL: CVE-2022-29078
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 93.5%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~
Release Date: Apr 25, 2022 02:13 PM
Fix Resolution: ejs - v3.1.7
🟣 WS-2021-0153
Vulnerable Library - ejs-2.7.4.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - loopback-3.28.0.tgz
    - ❌ ejs-2.7.4.tgz (Vulnerable Library)
Vulnerability Details
An arbitrary code injection vulnerability was found in ejs before 3.1.6, caused by a filename that isn't sanitized for display.
Publish Date: Jan 22, 2021 12:00 AM
URL: WS-2021-0153
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: mde/ejs#571
Release Date: Jan 22, 2021 12:00 AM
Fix Resolution: ejs - 3.1.6
🟣 WS-2022-0280
Vulnerable Library - moment-timezone-0.5.33.tgz
Parse and display moments in any timezone.
Library home page: https://registry.npmjs.org/moment-timezone/-/moment-timezone-0.5.33.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - ❌ moment-timezone-0.5.33.tgz (Vulnerable Library)
Vulnerability Details
Command Injection in moment-timezone before 0.5.35.
Publish Date: Nov 03, 2024 10:01 AM
URL: WS-2022-0280
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-56x4-j7p9-fcf9
Release Date: Nov 03, 2024 10:01 AM
Fix Resolution: moment-timezone - 0.5.35
🟣 WS-2022-0284
Vulnerable Library - moment-timezone-0.5.33.tgz
Parse and display moments in any timezone.
Library home page: https://registry.npmjs.org/moment-timezone/-/moment-timezone-0.5.33.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - ❌ moment-timezone-0.5.33.tgz (Vulnerable Library)
Vulnerability Details
Cleartext Transmission of Sensitive Information in moment-timezone
Publish Date: Nov 03, 2024 10:03 AM
URL: WS-2022-0284
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-v78c-4p63-2j6c
Release Date: Nov 03, 2024 10:03 AM
Fix Resolution: moment-timezone - 0.5.35
🔴 CVE-2022-31129
Vulnerable Library - moment-2.29.3.tgz
Parse, validate, manipulate, and display dates
Library home page: https://registry.npmjs.org/moment/-/moment-2.29.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
Publish Date: Jul 06, 2022 12:00 AM
URL: CVE-2022-31129
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 3.4%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-wc69-rhjr-hc9g
Release Date: Jul 06, 2022 12:00 AM
Fix Resolution: moment - 2.29.4
🔴 CVE-2024-33883
Vulnerable Library - ejs-3.1.9.tgz
Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.9.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - strong-error-handler-3.5.0.tgz
    - ❌ ejs-3.1.9.tgz (Vulnerable Library)
Vulnerability Details
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
Publish Date: Apr 28, 2024 12:00 AM
URL: CVE-2024-33883
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.3000001%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-33883
Release Date: Apr 28, 2024 12:00 AM
Fix Resolution: ejs - 3.1.10
🔴 CVE-2024-33883
Vulnerable Library - ejs-2.7.4.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - loopback-3.28.0.tgz
    - ❌ ejs-2.7.4.tgz (Vulnerable Library)
Vulnerability Details
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
Publish Date: Apr 28, 2024 12:00 AM
URL: CVE-2024-33883
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.3000001%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-33883
Release Date: Apr 28, 2024 12:00 AM
Fix Resolution: ejs - 3.1.10
🔴 CVE-2024-45590
Vulnerable Library - body-parser-1.20.0.tgz
Node.js body parsing middleware
Library home page: https://registry.npmjs.org/body-parser/-/body-parser-1.20.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when URL encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
Publish Date: Sep 10, 2024 03:54 PM
URL: CVE-2024-45590
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.4000001%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-qwcr-r2fm-qrc7
Release Date: Sep 10, 2024 03:54 PM
Fix Resolution: body-parser - 1.20.3
🔴 CVE-2025-65945
Vulnerable Library - jws-3.2.2.tgz
Implementation of JSON Web Signatures
Library home page: https://registry.npmjs.org/jws/-/jws-3.2.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.
