Vulnerable Library - rn-sample-app-0.0.2-beta.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (rn-sample-app version) |
Remediation Possible** |
| CVE-2026-23950 |
 High |
8.8 |
tar-7.5.2.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-25547 |
High |
8.6 |
brace-expansion-5.0.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-24842 |
High |
8.2 |
tar-7.5.2.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-9277 |
High |
8.1 |
shell-quote-1.8.3.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-33671 |
High |
7.5 |
detected in multiple dependencies |
Transitive |
N/A* |
❌ |
| CVE-2026-27904 |
High |
7.5 |
detected in multiple dependencies |
Transitive |
N/A* |
❌ |
| CVE-2026-27903 |
High |
7.5 |
detected in multiple dependencies |
Transitive |
N/A* |
❌ |
| CVE-2026-26996 |
High |
7.5 |
detected in multiple dependencies |
Transitive |
N/A* |
❌ |
| CVE-2025-64756 |
High |
7.5 |
glob-11.0.3.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-31802 |
High |
7.1 |
tar-7.5.2.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-29786 |
High |
7.1 |
tar-7.5.2.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-26960 |
High |
7.1 |
tar-7.5.2.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-23745 |
High |
7.1 |
tar-7.5.2.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-33750 |
 Medium |
6.5 |
brace-expansion-1.1.12.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-42338 |
Medium |
5.4 |
ip-address-10.1.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-33672 |
Medium |
5.3 |
detected in multiple dependencies |
Transitive |
N/A* |
❌ |
| CVE-2025-64718 |
Medium |
5.3 |
js-yaml-3.14.1.tgz |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-23950
Vulnerable Library - tar-7.5.2.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-7.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- transform-29.7.0.tgz
- jest-haste-map-29.7.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-12.1.0.tgz
- ❌ tar-7.5.2.tgz (Vulnerable Library)
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the "path-reservations" system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., "ß" and "ss"), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a "PathReservations" system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using "NFD" Unicode normalization (in which "ß" and "ss" are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which "ß" causes an inode collision with "ss")). This enables an attacker to circumvent internal parallelization locks ("PathReservations") using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates "path-reservations.js" to use a normalization form that matches the target filesystem's behavior (e.g., "NFKD"), followed by first "toLocaleLowerCase('en')" and then "toLocaleUpperCase('en')". As a workaround, users who cannot upgrade promptly, and who are programmatically using "node-tar" to extract arbitrary tarball data should filter out all "SymbolicLink" entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
Publish Date: 2026-01-20
URL: CVE-2026-23950
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-r6q2-hw4h-h46w
Release Date: 2026-01-20
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.4,tar - 7.5.4
CVE-2026-25547
Vulnerable Library - brace-expansion-5.0.0.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/@isaacs/brace-expansion/-/brace-expansion-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- transform-29.7.0.tgz
- jest-haste-map-29.7.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-12.1.0.tgz
- make-fetch-happen-15.0.3.tgz
- cacache-20.0.1.tgz
- glob-11.0.3.tgz
- minimatch-10.1.1.tgz
- ❌ brace-expansion-5.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
Publish Date: 2026-02-04
URL: CVE-2026-25547
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-04
Fix Resolution: https://github.com/isaacs/brace-expansion.git - v5.0.1
CVE-2026-24842
Vulnerable Library - tar-7.5.2.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-7.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- transform-29.7.0.tgz
- jest-haste-map-29.7.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-12.1.0.tgz
- ❌ tar-7.5.2.tgz (Vulnerable Library)
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Publish Date: 2026-01-28
URL: CVE-2026-24842
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-28
Fix Resolution: tar - 7.5.7,https://github.com/isaacs/node-tar.git - v7.5.7
CVE-2026-9277
Vulnerable Library - shell-quote-1.8.3.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- react-devtools-core-6.1.5.tgz
- ❌ shell-quote-1.8.3.tgz (Vulnerable Library)
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
shell-quote's "quote()" function did not validate object-token inputs against the operator model used by "parse()". The ".op" field was backslash-escaped character by character using "/(.)/g", which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in ".op" therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of "{ op: '...\n...' }" from external input, and (2) via "parse(cmd, envFn)" when "envFn" returns object tokens whose ".op" is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: ".op" must match the parser's control-operator allowlist; "{ op: 'glob', pattern }" validates "pattern" and forbids line terminators; "{ comment }" validates "comment" and forbids line terminators; any other object shape throws "TypeError".
