graphql-upload-13.0.0.tgz: 1 vulnerabilities (highest severity is: 7.5)

[mend-bolt-for-github]

Vulnerable Library - graphql-upload-13.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 69dcf397ab80cb4df4a7de7af9bec441aa22589e

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (graphql-upload version)	Remediation Possible**
CVE-2022-24434	High	7.5	dicer-0.3.0.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-24434

Vulnerable Library - dicer-0.3.0.tgz

A very fast streaming multipart parser for node.js

Library home page: https://registry.npmjs.org/dicer/-/dicer-0.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• graphql-upload-13.0.0.tgz (Root Library)
  • busboy-0.3.1.tgz
    • ❌ dicer-0.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 69dcf397ab80cb4df4a7de7af9bec441aa22589e

Found in base branch: next

Vulnerability Details

This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.

Publish Date: 2022-05-20

URL: CVE-2022-24434

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here