react-dev-utils-12.0.1.tgz: 2 vulnerabilities (highest severity is: 7.5)

[mend-for-github-com]

Vulnerable Library - react-dev-utils-12.0.1.tgz

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (react-dev-utils version)	Remediation Possible**	Reachability
CVE-2022-37603	High	7.5	loader-utils-3.2.0.tgz	Transitive	N/A*	❌
CVE-2019-20149	High	7.5	kind-of-6.0.2.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-37603

Vulnerable Library - loader-utils-3.2.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-3.2.0.tgz

Dependency Hierarchy:

• react-dev-utils-12.0.1.tgz (Root Library)
  • ❌ loader-utils-3.2.0.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.

Publish Date: 2022-10-14

URL: CVE-2022-37603

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3rfm-jhwj-7488

Release Date: 2022-10-14

Fix Resolution: loader-utils - 1.4.2,2.0.4,3.2.1

CVE-2019-20149

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Dependency Hierarchy:

• react-dev-utils-12.0.1.tgz (Root Library)
  • global-modules-2.0.0.tgz
    • global-prefix-3.0.0.tgz
      • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-12-30

Fix Resolution: kind-of - 6.0.3