Publish Date: 2026-05-22
URL: CVE-2026-9277
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-22
Fix Resolution: https://github.com/ljharb/shell-quote.git - v1.8.4,shell-quote - 1.8.4
CVE-2026-33671
Vulnerable Libraries - picomatch-4.0.3.tgz, picomatch-2.3.1.tgz
picomatch-4.0.3.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- transform-29.7.0.tgz
- jest-haste-map-29.7.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-12.1.0.tgz
- tinyglobby-0.2.15.tgz
- ❌ picomatch-4.0.3.tgz (Vulnerable Library)
picomatch-2.3.1.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- transform-29.7.0.tgz
- jest-haste-map-29.7.0.tgz
- anymatch-3.1.3.tgz
- ❌ picomatch-2.3.1.tgz (Vulnerable Library)
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as "+()" and "()", especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to "picomatch" for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to "picomatch". Possible mitigations include disabling extglob support for untrusted patterns by using "noextglob: true", rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as "+()" and "()", enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.
Publish Date: 2026-03-26
URL: CVE-2026-33671
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/micromatch/picomatch.git - 3.0.2,https://github.com/micromatch/picomatch.git - 4.0.4,https://github.com/micromatch/picomatch.git - 2.3.2
CVE-2026-27904
Vulnerable Libraries - minimatch-3.1.2.tgz, minimatch-10.1.1.tgz
minimatch-3.1.2.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- babel-plugin-istanbul-6.1.1.tgz
- test-exclude-6.0.0.tgz
- ❌ minimatch-3.1.2.tgz (Vulnerable Library)
minimatch-10.1.1.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-10.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- transform-29.7.0.tgz
- jest-haste-map-29.7.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-12.1.0.tgz
- make-fetch-happen-15.0.3.tgz
- cacache-20.0.1.tgz
- glob-11.0.3.tgz
- ❌ minimatch-10.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested "()" extglobs produce regexps with nested unbounded quantifiers (e.g. "(?:(?:a|b))"), which exhibit catastrophic backtracking in V8. With a 12-byte pattern "(((a|b)))" and an 18-byte non-matching input, "minimatch()" stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default "minimatch()" API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects "+()" extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Publish Date: 2026-02-26
URL: CVE-2026-27904
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-23c5-xmqv-rm74
Release Date: 2026-02-26
Fix Resolution: minimatch - 7.4.8,minimatch - 10.2.3,minimatch - 8.0.6,minimatch - 6.2.2,minimatch - 9.0.7,minimatch - 5.1.8,minimatch - 4.2.5,minimatch - 3.1.4
CVE-2026-27903
Vulnerable Libraries - minimatch-3.1.2.tgz, minimatch-10.1.1.tgz
minimatch-3.1.2.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- babel-plugin-istanbul-6.1.1.tgz
- test-exclude-6.0.0.tgz
- ❌ minimatch-3.1.2.tgz (Vulnerable Library)
minimatch-10.1.1.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-10.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- transform-29.7.0.tgz
- jest-haste-map-29.7.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-12.1.0.tgz
- make-fetch-happen-15.0.3.tgz
- cacache-20.0.1.tgz
- glob-11.0.3.tgz
- ❌ minimatch-10.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, "matchOne()" performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent "**" (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where "n" is the number of path segments and "k" is the number of globstars. With k=11 and n=30, a call to the default "minimatch()" API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to "minimatch()" is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Publish Date: 2026-02-26
URL: CVE-2026-27903
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-7r86-cg39-jmmj
Release Date: 2026-02-26
Fix Resolution: https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v4.2.5,https://github.com/isaacs/minimatch.git - v6.2.2,https://github.com/isaacs/minimatch.git - v10.2.3,https://github.com/isaacs/minimatch.git - v5.1.8,https://github.com/isaacs/minimatch.git - v9.0.7,https://github.com/isaacs/minimatch.git - v7.4.8,https://github.com/isaacs/minimatch.git - v8.0.6
CVE-2026-26996
Vulnerable Libraries - minimatch-3.1.2.tgz, minimatch-10.1.1.tgz
minimatch-3.1.2.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- babel-plugin-istanbul-6.1.1.tgz
- test-exclude-6.0.0.tgz
- ❌ minimatch-3.1.2.tgz (Vulnerable Library)
minimatch-10.1.1.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-10.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- transform-29.7.0.tgz
- jest-haste-map-29.7.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-12.1.0.tgz
- make-fetch-happen-15.0.3.tgz
- cacache-20.0.1.tgz
- glob-11.0.3.tgz
- ❌ minimatch-10.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6 are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS.