Publish Date: Dec 04, 2025 06:45 PM
URL: CVE-2025-65945
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-869p-cjfg-cm3x
Release Date: Dec 04, 2025 06:45 PM
Fix Resolution: jws - 4.0.1, https://github.com/auth0/node-jws.git - v3.2.3, jws - 3.2.3, https://github.com/auth0/node-jws.git - v4.0.1
🔴 CVE-2026-25639
Vulnerable Library - axios-0.23.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.23.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - ❌ axios-0.23.0.tgz (Vulnerable Library)
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Feb 09, 2026 08:11 PM
URL: CVE-2026-25639
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: axios/axios@28c7215
Release Date: Feb 09, 2026 08:11 PM
Fix Resolution: https://github.com/axios/axios.git - v1.13.5
🔴 CVE-2026-25639
Vulnerable Library - axios-0.22.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.22.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - passport-auth0-1.4.2.tgz
    - ❌ axios-0.22.0.tgz (Vulnerable Library)
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Feb 09, 2026 08:11 PM
URL: CVE-2026-25639
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: axios/axios@28c7215
Release Date: Feb 09, 2026 08:11 PM
Fix Resolution: https://github.com/axios/axios.git - v1.13.5
🔴 CVE-2026-26996
Vulnerable Library - minimatch-3.1.2.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/client-0.0.1.tgz (Root Library)
  - gatsby-3.15.0.tgz
    - glob-7.2.3.tgz
      - ❌ minimatch-3.1.2.tgz (Vulnerable Library)
- @freecodecamp/api-0.0.1.tgz (Root Library)
  - nodemon-2.0.22.tgz
    - ❌ minimatch-3.1.2.tgz (Vulnerable Library)
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - loopback-3.28.0.tgz
    - loopback-datasource-juggler-3.36.1.tgz
      - ❌ minimatch-3.1.2.tgz (Vulnerable Library)
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
Publish Date: Feb 20, 2026 03:05 AM
URL: CVE-2026-26996
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: Feb 19, 2026 12:56 AM
Fix Resolution: minimatch - 10.2.1, https://github.com/isaacs/minimatch.git - v10.2.1
🔴 CVE-2026-26996
Vulnerable Library - minimatch-5.1.6.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
Publish Date: Feb 20, 2026 03:05 AM
URL: CVE-2026-26996
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: Feb 19, 2026 12:56 AM
Fix Resolution: minimatch - 10.2.1, https://github.com/isaacs/minimatch.git - v10.2.1
🔴 WS-2023-0439
Vulnerable Library - axios-0.22.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.22.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - passport-auth0-1.4.2.tgz
    - ❌ axios-0.22.0.tgz (Vulnerable Library)
Vulnerability Details
Axios is vulnerable to Regular Expression Denial of Service (ReDoS). When a manipulated string is provided as input to the format method, the regular expression exhibits a time complexity of O(n^2). The server becomes unable to provide normal service due to the excessive cost and time wasted in processing vulnerable regular expressions.
Publish Date: Oct 25, 2023 09:00 PM
URL: WS-2023-0439
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴 WS-2023-0439
Vulnerable Library - axios-0.23.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.23.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - ❌ axios-0.23.0.tgz (Vulnerable Library)
Vulnerability Details
Axios is vulnerable to Regular Expression Denial of Service (ReDoS). When a manipulated string is provided as input to the format method, the regular expression exhibits a time complexity of O(n^2). The server becomes unable to provide normal service due to the excessive cost and time wasted in processing vulnerable regular expressions.
Publish Date: Oct 25, 2023 09:00 PM
URL: WS-2023-0439
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴 CVE-2024-21538
Vulnerable Library - cross-spawn-7.0.3.tgz
Cross platform child_process#spawn and child_process#spawnSync
Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Publish Date: Nov 08, 2024 05:00 AM
URL: CVE-2024-21538
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: < 1%
Score: 7.7
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21538
Release Date: Nov 08, 2024 05:00 AM
Fix Resolution: cross-spawn - 7.0.5, org.webjars.npm:cross-spawn:6.0.6, https://github.com/moxystudio/node-cross-spawn.git - v6.0.6, https://github.com/moxystudio/node-cross-spawn.git - v7.0.5, cross-spawn - 7.0.5, cross-spawn - 6.0.6
🔴 CVE-2025-12758
Vulnerable Library - validator-13.7.0.tgz
String validation and sanitization
Library home page: https://registry.npmjs.org/validator/-/validator-13.7.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - ❌ validator-13.7.0.tgz (Vulnerable Library)
Vulnerability Details
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function, which does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence, which leads to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.
