Critical
High
Medium
Low
Secrets
Misconfig
| Severity | CVE ID | Package | Installed | Fixed In | Description |
|---|---|---|---|---|---|
| MEDIUM | CVE-2026-53550 | js-yaml | 3.14.2 | 4.2.0 | JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases |
| HIGH | CVE-2020-8203 | lodash | 4.17.14 | 4.17.19 | nodejs-lodash: prototype pollution in zipObjectDeep function |
| HIGH | CVE-2021-23337 | lodash | 4.17.14 | 4.17.21 | nodejs-lodash: command injection via template |
| HIGH | CVE-2026-4800 | lodash | 4.17.14 | 4.18.0 | lodash: lodash: Arbitrary code execution via untrusted input in template imports |
| MEDIUM | CVE-2020-28500 | lodash | 4.17.14 | 4.17.21 | nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions |
| MEDIUM | CVE-2025-13465 | lodash | 4.17.14 | 4.17.23 | lodash: prototype pollution in _.unset and _.omit functions |
| MEDIUM | CVE-2026-2950 | lodash | 4.17.14 | 4.18.0 | lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path |
| HIGH | CVE-2021-3803 | nth-check | 1.0.2 | 2.0.1 | nodejs-nth-check: inefficient regular expression complexity |
| MEDIUM | CVE-2023-44270 | postcss | 7.0.39 | 8.4.31 | PostCSS: Improper input validation in PostCSS |
| MEDIUM | CVE-2026-41305 | postcss | 7.0.39 | 8.5.10 | postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags |
| MEDIUM | CVE-2021-3163 | quill | 1.3.7 | No fix | Cross-site Scripting in quill |
| HIGH | GHSA-5c6j-r48x-rmvq | serialize-javascript | 4.0.0 | 7.0.3 | Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() |
| HIGH | GHSA-5c6j-r48x-rmvq | serialize-javascript | 6.0.2 | 7.0.3 | Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() |
| MEDIUM | CVE-2026-34043 | serialize-javascript | 6.0.2 | 7.0.5 | serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like objec |
| HIGH | CVE-2026-27601 | underscore | 1.13.6 | 1.13.8 | Underscore.js: Underscore.js: Denial of Service via recursive data structures in flatten and isEqual |
| MEDIUM | CVE-2026-41907 | uuid | 8.3.2 | 11.1.1, 12.0.1, 13.0.1 | uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality |
| MEDIUM | CVE-2026-41907 | uuid | 9.0.1 | 11.1.1, 12.0.1, 13.0.1 | uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality |
| MEDIUM | CVE-2025-30359 | webpack-dev-server | 4.15.2 | 5.2.1 | webpack-dev-server: webpack-dev-server information exposure |
| MEDIUM | CVE-2025-30360 | webpack-dev-server | 4.15.2 | 5.2.1 | webpack-dev-server: webpack-dev-server information exposure |
| MEDIUM | CVE-2026-6402 | webpack-dev-server | 4.15.2 | 5.2.4 | webpack-dev-server: webpack-dev-server: Information disclosure due to cross-origin source code expos |
| MEDIUM | CVE-2026-9595 | webpack-dev-server | 4.15.2 | 5.2.5 | webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies |
| Type | File | Line | Match |
|---|---|---|---|
| ✅ No secrets found | |||
| Severity | ID | Check | File | Message |
|---|---|---|---|---|
| HIGH | DS002 | Image user should not be 'root' | Dockerfile | Specify at least 1 USER command in Dockerfile with non-root user as argument |
| MEDIUM | DS001 | ':latest' tag used | node_modules/@surma/rollup-plugin-off-main-thread/Dockerfile | Specify a tag in the 'FROM' statement for image 'selenium/node-chrome' |
| HIGH | DS002 | Image user should not be 'root' | node_modules/@surma/rollup-plugin-off-main-thread/Dockerfile | Last USER command in Dockerfile should not be 'root' |
| HIGH | DS017 | 'RUN |
node_modules/@surma/rollup-plugin-off-main-thread/Dockerfile | The instruction 'RUN |
| HIGH | DS002 | Image user should not be 'root' | node_modules/jsonpath/Dockerfile | Specify at least 1 USER command in Dockerfile with non-root user as argument |
{
"SchemaVersion": 2,
"CreatedAt": "2026-06-24T07:37:16.340638029Z",
"ArtifactName": "/src",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "package-lock.json",
"Class": "lang-pkgs",
"Type": "npm",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2026-53550",
"PkgID": "js-yaml@3.14.2",
"PkgName": "js-yaml",
"PkgIdentifier": {
"PURL": "pkg:npm/js-yaml@3.14.2"
},
"InstalledVersion": "3.14.2",
"FixedVersion": "4.2.0",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-53550",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases",
"Description": "js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-407"
],
"VendorSeverity": {
"ghsa": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"V3Score": 5.3
}
},
"References": [
"https://github.com/nodeca/js-yaml",
"https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68"
],
"PublishedDate": "2026-06-22T16:16:38.447Z",
"LastModifiedDate": "2026-06-22T16:16:38.447Z"
},
{
"VulnerabilityID": "CVE-2020-8203",
"PkgID": "lodash@4.17.14",
"PkgName": "lodash",
"PkgIdentifier": {
"PURL": "pkg:npm/lodash@4.17.14"
},
"InstalledVersion": "4.17.14",
"FixedVersion": "4.17.19",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8203",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "nodejs-lodash: prototype pollution in zipObjectDeep function",
"Description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.",
"Severity": "HIGH",
"CweIDs": [
"CWE-770",
"CWE-1321"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 3,
"redhat": 2,
"ruby-advisory-db": 3,
"ubuntu": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"V3Score": 7.4
},
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"V2Score": 5.8,
"V3Score": 7.4
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"V3Score": 7.4
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2020-8203",
"https://github.com/advisories/GHSA-p6mc-m468-83gw",
"https://github.com/github/advisory-database/pull/2884",
"https://github.com/lodash/lodash",
"https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12",
"https://github.com/lodash/lodash/issues/4744",