This issue has been fixed in versions 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-20
URL: CVE-2026-26996
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: 2026-02-19
Fix Resolution: https://github.com/isaacs/minimatch.git - v10.2.1,https://github.com/isaacs/minimatch.git - v5.1.7,https://github.com/isaacs/minimatch.git - v4.2.4,https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v8.0.5,https://github.com/isaacs/minimatch.git - v9.0.6,https://github.com/isaacs/minimatch.git - v6.2.1,https://github.com/isaacs/minimatch.git - v7.4.7
CVE-2025-64756
Vulnerable Library - glob-11.0.3.tgz
the most correct and second fastest glob implementation in JavaScript
Library home page: https://registry.npmjs.org/glob/-/glob-11.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- transform-29.7.0.tgz
- jest-haste-map-29.7.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-12.1.0.tgz
- make-fetch-happen-15.0.3.tgz
- cacache-20.0.1.tgz
- ❌ glob-11.0.3.tgz (Vulnerable Library)
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-11-17
URL: CVE-2025-64756
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5j98-mcp5-4vw2
Release Date: 2025-11-17
Fix Resolution: https://github.com/isaacs/node-glob.git - v10.5.0,glob - 11.1.0,https://github.com/isaacs/node-glob.git - v11.1.0,glob - 10.5.0
CVE-2026-31802
Vulnerable Library - tar-7.5.2.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-7.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- transform-29.7.0.tgz
- jest-haste-map-29.7.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-12.1.0.tgz
- ❌ tar-7.5.2.tgz (Vulnerable Library)
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Publish Date: 2026-03-09
URL: CVE-2026-31802
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-09
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.11
CVE-2026-29786
Vulnerable Library - tar-7.5.2.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-7.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- transform-29.7.0.tgz
- jest-haste-map-29.7.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-12.1.0.tgz
- ❌ tar-7.5.2.tgz (Vulnerable Library)
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
Publish Date: 2026-03-07
URL: CVE-2026-29786
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-07
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.10
CVE-2026-26960
Vulnerable Library - tar-7.5.2.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-7.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- transform-29.7.0.tgz
- jest-haste-map-29.7.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-12.1.0.tgz
- ❌ tar-7.5.2.tgz (Vulnerable Library)
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Publish Date: 2026-02-20
URL: CVE-2026-26960
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-18
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.8,tar - 7.5.8
CVE-2026-23745
Vulnerable Library - tar-7.5.2.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-7.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- transform-29.7.0.tgz
- jest-haste-map-29.7.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-12.1.0.tgz
- ❌ tar-7.5.2.tgz (Vulnerable Library)
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Publish Date: 2026-01-16
URL: CVE-2026-23745
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-16
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.3
CVE-2026-33750
Vulnerable Library - brace-expansion-1.1.12.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- babel-plugin-istanbul-6.1.1.tgz
- test-exclude-6.0.0.tgz
- minimatch-3.1.2.tgz
- ❌ brace-expansion-1.1.12.tgz (Vulnerable Library)
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., "{1..2..0}") causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to "expand()" to ensure a step value of "0" is not used.