Publish Date: Nov 27, 2025 05:00 AM
URL: CVE-2025-12758
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.7
Suggested Fix
Type: Upgrade version
Origin: validatorjs/validator.js#2616
Release Date: Nov 27, 2025 05:00 AM
Fix Resolution: validator - 13.15.22, validator - 13.15.22, https://github.com/validatorjs/validator.js.git - 13.15.22
🔴 CVE-2025-12758
Vulnerable Library - validator-13.11.0.tgz
Library home page: https://registry.npmjs.org/validator/-/validator-13.11.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/client-0.0.1.tgz (Root Library)
  - ❌ validator-13.11.0.tgz (Vulnerable Library)
- @freecodecamp/api-0.0.1.tgz (Root Library)
  - ❌ validator-13.11.0.tgz (Vulnerable Library)
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - express-validator-6.14.1.tgz
    - ❌ validator-13.11.0.tgz (Vulnerable Library)
Vulnerability Details
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function, which does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence, which leads to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.
Publish Date: Nov 27, 2025 05:00 AM
URL: CVE-2025-12758
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.7
Suggested Fix
Type: Upgrade version
Origin: validatorjs/validator.js#2616
Release Date: Nov 27, 2025 05:00 AM
Fix Resolution: validator - 13.15.22, validator - 13.15.22, https://github.com/validatorjs/validator.js.git - 13.15.22
🔴 CVE-2025-13033
Vulnerable Library - nodemailer-6.9.10.tgz
Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-6.9.10.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.
Publish Date: Nov 14, 2025 07:37 PM
URL: CVE-2025-13033
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.7
Suggested Fix
Type: Upgrade version
Origin: nodemailer/nodemailer@1150d99
Release Date: Nov 14, 2025 07:37 PM
Fix Resolution: https://github.com/nodemailer/nodemailer.git - v7.0.7, nodemailer - 7.0.7
🔴 CVE-2025-14874
Vulnerable Library - nodemailer-6.9.10.tgz
Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-6.9.10.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
Publish Date: Dec 18, 2025 08:40 AM
URL: CVE-2025-14874
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.7
Suggested Fix
Type: Upgrade version
Origin: nodemailer/nodemailer@b61b9c0
Release Date: Dec 18, 2025 09:15 AM
Fix Resolution: https://github.com/nodemailer/nodemailer.git - v7.0.11, nodemailer - 7.0.11
🔴 CVE-2025-27152
Vulnerable Library - axios-0.22.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.22.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - passport-auth0-1.4.2.tgz
    - ❌ axios-0.22.0.tgz (Vulnerable Library)
Vulnerability Details
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.
Publish Date: Mar 07, 2025 03:13 PM
URL: CVE-2025-27152
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-jr5f-v2jv-69x6
Release Date: Mar 07, 2025 03:13 PM
Fix Resolution: axios - 0.30.0, axios - 1.8.2, https://github.com/axios/axios.git - v0.30.0, org.webjars.npm:axios:1.8.3, https://github.com/axios/axios.git - v1.8.2
🔴 CVE-2025-27152
Vulnerable Library - axios-0.23.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.23.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - ❌ axios-0.23.0.tgz (Vulnerable Library)
Vulnerability Details
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.
Publish Date: Mar 07, 2025 03:13 PM
URL: CVE-2025-27152
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-jr5f-v2jv-69x6
Release Date: Mar 07, 2025 03:13 PM
Fix Resolution: axios - 0.30.0, axios - 1.8.2, https://github.com/axios/axios.git - v0.30.0, org.webjars.npm:axios:1.8.3, https://github.com/axios/axios.git - v1.8.2
🔴 CVE-2023-45857
Vulnerable Library - axios-0.23.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.23.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - ❌ axios-0.23.0.tgz (Vulnerable Library)
Vulnerability Details
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.
Publish Date: Nov 08, 2023 12:00 AM
URL: CVE-2023-45857
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.1
Suggested Fix
Type: Upgrade version
Origin: GHSA-wf5p-g6vw-rhxx
Release Date: Nov 08, 2023 12:00 AM
Fix Resolution: axios - 1.6.0, axios - 0.28.0, org.webjars.npm:axios:1.6.0, axios - 1.6.0
🔴 CVE-2023-45857
Vulnerable Library - axios-0.22.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.22.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - passport-auth0-1.4.2.tgz
    - ❌ axios-0.22.0.tgz (Vulnerable Library)
Vulnerability Details
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.