"https://github.com/lodash/lodash/issues/4874",
"https://github.com/lodash/lodash/wiki/Changelog#v41719",
"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml",
"https://hackerone.com/reports/712065",
"https://hackerone.com/reports/864701",
"https://nvd.nist.gov/vuln/detail/CVE-2020-8203",
"https://security.netapp.com/advisory/ntap-20200724-0006",
"https://security.netapp.com/advisory/ntap-20200724-0006/",
"https://ubuntu.com/security/notices/USN-8411-1",
"https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744",
"https://www.cve.org/CVERecord?id=CVE-2020-8203",
"https://www.npmjs.com/advisories/1523",
"https://www.oracle.com//security-alerts/cpujul2021.html",
"https://www.oracle.com/security-alerts/cpuApr2021.html",
"https://www.oracle.com/security-alerts/cpuapr2022.html",
"https://www.oracle.com/security-alerts/cpujan2022.html",
"https://www.oracle.com/security-alerts/cpuoct2021.html"
],
"PublishedDate": "2020-07-15T17:15:11.797Z",
"LastModifiedDate": "2026-06-17T03:26:02.917Z"
},
{
"VulnerabilityID": "CVE-2021-23337",
"PkgID": "lodash@4.17.14",
"PkgName": "lodash",
"PkgIdentifier": {
"PURL": "pkg:npm/lodash@4.17.14"
},
"InstalledVersion": "4.17.14",
"FixedVersion": "4.17.21",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23337",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "nodejs-lodash: command injection via template",
"Description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",
"Severity": "HIGH",
"CweIDs": [
"CWE-94"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 3,
"redhat": 2,
"ruby-advisory-db": 3,
"ubuntu": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 7.2
},
"nvd": {
"V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 6.5,
"V3Score": 7.2
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 7.2
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2021-23337",
"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf",
"https://github.com/advisories/GHSA-35jh-r3h4-6jhm",
"https://github.com/lodash/lodash",
"https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js",
"https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851",
"https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851",
"https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c",
"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml",
"https://nvd.nist.gov/vuln/detail/CVE-2021-23337",
"https://security.netapp.com/advisory/ntap-20210312-0006",
"https://security.netapp.com/advisory/ntap-20210312-0006/",
"https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932",
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930",
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928",
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931",
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929",
"https://snyk.io/vuln/SNYK-JS-LODASH-1040724",
"https://ubuntu.com/security/notices/USN-8411-1",
"https://www.cve.org/CVERecord?id=CVE-2021-23337",
"https://www.oracle.com//security-alerts/cpujul2021.html",
"https://www.oracle.com/security-alerts/cpujan2022.html",
"https://www.oracle.com/security-alerts/cpujul2022.html",
"https://www.oracle.com/security-alerts/cpuoct2021.html"
],
"PublishedDate": "2021-02-15T13:15:12.56Z",
"LastModifiedDate": "2026-06-17T03:38:34.773Z"
},
{
"VulnerabilityID": "CVE-2026-4800",
"PkgID": "lodash@4.17.14",
"PkgName": "lodash",
"PkgIdentifier": {
"PURL": "pkg:npm/lodash@4.17.14"
},
"InstalledVersion": "4.17.14",
"FixedVersion": "4.18.0",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-4800",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "lodash: lodash: Arbitrary code execution via untrusted input in template imports",
"Description": "Impact:\n\nThe fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.\n\nWhen an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.\n\nAdditionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().\n\nPatches:\n\nUsers should upgrade to version 4.18.0.\n\nWorkarounds:\n\nDo not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.",
"Severity": "HIGH",
"CweIDs": [
"CWE-94"
],
"VendorSeverity": {
"alma": 3,
"ghsa": 3,
"nvd": 4,
"oracle-oval": 3,
"redhat": 3,
"rocky": 3,
"ubuntu": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 8.1
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 9.8
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 8.1
}
},
"References": [
"https://access.redhat.com/errata/RHSA-2026:10710",
"https://access.redhat.com/security/cve/CVE-2026-4800",
"https://bugzilla.redhat.com/2453496",
"https://bugzilla.redhat.com/show_bug.cgi?id=2431740",
"https://bugzilla.redhat.com/show_bug.cgi?id=2453496",
"https://cna.openjsf.org/security-advisories.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13465",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4800",
"https://errata.almalinux.org/9/ALSA-2026-10710.html",
"https://errata.rockylinux.org/RLSA-2026:24331",
"https://github.com/advisories/GHSA-35jh-r3h4-6jhm",
"https://github.com/lodash/lodash",
"https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c",
"https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc",
"https://linux.oracle.com/cve/CVE-2026-4800.html",
"https://linux.oracle.com/errata/ELSA-2026-10713.html",
"https://nvd.nist.gov/vuln/detail/CVE-2026-4800",
"https://ubuntu.com/security/notices/USN-8411-1",
"https://www.cve.org/CVERecord?id=CVE-2026-4800"
],
"PublishedDate": "2026-03-31T20:16:29.66Z",
"LastModifiedDate": "2026-06-17T10:57:15.217Z"
},
{
"VulnerabilityID": "CVE-2020-28500",
"PkgID": "lodash@4.17.14",
"PkgName": "lodash",
"PkgIdentifier": {
"PURL": "pkg:npm/lodash@4.17.14"
},
"InstalledVersion": "4.17.14",