Publish Date: 2026-03-27
URL: CVE-2026-33750
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/juliangruber/brace-expansion.git - v2.0.3,https://github.com/juliangruber/brace-expansion.git - v3.0.2,https://github.com/juliangruber/brace-expansion.git - v5.0.5,https://github.com/juliangruber/brace-expansion.git - v1.1.13
CVE-2026-42338
Vulnerable Library - ip-address-10.1.0.tgz
A library for parsing IPv4 and IPv6 IP addresses in node and the browser.
Library home page: https://registry.npmjs.org/ip-address/-/ip-address-10.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- transform-29.7.0.tgz
- jest-haste-map-29.7.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-12.1.0.tgz
- make-fetch-happen-15.0.3.tgz
- agent-4.0.0.tgz
- socks-proxy-agent-8.0.5.tgz
- socks-2.8.7.tgz
- ❌ ip-address-10.1.0.tgz (Vulnerable Library)
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error's parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. This vulnerability is fixed in 10.1.1.
Publish Date: 2026-05-12
URL: CVE-2026-42338
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v2v4-37r5-5v8g
Release Date: 2026-05-06
Fix Resolution: ip-address - 10.1.1,https://github.com/beaugunderson/ip-address.git - v10.1.1
CVE-2026-33672
Vulnerable Libraries - picomatch-2.3.1.tgz, picomatch-4.0.3.tgz
picomatch-2.3.1.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- transform-29.7.0.tgz
- jest-haste-map-29.7.0.tgz
- anymatch-3.1.3.tgz
- ❌ picomatch-2.3.1.tgz (Vulnerable Library)
picomatch-4.0.3.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- transform-29.7.0.tgz
- jest-haste-map-29.7.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-12.1.0.tgz
- tinyglobby-0.2.15.tgz
- ❌ picomatch-4.0.3.tgz (Vulnerable Library)
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the "POSIX_REGEX_SOURCE" object. Because the object inherits from "Object.prototype", specially crafted POSIX bracket expressions (e.g., "[[:constructor:]]") can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression. This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control. All users of affected "picomatch" versions that process untrusted or user-controlled glob patterns are potentially impacted. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch. Possible mitigations include sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like "[[:...:]]"; avoiding the use of POSIX bracket expressions if user input is involved; and manually patching the library by modifying "POSIX_REGEX_SOURCE" to use a null prototype.
Publish Date: 2026-03-26
URL: CVE-2026-33672
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/micromatch/picomatch.git - 2.3.2,https://github.com/micromatch/picomatch.git - 4.0.4,https://github.com/micromatch/picomatch.git - 3.0.2
CVE-2025-64718
Vulnerable Library - js-yaml-3.14.1.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rn-sample-app-0.0.2-beta.1.tgz (Root Library)
- react-native-0.80.1.tgz
- babel-jest-29.7.0.tgz
- babel-plugin-istanbul-6.1.1.tgz
- load-nyc-config-1.1.0.tgz
- ❌ js-yaml-3.14.1.tgz (Vulnerable Library)
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution ("proto"). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using "node --disable-proto=delete" or "deno" (in Deno, pollution protection is on by default).
Publish Date: 2025-11-13
URL: CVE-2025-64718
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-mh29-5h37-fv8m
Release Date: 2025-11-13
Fix Resolution: js-yaml - 4.1.1,js-yaml - 3.14.2
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - tar-7.5.2.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-7.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the "path-reservations" system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., "ß" and "ss"), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a "PathReservations" system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using "NFD" Unicode normalization (in which "ß" and "ss" are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which "ß" causes an inode collision with "ss")). This enables an attacker to circumvent internal parallelization locks ("PathReservations") using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates "path-reservations.js" to use a normalization form that matches the target filesystem's behavior (e.g., "NFKD"), followed by first "toLocaleLowerCase('en')" and then "toLocaleUpperCase('en')". As a workaround, users who cannot upgrade promptly, and who are programmatically using "node-tar" to extract arbitrary tarball data should filter out all "SymbolicLink" entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
Publish Date: 2026-01-20
URL: CVE-2026-23950
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-r6q2-hw4h-h46w
Release Date: 2026-01-20
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.4,tar - 7.5.4
Vulnerable Library - brace-expansion-5.0.0.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/@isaacs/brace-expansion/-/brace-expansion-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
Publish Date: 2026-02-04
URL: CVE-2026-25547
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-02-04
Fix Resolution: https://github.com/isaacs/brace-expansion.git - v5.0.1
Vulnerable Library - tar-7.5.2.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-7.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Publish Date: 2026-01-28
URL: CVE-2026-24842
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-01-28
Fix Resolution: tar - 7.5.7,https://github.com/isaacs/node-tar.git - v7.5.7
Vulnerable Library - shell-quote-1.8.3.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
shell-quote's "quote()" function did not validate object-token inputs against the operator model used by "parse()". The ".op" field was backslash-escaped character by character using "/(.)/g", which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in ".op" therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of "{ op: '...\n...' }" from external input, and (2) via "parse(cmd, envFn)" when "envFn" returns object tokens whose ".op" is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: ".op" must match the parser's control-operator allowlist; "{ op: 'glob', pattern }" validates "pattern" and forbids line terminators; "{ comment }" validates "comment" and forbids line terminators; any other object shape throws "TypeError".
Publish Date: 2026-05-22
URL: CVE-2026-9277
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-22
Fix Resolution: https://github.com/ljharb/shell-quote.git - v1.8.4,shell-quote - 1.8.4
Vulnerable Libraries - picomatch-4.0.3.tgz, picomatch-2.3.1.tgz
picomatch-4.0.3.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
picomatch-2.3.1.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as "+()" and "()", especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to "picomatch" for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to "picomatch". Possible mitigations include disabling extglob support for untrusted patterns by using "noextglob: true", rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as "+()" and "()", enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.
Publish Date: 2026-03-26
URL: CVE-2026-33671
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/micromatch/picomatch.git - 3.0.2,https://github.com/micromatch/picomatch.git - 4.0.4,https://github.com/micromatch/picomatch.git - 2.3.2
Vulnerable Libraries - minimatch-3.1.2.tgz, minimatch-10.1.1.tgz
minimatch-3.1.2.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
minimatch-10.1.1.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-10.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested "()" extglobs produce regexps with nested unbounded quantifiers (e.g. "(?:(?:a|b))"), which exhibit catastrophic backtracking in V8. With a 12-byte pattern "(((a|b)))" and an 18-byte non-matching input, "minimatch()" stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default "minimatch()" API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects "+()" extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Publish Date: 2026-02-26
URL: CVE-2026-27904
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-23c5-xmqv-rm74
Release Date: 2026-02-26
Fix Resolution: minimatch - 7.4.8,minimatch - 10.2.3,minimatch - 8.0.6,minimatch - 6.2.2,minimatch - 9.0.7,minimatch - 5.1.8,minimatch - 4.2.5,minimatch - 3.1.4
Vulnerable Libraries - minimatch-3.1.2.tgz, minimatch-10.1.1.tgz
minimatch-3.1.2.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
minimatch-10.1.1.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-10.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, "matchOne()" performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent "**" (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where "n" is the number of path segments and "k" is the number of globstars. With k=11 and n=30, a call to the default "minimatch()" API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to "minimatch()" is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Publish Date: 2026-02-26
URL: CVE-2026-27903
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-7r86-cg39-jmmj
Release Date: 2026-02-26
Fix Resolution: https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v4.2.5,https://github.com/isaacs/minimatch.git - v6.2.2,https://github.com/isaacs/minimatch.git - v10.2.3,https://github.com/isaacs/minimatch.git - v5.1.8,https://github.com/isaacs/minimatch.git - v9.0.7,https://github.com/isaacs/minimatch.git - v7.4.8,https://github.com/isaacs/minimatch.git - v8.0.6
Vulnerable Libraries - minimatch-3.1.2.tgz, minimatch-10.1.1.tgz
minimatch-3.1.2.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
minimatch-10.1.1.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-10.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6 are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS.