Publish Date: Nov 08, 2023 12:00 AM
URL: CVE-2023-45857
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.1
Suggested Fix
Type: Upgrade version
Origin: GHSA-wf5p-g6vw-rhxx
Release Date: Nov 08, 2023 12:00 AM
Fix Resolution: axios - 1.6.0, axios - 0.28.0, org.webjars.npm:axios:1.6.0, axios - 1.6.0
🔴 CVE-2024-28849
Vulnerable Library - follow-redirects-1.15.3.tgz
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
follow-redirects is an open source, drop-in replacement for Node's "http" and "https" modules that automatically follows redirects. In affected versions follow-redirects only clears the authorization header during a cross-domain redirect, but keeps the proxy-authentication header, which contains credentials too. This vulnerability may lead to a credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 14, 2024 05:07 PM
URL: CVE-2024-28849
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.1
Suggested Fix
Type: Upgrade version
Origin: GHSA-cxjh-pqwp-8mfp
Release Date: Mar 14, 2024 05:07 PM
Fix Resolution: follow-redirects - 1.15.6
🟠 CVE-2023-0842
Vulnerable Library - xml2js-0.4.23.tgz
Simple XML to JavaScript object converter.
Library home page: https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
  - loopback-3.28.0.tgz
    - strong-remoting-3.17.0.tgz
      - ❌ xml2js-0.4.23.tgz (Vulnerable Library)
Vulnerability Details
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Apr 05, 2023 12:00 AM
URL: CVE-2023-0842
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-0842
Release Date: Apr 05, 2023 12:00 AM
Fix Resolution: xml2js - 0.5.0
π CVE-2024-47764
Vulnerable Library - cookie-0.4.2.tgz
HTTP server cookie parsing and serialization
Library home page: https://registry.npmjs.org/cookie/-/cookie-0.4.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Publish Date: Oct 04, 2024 07:09 PM
URL: CVE-2024-47764
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-pxg6-pf52-xh8x
Release Date: Oct 04, 2024 07:09 PM
Fix Resolution: cookie - 0.7.0
CVE-2024-47764
Vulnerable Library - cookie-0.4.0.tgz
HTTP server cookie parsing and serialization
Library home page: https://registry.npmjs.org/cookie/-/cookie-0.4.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
- csurf-1.11.0.tgz
- cookie-0.4.0.tgz (Vulnerable Library)
Vulnerability Details
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Publish Date: Oct 04, 2024 07:09 PM
URL: CVE-2024-47764
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-pxg6-pf52-xh8x
Release Date: Oct 04, 2024 07:09 PM
Fix Resolution: cookie - 0.7.0
CVE-2024-47764
Vulnerable Library - cookie-0.4.1.tgz
HTTP server cookie parsing and serialization
Library home page: https://registry.npmjs.org/cookie/-/cookie-0.4.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
- cookie-parser-1.4.6.tgz
- cookie-0.4.1.tgz (Vulnerable Library)
Vulnerability Details
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Publish Date: Oct 04, 2024 07:09 PM
URL: CVE-2024-47764
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-pxg6-pf52-xh8x
Release Date: Oct 04, 2024 07:09 PM
Fix Resolution: cookie - 0.7.0
CVE-2025-13465
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- @freecodecamp/client-0.0.1.tgz (Root Library)
- gatsby-3.15.0.tgz
- babel-plugin-lodash-3.3.4.tgz
- lodash-4.17.21.tgz (Vulnerable Library)
- @freecodecamp/challenge-parser-0.0.1.tgz (Root Library)
- lodash-4.17.21.tgz (Vulnerable Library)
- @freecodecamp/api-0.0.1.tgz (Root Library)
- lodash-4.17.21.tgz (Vulnerable Library)
- @freecodecamp/api-server-0.0.1.tgz (Root Library)
- loopback-connector-mongodb-4.2.0.tgz
- loopback-connector-4.11.1.tgz
- strong-globalize-5.1.0.tgz
- lodash-4.17.21.tgz (Vulnerable Library)
Vulnerability Details
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched in 4.17.23.
Publish Date: Jan 21, 2026 07:05 PM
URL: CVE-2025-13465
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution: