airtable-0.8.1.tgz: 7 vulnerabilities (highest severity is: 8.7) #1
Description
Vulnerable Library - airtable-0.8.1.tgz
The official Airtable JavaScript library.
Library home page: https://registry.npmjs.org/airtable/-/airtable-0.8.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/airtable/package.json
Found in HEAD commit: e75f5f4d7e01b676deab2951e9b35356d6d6eabf
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (airtable version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-7783 |  High |
8.7 | form-data-2.3.3.tgz | Transitive | 0.9.0 | ✅ |
| CVE-2022-46155 | High |
7.6 | airtable-0.8.1.tgz | Direct | N/A | ❌ |
| CVE-2020-8203 | High |
7.4 | lodash-4.17.15.tgz | Transitive | 0.10.0 | ✅ |
| CVE-2021-23337 | High |
7.2 | lodash-4.17.15.tgz | Transitive | 0.10.1 | ✅ |
| CVE-2023-26136 |  Medium |
6.5 | tough-cookie-2.4.3.tgz | Transitive | 0.9.0 | ✅ |
| CVE-2023-28155 | Medium |
6.1 | request-2.88.0.tgz | Transitive | N/A* | ❌ |
| CVE-2020-28500 | Medium |
5.3 | lodash-4.17.15.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-7783
Vulnerable Library - form-data-2.3.3.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/node_modules/form-data/package.json
Dependency Hierarchy:
- airtable-0.8.1.tgz (Root Library)
- request-2.88.0.tgz
- ❌ form-data-2.3.3.tgz (Vulnerable Library)
- request-2.88.0.tgz
Found in HEAD commit: e75f5f4d7e01b676deab2951e9b35356d6d6eabf
Found in base branch: main
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Publish Date: 2025-07-18
URL: CVE-2025-7783
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-07-18
Fix Resolution (form-data): 2.5.4
Direct dependency fix Resolution (airtable): 0.9.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-46155
Vulnerable Library - airtable-0.8.1.tgz
The official Airtable JavaScript library.
Library home page: https://registry.npmjs.org/airtable/-/airtable-0.8.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/airtable/package.json
Dependency Hierarchy:
- ❌ airtable-0.8.1.tgz (Vulnerable Library)
Found in HEAD commit: e75f5f4d7e01b676deab2951e9b35356d6d6eabf
Found in base branch: main
Vulnerability Details
Airtable.js is the JavaScript client for Airtable. Prior to version 0.11.6, Airtable.js had a misconfigured build script in its source package. When the build script is run, it would bundle environment variables into the build target of a transpiled bundle. Specifically, the AIRTABLE_API_KEY and AIRTABLE_ENDPOINT_URL environment variables are inserted during Browserify builds due to being referenced in Airtable.js code. This only affects copies of Airtable.js built from its source, not those installed via npm or yarn. Airtable API keys set in users’ environments via the AIRTABLE_API_KEY environment variable may be bundled into local copies of Airtable.js source code if all of the following conditions are met: 1) the user has cloned the Airtable.js source onto their machine, 2) the user runs the "npm prepare" script, and 3) the user' has the AIRTABLE_API_KEY environment variable set. If these conditions are met, a user’s local build of Airtable.js would be modified to include the value of the AIRTABLE_API_KEY environment variable, which could then be accidentally shipped in the bundled code. Users who do not meet all three of these conditions are not impacted by this issue. Users should upgrade to Airtable.js version 0.11.6 or higher; or, as a workaround unset the AIRTABLE_API_KEY environment variable in their shell and/or remove it from your .bashrc, .zshrc, or other shell configuration files. Users should also regenerate any Airtable API keys they use, as the keysy may be present in bundled code.
Publish Date: 2022-11-29
URL: CVE-2022-46155
CVSS 3 Score Details (7.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2020-8203
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
- airtable-0.8.1.tgz (Root Library)
- ❌ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: e75f5f4d7e01b676deab2951e9b35356d6d6eabf
Found in base branch: main
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.19
Direct dependency fix Resolution (airtable): 0.10.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-23337
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
- airtable-0.8.1.tgz (Root Library)
- ❌ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: e75f5f4d7e01b676deab2951e9b35356d6d6eabf
Found in base branch: main
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (airtable): 0.10.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-26136
Vulnerable Library - tough-cookie-2.4.3.tgz
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tough-cookie/package.json
Dependency Hierarchy:
- airtable-0.8.1.tgz (Root Library)
- request-2.88.0.tgz
- ❌ tough-cookie-2.4.3.tgz (Vulnerable Library)
- request-2.88.0.tgz
Found in HEAD commit: e75f5f4d7e01b676deab2951e9b35356d6d6eabf
Found in base branch: main
Vulnerability Details
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution (tough-cookie): 4.1.3
Direct dependency fix Resolution (airtable): 0.9.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-28155
Vulnerable Library - request-2.88.0.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
- airtable-0.8.1.tgz (Root Library)
- ❌ request-2.88.0.tgz (Vulnerable Library)
Found in HEAD commit: e75f5f4d7e01b676deab2951e9b35356d6d6eabf
Found in base branch: main
Vulnerability Details
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
CVE-2020-28500
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
- airtable-0.8.1.tgz (Root Library)
- ❌ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: e75f5f4d7e01b676deab2951e9b35356d6d6eabf
Found in base branch: main
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
⛑️Automatic Remediation will be attempted for this issue.