This issue has been fixed in versions 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-20
URL: CVE-2026-26996
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: 2026-02-19
Fix Resolution: https://github.com/isaacs/minimatch.git - v10.2.1,https://github.com/isaacs/minimatch.git - v5.1.7,https://github.com/isaacs/minimatch.git - v4.2.4,https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v8.0.5,https://github.com/isaacs/minimatch.git - v9.0.6,https://github.com/isaacs/minimatch.git - v6.2.1,https://github.com/isaacs/minimatch.git - v7.4.7
Vulnerable Library - glob-11.0.3.tgz
the most correct and second fastest glob implementation in JavaScript
Library home page: https://registry.npmjs.org/glob/-/glob-11.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-11-17
URL: CVE-2025-64756
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-5j98-mcp5-4vw2
Release Date: 2025-11-17
Fix Resolution: https://github.com/isaacs/node-glob.git - v10.5.0,glob - 11.1.0,https://github.com/isaacs/node-glob.git - v11.1.0,glob - 10.5.0
Vulnerable Library - tar-7.5.2.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-7.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Publish Date: 2026-03-09
URL: CVE-2026-31802
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-09
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.11
Vulnerable Library - tar-7.5.2.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-7.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
Publish Date: 2026-03-07
URL: CVE-2026-29786
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-07
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.10
Vulnerable Library - tar-7.5.2.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-7.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Publish Date: 2026-02-20
URL: CVE-2026-26960
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-02-18
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.8,tar - 7.5.8
Vulnerable Library - tar-7.5.2.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-7.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Publish Date: 2026-01-16
URL: CVE-2026-23745
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-01-16
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.3
Vulnerable Library - brace-expansion-1.1.12.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., "{1..2..0}") causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to "expand()" to ensure a step value of "0" is not used.
Publish Date: 2026-03-27
URL: CVE-2026-33750
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/juliangruber/brace-expansion.git - v2.0.3,https://github.com/juliangruber/brace-expansion.git - v3.0.2,https://github.com/juliangruber/brace-expansion.git - v5.0.5,https://github.com/juliangruber/brace-expansion.git - v1.1.13
Vulnerable Library - ip-address-10.1.0.tgz
A library for parsing IPv4 and IPv6 IP addresses in node and the browser.
Library home page: https://registry.npmjs.org/ip-address/-/ip-address-10.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error's parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. This vulnerability is fixed in 10.1.1.
Publish Date: 2026-05-12
URL: CVE-2026-42338
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-v2v4-37r5-5v8g
Release Date: 2026-05-06
Fix Resolution: ip-address - 10.1.1,https://github.com/beaugunderson/ip-address.git - v10.1.1
Vulnerable Libraries - picomatch-2.3.1.tgz, picomatch-4.0.3.tgz
picomatch-2.3.1.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
picomatch-4.0.3.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the "POSIX_REGEX_SOURCE" object. Because the object inherits from "Object.prototype", specially crafted POSIX bracket expressions (e.g., "[[:constructor:]]") can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression. This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control. All users of affected "picomatch" versions that process untrusted or user-controlled glob patterns are potentially impacted. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch. Possible mitigations include sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like "[[:...:]]"; avoiding the use of POSIX bracket expressions if user input is involved; and manually patching the library by modifying "POSIX_REGEX_SOURCE" to use a null prototype.
Publish Date: 2026-03-26
URL: CVE-2026-33672
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/micromatch/picomatch.git - 2.3.2,https://github.com/micromatch/picomatch.git - 4.0.4,https://github.com/micromatch/picomatch.git - 3.0.2
Vulnerable Library - js-yaml-3.14.1.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 070940db9fc3a0878dc3c3a911d70ea7599f16ed
Found in base branch: main
Vulnerability Details
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution ("proto"). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using "node --disable-proto=delete" or "deno" (in Deno, pollution protection is on by default).
Publish Date: 2025-11-13
URL: CVE-2025-64718
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-mh29-5h37-fv8m
Release Date: 2025-11-13
Fix Resolution: js-yaml - 4.1.1,js-yaml - 3.14.2