"FixedVersion": "4.17.21",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28500",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions",
"Description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.",
"Severity": "MEDIUM",
"VendorSeverity": {
"ghsa": 2,
"nvd": 2,
"redhat": 2,
"ruby-advisory-db": 2,
"ubuntu": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"V3Score": 5.3
},
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"V3Score": 5.3
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2020-28500",
"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf",
"https://github.com/advisories/GHSA-29mw-wpgm-hmr9",
"https://github.com/github/advisory-database/pull/6139",
"https://github.com/lodash/lodash",
"https://github.com/lodash/lodash/blob/npm/trimEnd.js",
"https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8",
"https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8",
"https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a",
"https://github.com/lodash/lodash/pull/5065",
"https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7",
"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml",
"https://nvd.nist.gov/vuln/detail/CVE-2020-28500",
"https://security.netapp.com/advisory/ntap-20210312-0006",
"https://security.netapp.com/advisory/ntap-20210312-0006/",
"https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896",
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894",
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892",
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895",
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893",
"https://snyk.io/vuln/SNYK-JS-LODASH-1018905",
"https://ubuntu.com/security/notices/USN-8411-1",
"https://www.cve.org/CVERecord?id=CVE-2020-28500",
"https://www.oracle.com//security-alerts/cpujul2021.html",
"https://www.oracle.com/security-alerts/cpujan2022.html",
"https://www.oracle.com/security-alerts/cpujul2022.html",
"https://www.oracle.com/security-alerts/cpuoct2021.html"
],
"PublishedDate": "2021-02-15T11:15:12.397Z",
"LastModifiedDate": "2026-06-17T03:10:32.757Z"
},
{
"VulnerabilityID": "CVE-2025-13465",
"PkgID": "lodash@4.17.14",
"PkgName": "lodash",
"PkgIdentifier": {
"PURL": "pkg:npm/lodash@4.17.14"
},
"InstalledVersion": "4.17.14",
"FixedVersion": "4.17.23",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-13465",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "lodash: prototype pollution in _.unset and _.omit functions",
"Description": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset\u00a0and _.omit\u00a0functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.\n\nThe issue permits deletion of properties but does not allow overwriting their original behavior.\n\nThis issue is patched on 4.17.23",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-1321"
],
"VendorSeverity": {
"alma": 3,
"ghsa": 2,
"nvd": 2,
"oracle-oval": 3,
"redhat": 3,
"rocky": 3,
"ubuntu": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"V3Score": 6.5
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"V3Score": 8.2
}
},
"References": [
"https://access.redhat.com/errata/RHSA-2026:2452",
"https://access.redhat.com/security/cve/CVE-2025-13465",
"https://bugzilla.redhat.com/2431740",
"https://bugzilla.redhat.com/show_bug.cgi?id=2431740",
"https://bugzilla.redhat.com/show_bug.cgi?id=2453496",
"https://cert-portal.siemens.com/productcert/html/ssa-253495.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13465",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4800",
"https://errata.almalinux.org/9/ALSA-2026-2452.html",
"https://errata.rockylinux.org/RLSA-2026:24331",
"https://github.com/lodash/lodash",
"https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81",
"https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg",
"https://linux.oracle.com/cve/CVE-2025-13465.html",
"https://linux.oracle.com/errata/ELSA-2026-2452.html",
"https://nvd.nist.gov/vuln/detail/CVE-2025-13465",
"https://ubuntu.com/security/notices/USN-8411-1",
"https://www.cve.org/CVERecord?id=CVE-2025-13465"
],
"PublishedDate": "2026-01-21T20:16:05.25Z",
"LastModifiedDate": "2026-06-17T08:34:11.687Z"
},
{
"VulnerabilityID": "CVE-2026-2950",
"PkgID": "lodash@4.17.14",
"PkgName": "lodash",
"PkgIdentifier": {
"PURL": "pkg:npm/lodash@4.17.14"
},
"InstalledVersion": "4.17.14",
"FixedVersion": "4.18.0",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-2950",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass",
"Description": "Impact:\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\nPatches:\n\nThis issue is patched in 4.18.0.\n\nWorkarounds:\n\nNone. Upgrade to the patched version.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-1321"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"V3Score": 6.5
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 6.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2026-2950",
"https://github.com/lodash/lodash",
"https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh",
"https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg",
"https://nvd.nist.gov/vuln/detail/CVE-2026-2950",
"https://ubuntu.com/security/notices/USN-8411-1",
"https://www.cve.org/CVERecord?id=CVE-2026-2950"
],
"PublishedDate": "2026-03-31T20:16:26.207Z",
"LastModifiedDate": "2026-06-17T10:32:05.873Z"
},
{
"VulnerabilityID": "CVE-2021-3803",
"PkgID": "nth-check@1.0.2",
"PkgName": "nth-check",
"PkgIdentifier": {
"PURL": "pkg:npm/nth-check@1.0.2"
},
"InstalledVersion": "1.0.2",
"FixedVersion": "2.0.1",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3803",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "nodejs-nth-check: inefficient regular expression complexity",
"Description": "nth-check is vulnerable to Inefficient Regular Expression Complexity",
"Severity": "HIGH",
"CweIDs": [
"CWE-1333"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 3,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 5,
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2021-3803",
"https://github.com/advisories/GHSA-rp65-9cf3-cjxr",
"https://github.com/fb55/nth-check",
"https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726",
"https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726 (v2.0.1)",
"https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0",
"https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0/",
"https://lists.debian.org/debian-lts-announce/2023/05/msg00023.html",
"https://nvd.nist.gov/vuln/detail/CVE-2021-3803",
"https://ubuntu.com/security/notices/USN-6114-1",
"https://www.cve.org/CVERecord?id=CVE-2021-3803"
],
"PublishedDate": "2021-09-17T07:15:09.153Z",
"LastModifiedDate": "2026-06-17T04:05:47.91Z"
},
{
"VulnerabilityID": "CVE-2023-44270",
"PkgID": "postcss@7.0.39",
"PkgName": "postcss",
"PkgIdentifier": {
"PURL": "pkg:npm/postcss@7.0.39"
},
"InstalledVersion": "7.0.39",
"FixedVersion": "8.4.31",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-44270",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "PostCSS: Improper input validation in PostCSS",
"Description": "An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-74"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 2,
"redhat": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"V3Score": 5.3
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"V3Score": 5.3
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2023-44270",
"https://github.com/github/advisory-database/issues/2820",
"https://github.com/postcss/postcss",
"https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25",
"https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5",
"https://github.com/postcss/postcss/releases/tag/8.4.31",
"https://lists.debian.org/debian-lts-announce/2024/12/msg00025.html",
"https://nvd.nist.gov/vuln/detail/CVE-2023-44270",
"https://www.cve.org/CVERecord?id=CVE-2023-44270"
],
"PublishedDate": "2023-09-29T22:15:11.867Z",
"LastModifiedDate": "2026-06-17T06:27:15.69Z"
},
{
"VulnerabilityID": "CVE-2026-41305",
"PkgID": "postcss@7.0.39",
"PkgName": "postcss",
"PkgIdentifier": {
"PURL": "pkg:npm/postcss@7.0.39"
},
"InstalledVersion": "7.0.39",
"FixedVersion": "8.5.10",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-41305",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags",
"Description": "PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `</style>` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `<style>` tags, `</style>` in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-79"
],
"VendorSeverity": {
"ghsa": 2,
"redhat": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"V3Score": 6.1
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"V3Score": 6.1
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2026-41305",
"https://github.com/postcss/postcss",
"https://github.com/postcss/postcss/releases/tag/8.5.10",
"https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93",
"https://nvd.nist.gov/vuln/detail/CVE-2026-41305",
"https://www.cve.org/CVERecord?id=CVE-2026-41305"
],
"PublishedDate": "2026-04-24T03:16:11.547Z",
"LastModifiedDate": "2026-06-17T10:46:28.7Z"
},
{
"VulnerabilityID": "CVE-2021-3163",
"PkgID": "quill@1.3.7",
"PkgName": "quill",
"PkgIdentifier": {
"PURL": "pkg:npm/quill@1.3.7"
},
"InstalledVersion": "1.3.7",
"Status": "affected",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3163",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "Cross-site Scripting in quill",
"Description": "A vulnerability in the HTML editor of Slab Quill 4.8.0 allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field. Note: Researchers have claimed that this issue is not within the product itself, but is intended behavior in a web browser",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-79"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.2
},
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"V2Score": 4.3,
"V3Score": 6.1
}
},
"References": [
"https://burninatorsec.blogspot.com/2021/04/cve-2021-3163-xss-slab-quill-js.html",
"https://github.com/quilljs/quill",
"https://github.com/quilljs/quill/issues/3273",
"https://github.com/quilljs/quill/issues/3359",
"https://github.com/quilljs/quill/issues/3364",
"https://nvd.nist.gov/vuln/detail/CVE-2021-3163",
"https://quilljs.com"
],
"PublishedDate": "2021-04-12T21:15:14.34Z",
"LastModifiedDate": "2026-06-17T04:04:46.467Z"
},
{
"VulnerabilityID": "GHSA-5c6j-r48x-rmvq",
"PkgID": "serialize-javascript@4.0.0",
"PkgName": "serialize-javascript",
"PkgIdentifier": {
"PURL": "pkg:npm/serialize-javascript@4.0.0"
},
"InstalledVersion": "4.0.0",
"FixedVersion": "7.0.3",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"Description": "### Impact\n\nThe serialize-javascript npm package (versions <= 7.0.2) contains a code injection vulnerability. It is an incomplete fix for CVE-2020-7660.\n\nWhile `RegExp.source` is sanitized, `RegExp.flags` is interpolated directly into the generated output without escaping. A similar issue exists in `Date.prototype.toISOString()`.\n\nIf an attacker can control the input object passed to `serialize()`, they can inject malicious JavaScript via the flags property of a RegExp object. When the serialized string is later evaluated (via `eval`, `new Function`, or `<script>` tags), the injected code executes.\n\n```javascript\nconst serialize = require('serialize-javascript');\n// Create an object that passes instanceof RegExp with a spoofed .flags\nconst fakeRegex = Object.create(RegExp.prototype);\nObject.defineProperty(fakeRegex, 'source', { get: () => 'x' });\nObject.defineProperty(fakeRegex, 'flags', {\n get: () => '\"+(global.PWNED=\"CODE_INJECTION_VIA_FLAGS\")+\"'\n});\nfakeRegex.toJSON = function() { return '@placeholder'; };\nconst output = serialize({ re: fakeRegex });\n// Output: {\"re\":new RegExp(\"x\", \"\"+(global.PWNED=\"CODE_INJECTION_VIA_FLAGS\")+\"\")}\nlet obj;\neval('obj = ' + output);\nconsole.log(global.PWNED); // \"CODE_INJECTION_VIA_FLAGS\" \u2014 injected code executed!\n#h2. PoC 2: Code Injection via Date.toISOString()\n```\n\n```javascript\nconst serialize = require('serialize-javascript');\nconst fakeDate = Object.create(Date.prototype);\nfakeDate.toISOString = function() { return '\"+(global.DATE_PWNED=\"DATE_INJECTION\")+\"'; };\nfakeDate.toJSON = function() { return '2024-01-01'; };\nconst output = serialize({ d: fakeDate });\n// Output: {\"d\":new Date(\"\"+(global.DATE_PWNED=\"DATE_INJECTION\")+\"\")}\neval('obj = ' + output);\nconsole.log(global.DATE_PWNED); // \"DATE_INJECTION\" \u2014 injected code executed!\n#h2. PoC 3: Remote Code Execution\n```\n\n```javascript\nconst serialize = require('serialize-javascript');\nconst rceRegex = Object.create(RegExp.prototype);\nObject.defineProperty(rceRegex, 'source', { get: () => 'x' });\nObject.defineProperty(rceRegex, 'flags', {\n get: () => '\"+require(\"child_process\").execSync(\"id\").toString()+\"'\n});\nrceRegex.toJSON = function() { return '@rce'; };\nconst output = serialize({ re: rceRegex });\n// Output: {\"re\":new RegExp(\"x\", \"\"+require(\"child_process\").execSync(\"id\").toString()+\"\")}\n// When eval'd on a Node.js server, executes the \"id\" system command\n```\n\n### Patches\n\nThe fix has been published in version 7.0.3. https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3",
"Severity": "HIGH",
"VendorSeverity": {
"ghsa": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 8.1
}
},
"References": [
"https://github.com/advisories/GHSA-hxcc-f52p-wc94",
"https://github.com/yahoo/serialize-javascript",
"https://github.com/yahoo/serialize-javascript/commit/2e609d0a9f4f5b097f0945af88bd45b9c7fb48d9",
"https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3",
"https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-5c6j-r48x-rmvq",
"https://nvd.nist.gov/vuln/detail/CVE-2020-7660"
],
"PublishedDate": "2026-02-28T02:50:45Z",
"LastModifiedDate": "2026-03-02T16:17:35Z"
},
{
"VulnerabilityID": "GHSA-5c6j-r48x-rmvq",
"PkgID": "serialize-javascript@6.0.2",
"PkgName": "serialize-javascript",
"PkgIdentifier": {
"PURL": "pkg:npm/serialize-javascript@6.0.2"
},
"InstalledVersion": "6.0.2",
"FixedVersion": "7.0.3",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"Description": "### Impact\n\nThe serialize-javascript npm package (versions <= 7.0.2) contains a code injection vulnerability. It is an incomplete fix for CVE-2020-7660.\n\nWhile `RegExp.source` is sanitized, `RegExp.flags` is interpolated directly into the generated output without escaping. A similar issue exists in `Date.prototype.toISOString()`.\n\nIf an attacker can control the input object passed to `serialize()`, they can inject malicious JavaScript via the flags property of a RegExp object. When the serialized string is later evaluated (via `eval`, `new Function`, or `<script>` tags), the injected code executes.\n\n```javascript\nconst serialize = require('serialize-javascript');\n// Create an object that passes instanceof RegExp with a spoofed .flags\nconst fakeRegex = Object.create(RegExp.prototype);\nObject.defineProperty(fakeRegex, 'source', { get: () => 'x' });\nObject.defineProperty(fakeRegex, 'flags', {\n get: () => '\"+(global.PWNED=\"CODE_INJECTION_VIA_FLAGS\")+\"'\n});\nfakeRegex.toJSON = function() { return '@placeholder'; };\nconst output = serialize({ re: fakeRegex });\n// Output: {\"re\":new RegExp(\"x\", \"\"+(global.PWNED=\"CODE_INJECTION_VIA_FLAGS\")+\"\")}\nlet obj;\neval('obj = ' + output);\nconsole.log(global.PWNED); // \"CODE_INJECTION_VIA_FLAGS\" \u2014 injected code executed!\n#h2. PoC 2: Code Injection via Date.toISOString()\n```\n\n```javascript\nconst serialize = require('serialize-javascript');\nconst fakeDate = Object.create(Date.prototype);\nfakeDate.toISOString = function() { return '\"+(global.DATE_PWNED=\"DATE_INJECTION\")+\"'; };\nfakeDate.toJSON = function() { return '2024-01-01'; };\nconst output = serialize({ d: fakeDate });\n// Output: {\"d\":new Date(\"\"+(global.DATE_PWNED=\"DATE_INJECTION\")+\"\")}\neval('obj = ' + output);\nconsole.log(global.DATE_PWNED); // \"DATE_INJECTION\" \u2014 injected code executed!\n#h2. PoC 3: Remote Code Execution\n```\n\n```javascript\nconst serialize = require('serialize-javascript');\nconst rceRegex = Object.create(RegExp.prototype);\nObject.defineProperty(rceRegex, 'source', { get: () => 'x' });\nObject.defineProperty(rceRegex, 'flags', {\n get: () => '\"+require(\"child_process\").execSync(\"id\").toString()+\"'\n});\nrceRegex.toJSON = function() { return '@rce'; };\nconst output = serialize({ re: rceRegex });\n// Output: {\"re\":new RegExp(\"x\", \"\"+require(\"child_process\").execSync(\"id\").toString()+\"\")}\n// When eval'd on a Node.js server, executes the \"id\" system command\n```\n\n### Patches\n\nThe fix has been published in version 7.0.3. https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3",
"Severity": "HIGH",
"VendorSeverity": {
"ghsa": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 8.1
}
},
"References": [
"https://github.com/advisories/GHSA-hxcc-f52p-wc94",
"https://github.com/yahoo/serialize-javascript",
"https://github.com/yahoo/serialize-javascript/commit/2e609d0a9f4f5b097f0945af88bd45b9c7fb48d9",
"https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3",
"https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-5c6j-r48x-rmvq",
"https://nvd.nist.gov/vuln/detail/CVE-2020-7660"
],
"PublishedDate": "2026-02-28T02:50:45Z",
"LastModifiedDate": "2026-03-02T16:17:35Z"
},
{
"VulnerabilityID": "CVE-2026-34043",
"PkgID": "serialize-javascript@6.0.2",
"PkgName": "serialize-javascript",
"PkgIdentifier": {
"PURL": "pkg:npm/serialize-javascript@6.0.2"
},
"InstalledVersion": "6.0.2",
"FixedVersion": "7.0.5",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-34043",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like object serialization",
"Description": "Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted \"array-like\" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-400",
"CWE-834"
],
"VendorSeverity": {
"alma": 3,
"ghsa": 2,
"nvd": 3,
"oracle-oval": 3,
"redhat": 2,
"rocky": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 5.9
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 5.9
}
},
"References": [
"https://access.redhat.com/errata/RHSA-2026:21293",
"https://access.redhat.com/security/cve/CVE-2026-34043",
"https://bugzilla.redhat.com/2453284",
"https://bugzilla.redhat.com/2476605",
"https://bugzilla.redhat.com/show_bug.cgi?id=2453284",
"https://bugzilla.redhat.com/show_bug.cgi?id=2476605",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34043",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42899",
"https://errata.almalinux.org/9/ALSA-2026-21293.html",
"https://errata.rockylinux.org/RLSA-2026:21291",
"https://github.com/yahoo/serialize-javascript",
"https://github.com/yahoo/serialize-javascript/commit/f147e90269b58bb6e539cfdf3d0e20d6ad14204b",
"https://github.com/yahoo/serialize-javascript/releases/tag/v5.0.0",
"https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.5",
"https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-qj8w-gfj5-8c6v",
"https://linux.oracle.com/cve/CVE-2026-34043.html",
"https://linux.oracle.com/errata/ELSA-2026-21291.html",
"https://nvd.nist.gov/vuln/detail/CVE-2026-34043",
"https://www.cve.org/CVERecord?id=CVE-2026-34043"
],
"PublishedDate": "2026-03-31T03:15:58.4Z",
"LastModifiedDate": "2026-06-17T10:38:28.74Z"
},
{
"VulnerabilityID": "CVE-2026-27601",
"PkgID": "underscore@1.13.6",
"PkgName": "underscore",
"PkgIdentifier": {
"PURL": "pkg:npm/underscore@1.13.6"
},
"InstalledVersion": "1.13.6",
"FixedVersion": "1.13.8",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-27601",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "Underscore.js: Underscore.js: Denial of Service via recursive data structures in flatten and isEqual functions",
"Description": "Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed in 1.13.8.",
"Severity": "HIGH",
"CweIDs": [
"CWE-770"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 2,
"redhat": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 5.9
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 5.9
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 5.9
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2026-27601",
"https://github.com/jashkenas/underscore",
"https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4",
"https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84",
"https://github.com/jashkenas/underscore/issues/3011",
"https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw",
"https://nvd.nist.gov/vuln/detail/CVE-2026-27601",
"https://underscorejs.org/#1.13.8",
"https://underscorejs.org/#flatten",
"https://underscorejs.org/#isEqual",
"https://www.cve.org/CVERecord?id=CVE-2026-27601"
],
"PublishedDate": "2026-03-03T23:15:55.56Z",
"LastModifiedDate": "2026-06-17T10:27:22.407Z"
},
{
"VulnerabilityID": "CVE-2026-41907",
"PkgID": "uuid@8.3.2",
"PkgName": "uuid",
"PkgIdentifier": {
"PURL": "pkg:npm/uuid@8.3.2"
},
"InstalledVersion": "8.3.2",
"FixedVersion": "11.1.1, 12.0.1, 13.0.1",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-41907",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality",
"Description": "uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787",
"CWE-823"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 3,
"redhat": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"V3Score": 7.5
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"V3Score": 4.8
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2026-41907",
"https://github.com/uuidjs/uuid",
"https://github.com/uuidjs/uuid/commit/32389c887c9e75f90442ee4cc95bbab0c4e8346e",
"https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34",
"https://github.com/uuidjs/uuid/commit/3d61d6ac1f782cf6b1dd8661c60f11722cd49a0d",
"https://github.com/uuidjs/uuid/commit/9d27ddf7046ce496ef39569ff84d948eeff9cb2a",
"https://github.com/uuidjs/uuid/releases/tag/v11.1.1",
"https://github.com/uuidjs/uuid/releases/tag/v12.0.1",
"https://github.com/uuidjs/uuid/releases/tag/v13.0.1",
"https://github.com/uuidjs/uuid/releases/tag/v14.0.0",
"https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq",
"https://nvd.nist.gov/vuln/detail/CVE-2026-41907",
"https://www.cve.org/CVERecord?id=CVE-2026-41907"
],
"PublishedDate": "2026-04-24T19:17:14.49Z",
"LastModifiedDate": "2026-06-17T10:47:10.473Z"
},
{
"VulnerabilityID": "CVE-2026-41907",
"PkgID": "uuid@9.0.1",
"PkgName": "uuid",
"PkgIdentifier": {
"PURL": "pkg:npm/uuid@9.0.1"
},
"InstalledVersion": "9.0.1",
"FixedVersion": "11.1.1, 12.0.1, 13.0.1",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-41907",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality",
"Description": "uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787",
"CWE-823"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 3,
"redhat": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"V3Score": 7.5
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"V3Score": 4.8
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2026-41907",
"https://github.com/uuidjs/uuid",
"https://github.com/uuidjs/uuid/commit/32389c887c9e75f90442ee4cc95bbab0c4e8346e",
"https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34",
"https://github.com/uuidjs/uuid/commit/3d61d6ac1f782cf6b1dd8661c60f11722cd49a0d",
"https://github.com/uuidjs/uuid/commit/9d27ddf7046ce496ef39569ff84d948eeff9cb2a",
"https://github.com/uuidjs/uuid/releases/tag/v11.1.1",
"https://github.com/uuidjs/uuid/releases/tag/v12.0.1",
"https://github.com/uuidjs/uuid/releases/tag/v13.0.1",
"https://github.com/uuidjs/uuid/releases/tag/v14.0.0",
"https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq",
"https://nvd.nist.gov/vuln/detail/CVE-2026-41907",
"https://www.cve.org/CVERecord?id=CVE-2026-41907"
],
"PublishedDate": "2026-04-24T19:17:14.49Z",
"LastModifiedDate": "2026-06-17T10:47:10.473Z"
},
{
"VulnerabilityID": "CVE-2025-30359",
"PkgID": "webpack-dev-server@4.15.2",
"PkgName": "webpack-dev-server",
"PkgIdentifier": {
"PURL": "pkg:npm/webpack-dev-server@4.15.2"
},
"InstalledVersion": "4.15.2",
"FixedVersion": "5.2.1",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-30359",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "webpack-dev-server: webpack-dev-server information exposure",
"Description": "webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code. Version 5.2.1 contains a patch for the issue.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-749"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 2,
"redhat": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"V3Score": 5.3
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.9
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"V3Score": 5.3
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2025-30359",
"https://github.com/webpack/webpack-dev-server",
"https://github.com/webpack/webpack-dev-server/commit/5c9378bb01276357d7af208a0856ca2163db188e",
"https://github.com/webpack/webpack-dev-server/commit/d2575ad8dfed9207ed810b5ea0ccf465115a2239",
"https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v",
"https://nvd.nist.gov/vuln/detail/CVE-2025-30359",
"https://www.cve.org/CVERecord?id=CVE-2025-30359"
],
"PublishedDate": "2025-06-03T18:15:25.243Z",
"LastModifiedDate": "2026-06-17T09:08:34.797Z"
},
{
"VulnerabilityID": "CVE-2025-30360",
"PkgID": "webpack-dev-server@4.15.2",
"PkgName": "webpack-dev-server",
"PkgIdentifier": {
"PURL": "pkg:npm/webpack-dev-server@4.15.2"
},
"InstalledVersion": "4.15.2",
"FixedVersion": "5.2.1",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-30360",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "webpack-dev-server: webpack-dev-server information exposure",
"Description": "webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The `Origin` header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address `Origin` headers. This allows websites that are served on IP addresses to connect WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-346"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 2,
"redhat": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"V3Score": 6.5
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"V3Score": 6.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"V3Score": 6.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2025-30360",
"https://github.com/webpack/webpack-dev-server",
"https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127",
"https://github.com/webpack/webpack-dev-server/commit/5c9378bb01276357d7af208a0856ca2163db188e",
"https://github.com/webpack/webpack-dev-server/commit/72efaab83381a0e1c4914adf401cbd210b7de7eb",
"https://github.com/webpack/webpack-dev-server/commit/d2575ad8dfed9207ed810b5ea0ccf465115a2239",
"https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h",
"https://nvd.nist.gov/vuln/detail/CVE-2025-30360",
"https://www.cve.org/CVERecord?id=CVE-2025-30360"
],
"PublishedDate": "2025-06-03T18:15:25.41Z",
"LastModifiedDate": "2026-06-17T09:08:34.903Z"
},
{
"VulnerabilityID": "CVE-2026-6402",
"PkgID": "webpack-dev-server@4.15.2",
"PkgName": "webpack-dev-server",
"PkgIdentifier": {
"PURL": "pkg:npm/webpack-dev-server@4.15.2"
},
"InstalledVersion": "4.15.2",
"FixedVersion": "5.2.4",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-6402",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "webpack-dev-server: webpack-dev-server: Information disclosure due to cross-origin source code exposure",
"Description": "webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for non-trustworthy origins, allowing a malicious site to load the bundled source as a script and read it across origins. Impact: an attacker controlling a website visited by a developer running webpack-dev-server can recover the application source code when the dev server runs over HTTP at a guessable host and port. Chromium based browsers from Chrome 142 onward are not affected due to local network access restrictions. Upgrade to webpack-dev-server 5.2.4 or later, which sets Cross-Origin-Resource-Policy: same-origin on responses.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-749"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 2,
"redhat": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"V3Score": 5.3
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"V3Score": 6.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"V3Score": 5.3
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2026-6402",
"https://cna.openjsf.org/security-advisories.html",
"https://github.com/webpack/webpack-dev-server",
"https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v",
"https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-79cf-xcqc-c78w",
"https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h",
"https://nvd.nist.gov/vuln/detail/CVE-2026-6402",
"https://www.cve.org/CVERecord?id=CVE-2026-6402"
],
"PublishedDate": "2026-05-12T09:16:55.64Z",
"LastModifiedDate": "2026-06-17T11:00:47.087Z"
},
{
"VulnerabilityID": "CVE-2026-9595",
"PkgID": "webpack-dev-server@4.15.2",
"PkgName": "webpack-dev-server",
"PkgIdentifier": {
"PURL": "pkg:npm/webpack-dev-server@4.15.2"
},
"InstalledVersion": "4.15.2",
"FixedVersion": "5.2.5",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-9595",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies",
"Description": "Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).\n\nPatches: Fixed in webpack-dev-server@5.2.5.\n\nWorkarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-346",
"CWE-441"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"V3Score": 5.3
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"V3Score": 4.3
}
},
"References": [
"https://cna.openjsf.org/security-advisories.html",
"https://github.com/facebook/create-react-app/pull/7444",
"https://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb",
"https://github.com/webpack/webpack-dev-server",
"https://github.com/webpack/webpack-dev-server/pull/4316",
"https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79",
"https://nvd.nist.gov/vuln/detail/CVE-2026-9595"
],
"PublishedDate": "2026-06-15T16:16:35.227Z",
"LastModifiedDate": "2026-06-17T11:05:31.643Z"
}
]
},
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 23,
"Failures": 1,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"AVDID": "AVD-DS-0002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
"Namespace": "builtin.dockerfile.DS002",
"Query": "data.builtin.dockerfile.DS002.deny",
"Resolution": "Add 'USER <non root user name>' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds002"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
},
{
"Target": "node_modules/@surma/rollup-plugin-off-main-thread/Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 21,
"Failures": 3,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS001",
"AVDID": "AVD-DS-0001",
"Title": "':latest' tag used",
"Description": "When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.",
"Message": "Specify a tag in the 'FROM' statement for image 'selenium/node-chrome'",
"Namespace": "builtin.dockerfile.DS001",
"Query": "data.builtin.dockerfile.DS001.deny",
"Resolution": "Add a tag to the image in the 'FROM' statement",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds001",
"References": [
"https://avd.aquasec.com/misconfig/ds001"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"StartLine": 1,
"EndLine": 1,
"Code": {
"Lines": [
{
"Number": 1,
"Content": "FROM selenium/node-chrome:latest",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;64mFROM\u001b[0m\u001b[38;5;37m selenium/node-chrome:latest",
"FirstCause": true,
"LastCause": true
}
]
}
}
},
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"AVDID": "AVD-DS-0002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Last USER command in Dockerfile should not be 'root'",
"Namespace": "builtin.dockerfile.DS002",
"Query": "data.builtin.dockerfile.DS002.deny",
"Resolution": "Add 'USER <non root user name>' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds002"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"StartLine": 3,
"EndLine": 3,
"Code": {
"Lines": [
{
"Number": 3,
"Content": "USER root",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;64mUSER\u001b[0m\u001b[38;5;37m root",
"FirstCause": true,
"LastCause": true
}
]
}
}
},
{
"Type": "Dockerfile Security Check",
"ID": "DS017",
"AVDID": "AVD-DS-0017",
"Title": "'RUN <package-manager> update' instruction alone",
"Description": "The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.",
"Message": "The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.",
"Namespace": "builtin.dockerfile.DS017",
"Query": "data.builtin.dockerfile.DS017.deny",
"Resolution": "Combine '<package-manager> update' and '<package-manager> install' instructions to single one",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds017",
"References": [
"https://docs.docker.com/develop/develop-images/instructions/#run",
"https://avd.aquasec.com/misconfig/ds017"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"StartLine": 5,
"EndLine": 8,
"Code": {
"Lines": [
{
"Number": 5,
"Content": "RUN apt-get update -qqy \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;64mRUN\u001b[0m apt-get update -qqy \u001b[38;5;124m\\",
"FirstCause": true,
"LastCause": false
},
{
"Number": 6,
"Content": " && rm -rf /var/lib/apt/lists/* /var/cache/apt/* \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;245m&&\u001b[0m rm -rf /var/lib/apt/lists/* /var/cache/apt/* \u001b[38;5;124m\\",
"FirstCause": false,
"LastCause": false
},
{
"Number": 7,
"Content": " && rm /bin/sh && ln -s /bin/bash /bin/sh \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;245m&&\u001b[0m rm /bin/sh \u001b[38;5;245m&&\u001b[0m ln -s /bin/bash /bin/sh \u001b[38;5;124m\\",
"FirstCause": false,
"LastCause": false
},
{
"Number": 8,
"Content": " && chown seluser /usr/local",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;245m&&\u001b[0m chown seluser /usr/local",
"FirstCause": false,
"LastCause": true
}
]
}
}
}
]
},
{
"Target": "node_modules/jsonpath/Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 23,
"Failures": 1,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"AVDID": "AVD-DS-0002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
"Namespace": "builtin.dockerfile.DS002",
"Query": "data.builtin.dockerfile.DS002.deny",
"Resolution": "Add 'USER <non root user name>' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds002"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
}
]
}